Behind Closed Doors - Bypassing RFID Readers
Description
Julia Zduńczyk demonstrates various methods to bypass physical access control systems, ranging from simple mechanical tools to sophisticated electronic attacks on RFID protocols like Wiegand. The presentation includes live demos of credential sniffing, protocol downgrade attacks, and hardware-based denial of service.
Breaking the Barrier: A Deep Dive into RFID and Physical Access Control Bypasses
In the world of cybersecurity, we often focus on the digital perimeter—firewalls, EDRs, and MFA. However, as Julia Zduńczyk demonstrated at Black Hat, the physical perimeter is often the weakest link. If an attacker can physically access your server room or an executive's office, the most sophisticated software defenses can be rendered moot. This post explores the technical realities of bypassing Physical Access Control Systems (PACS) and why the industry is struggling to move past decades-old vulnerabilities.
The Illusion of Security: Mechanical vs. Electronic Bypasses
Before diving into the bits and bytes of RFID, it is crucial to recognize that the most effective bypass is often the simplest. Red teamers frequently use the 'under-door tool'—a simple piece of shaped wire—to reach under a door and pull the interior handle. If a door hasn't been fitted with a simple brush or floor seal, all the encryption in the world on the RFID reader outside won't matter. This 'path of least resistance' mindset defines the professional red teamer.
The Architecture of Access Control
To understand the electronic attacks, we must distinguish between the two primary types of systems:
- Autonomous Locks: These are 'all-in-one' units where the reader and the locking logic reside in the same housing. These are common in apartments. They are vulnerable to logic flaws (such as the 'all-Fs' UID bug) and physical attacks like EMP generators that can force a hardware reset.
- Controller-Based Systems: These are the enterprise standard. The reader on the wall is merely a 'dumb' interface that collects card data and passes it to a controller located in a secure room. The decision to unlock is made remotely. While more secure, this architecture introduces a new attack surface: the communication protocol between the reader and the controller.
The Wiegand Problem: Security from the 1970s
The vast majority of enterprise readers still communicate using the Wiegand protocol. Developed in the 1970s, Wiegand is a simple, unencrypted, and unauthenticated protocol. It uses three main wires: Ground, Data0, and Data1. When a card is tapped, the reader decrypts the card (if it's a high-security card) and then sends the raw ID in plain text over the Data wires to the controller.
This creates a massive vulnerability. If an attacker can pop the reader off the wall—a process that often takes seconds—they can attach a sniffing device like The TIC or ESPKey to the wires. These devices can intercept the card IDs of authorized employees and allow the attacker to replay them at will, or even open the door remotely via a web interface.
The Downgrade Attack: When Legacy Kills Security
One of the most sophisticated techniques Julia demonstrated is the Downgrade Attack. Many organizations spend significant sums on high-security cards (like MIFARE DESFire or iCLASS) that utilize AES encryption. However, to maintain compatibility with older employee badges, they often leave 'Legacy' support enabled on their readers (supporting 125kHz LF cards like HID Prox).
An attacker cannot clone a DESFire card without the encryption keys. However, by using a Wiegand sniffer, the attacker can capture the decrypted ID as it travels from the reader to the controller. They then take this raw ID and write it to a cheap, unencrypted LF card. When the attacker taps this LF card, the reader sees a valid ID, passes it along the Wiegand wires, and the controller opens the door. The 'high security' of the DESFire card has been completely bypassed by the reader's backward compatibility.
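The frame described above, as an added example that is not code from the talk or from The TIC: it builds and validates the widely used 26-bit Wiegand format so the plaintext fields, the absence of any technology or key field (why a legacy LF card with a copied ID is indistinguishable to the controller), and a constructed controller-side flood heuristic are all visible. The 26-bit layout is an assumption; the talk does not say which format the demo readers used.

```python
# Added example, not code from the talk or from The TIC: what a controller receives
# over the Wiegand Data0/Data1 lines. Assumes the widely used 26-bit format (even
# parity, 8-bit facility code, 16-bit card number, odd parity); the talk does not
# say which format the demo readers used.
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    facility_code: int  # 8-bit field
    card_number: int    # 16-bit field

def encode_wiegand26(cred: Credential) -> str:
    """Frame as a '0'/'1' string: each '0' is a pulse on Data0, each '1' on Data1.
    No field carries card technology, key or MAC, so a DESFire tap and a legacy LF
    card holding the same ID produce identical frames (the downgrade attack)."""
    if not (0 <= cred.facility_code < 256 and 0 <= cred.card_number < 65536):
        raise ValueError("field out of range for 26-bit Wiegand")
    payload = f"{cred.facility_code:08b}{cred.card_number:016b}"
    p_even = str(payload[:12].count("1") % 2)     # leading bit: even parity over first 12
    p_odd = str(1 - payload[12:].count("1") % 2)  # trailing bit: odd parity over last 12
    return p_even + payload + p_odd

def decode_wiegand26(bits: str) -> Credential:
    """Validate length and both parity bits, then split out the plaintext fields."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("not a 26-bit Wiegand frame")
    if int(bits[0]) != bits[1:13].count("1") % 2:
        raise ValueError("even parity error")
    if int(bits[25]) != 1 - bits[13:25].count("1") % 2:
        raise ValueError("odd parity error")
    return Credential(int(bits[1:9], 2), int(bits[9:25], 2))

def audit_frames(frames: list[str], max_malformed: int = 3) -> dict:
    """Constructed controller-side heuristic: a burst of frames failing length or
    parity checks is what a flooded Data line looks like; raise it as a tamper/DoS event."""
    accepted, malformed = [], 0
    for frame in frames:
        try:
            accepted.append(decode_wiegand26(frame))
        except ValueError:
            malformed += 1
    return {"accepted": accepted, "malformed": malformed,
            "alert": malformed >= max_malformed}

if __name__ == "__main__":
    ceo = Credential(facility_code=42, card_number=1234)
    frame = encode_wiegand26(ceo)
    print(frame, decode_wiegand26(frame))
    print(audit_frames([frame, "101", "1" * 26, "0" * 26]))
```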
Denial of Service: Controlling the Flow
Physical security is as much about keeping people in as it is about keeping them out. By flooding the Wiegand lines with garbage data using a tool like The TIC, an attacker can create a Denial of Service (DoS) state where no cards work. This can be used as a distraction or to trap security personnel while an attack occurs elsewhere. Furthermore, vulnerabilities in the Bluetooth management interfaces of modern readers (like those found in some HID models) allow attackers to put readers into a 'locate loop' via mobile apps, causing them to beep incessantly and stop functioning until the loop is broken.
Hardening the Perimeter
How do we defend against these attacks? The transition to OSDP (Open Supervised Device Protocol) is the most critical step. Unlike Wiegand, OSDP supports Secure Channel mode, which uses AES-128 encryption for all communication between the reader and the controller. This makes sniffing and replay attacks effectively impossible.
Additionally, organizations should:
- Disable Legacy Support: If you use high-frequency encrypted cards, disable 125kHz support immediately.
- Monitor Tamper Alarms: Most readers have a tamper switch. Ensure these are actually wired to the controller and that security guards are trained to respond to 'Tamper' events instantly.
- Firmware Management: Treat RFID readers like any other IoT device. They require regular firmware updates to patch vulnerabilities like the Bluetooth DoS flaw.
- Physical Hardening: Use security screws and ensure there are no gaps under or over doors that can be exploited by mechanical tools.
Conclusion
Physical access control is often a 'set and forget' infrastructure, but the research presented by Julia Zduńczyk shows that it requires the same rigorous auditing as any network service. By understanding the weaknesses of legacy protocols like Wiegand and the dangers of backward compatibility, security professionals can better protect their facilities from real-world intruders.
AI Summary
This presentation by Julia Zduńczyk explores the vulnerabilities inherent in Physical Access Control Systems (PACS) and RFID readers. Julia begins by emphasizing that physical security is not just about the reader; she demonstrates the 'under-door tool,' a simple wire device used to pull door handles from the inside through the gap between the door and floor. This serves as a reminder that attackers often choose the path of least resistance. The talk categorizes RFID locks into two types: autonomous locks and controller-based systems. Autonomous locks, common in residential or low-security areas, house the decision-making logic inside the reader itself. Julia demonstrates a logic bypass vulnerability where a card with a UID of all 'F's (0xFFFFFFFF) can sometimes bypass the 'delete' function due to firmware errors, effectively creating a skeleton key. She also mentions the use of EMP generators (spark gap devices) that can occasionally reset a lock's memory to an open state, though they are unreliable and risk damaging the hardware permanently. The core of the presentation focuses on controller-based systems, which are standard in corporate environments. These systems use a separate controller located in a secure area. However, the communication between the reader and the controller often relies on the Wiegand protocol, which dates back to the 1970s. Wiegand transmits card data in plain text over two wires (Data0 and Data1). Julia introduces 'The TIC,' a tool developed by her colleague Jakub Kramarz, designed to be installed behind a reader to sniff Wiegand traffic and inject data. During the live demo, she successfully intercepts a 'CEO's card' ID and replays it to open the door remotely. Further, she explains the 'Downgrade Attack.' High-security cards (like MIFARE DESFire) are hard to clone because they are encrypted. 
However, if a reader supports legacy low-frequency (LF) cards like HID Prox, an attacker can sniff the decrypted ID from the Wiegand wires using The TIC and then write that ID onto a cheap, unencrypted LF card. The reader will accept the LF card and send the exact same ID to the controller, effectively bypassing the high-security encryption of the original card. Finally, Julia discusses Denial of Service (DoS) attacks on readers. Using The TIC, she floods the Wiegand data lines, preventing any card from being processed. She also highlights a vulnerability in unpatched HID readers where the 'HID Reader Manager' mobile app can be used via Bluetooth to put a reader into a 'locate' or 'inspect' loop, making it unresponsive to cards. The presentation concludes with mitigation strategies, including the adoption of the OSDP protocol in Secure Channel mode, disabling legacy credentials, and ensuring physical tamper alarms are properly monitored.