Initial commit: HPR Knowledge Base MCP Server

- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Lee Hanken
2025-10-26 10:54:13 +00:00
commit 7c8efd2228
4494 changed files with 1705541 additions and 0 deletions

hpr_transcripts/hpr3158.txt (Normal file, 187 lines)

@@ -0,0 +1,187 @@
Episode: 3158
Title: HPR3158: Fingerprint access control? LOL...
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3158/hpr3158.mp3
Transcribed: 2025-10-24 17:59:34
---
This is Hacker Public Radio Episode 3158 for Wednesday 9 September 2020. Today's show is entitled
Fingerprint Access Control. Lull
and is part of the series' Privacy and Security, it is hosted by Cedric DeVroey
and is about 20 minutes long
and carries a clean flag. The summary is
a story about pen-testing physical security.
This episode of HPR is brought to you by Ananasthos.com.
Get 15% discount on all shared hosting
with the offer code HPR15. That's HPR15.
Better web hosting that's honest and fair at Ananasthos.com.
Hello everyone, my name is Cedric and I'm here again with another story on pen-testing
and security straight from the trenches.
Today I'm going to share a story with you about an assignment we did some time ago for a large
entertainment company. Our client, like many entertainment companies,
produces a lot of intellectual property. So what are their biggest concerns is that
someone might physically break into their premises and steal some of these designs
and products. They had already taken some precautions,
like installing intrusion detection alarms and access controls on all doors etc.
These access controls, they were actually pretty sophisticated.
They had a dual function as an RFID reader and as a fingerprint reader.
So they were already trying their best to secure their own site in intellectual property
and that's also the reason why they hired me and my team.
They wanted to check out if their investment in security was actually worth its money so far.
Our approach was basically the same as that of a professional burglar,
which started with a week of preparation and scoping the place.
So how do you do this? Well, we knew the address of course,
so first we checked out a place on Google Maps.
And we were pretty lucky. Google had just recently updated their imagery of the area
which meant we had recent maps to work with and the entire thing could be viewed in 3D
with a fair amount of detail.
That's pretty much as perfect as it comes when you're planning to do a majorized
on a place in the physical world out there. So we started with scouting the area
from behind our laptops. We saw where all the entrances were to the building
and we also saw that on the front side the building just gave access to the street.
While on the backside of the premise there was a public park.
This looked very promising as a potential entry point.
So our next step would be to actually physically go there and scout the area.
So first we went there during daylight hours and just took a drive around the block using a rental car.
We'd look for entrances to the building, cameras guarding these,
and the general view of the area, basic things.
We didn't spot any cameras on the outside of the building.
So we figured it would be pretty safe to take a walk around and scout the area by foot.
There was some foot traffic but not too much.
So we wouldn't try any attention by just casually walking around and having a closer look.
The main entrance to the building was in a quiet street,
which led to a small square or a few kids were playing.
And on the other side there was a street with some shops and a few restaurants.
The entrance to our client's building had a gate,
through which we could see a quiet courtyard and the general layout of the building.
The first thing that drew our attention was a nexus control device guarding the entrance.
It was a fingerprint reader and it had a brand name supreme up printed on it.
Straight across the courtyard we could see the trees of the neighboring park.
There was a rooftop terrace on the first floor which gave access to the offices of our clients.
We also noticed a wall that separated this terrace from the park and it was huge, at least 6 meters.
We couldn't hang around for too long of course,
so we decided to continue our walk to the second entrance with small adjusts around corner.
We could recognize it's anonymous door next to our restaurant because it was guarded by the same supreme of fingerprint device.
The restaurant however seemed quite popular and it had a terrace in front of it with a dozen tables,
so that pretty much dismissed this entrance as a possible entry for our highest.
Needless to say that while we walked around the block,
we were also continuously scanning the area for Wi-Fi and Bluetooth devices.
But nothing interesting had shown up so far.
We had spotted our clients network, but it was protected.
We probably could use this information to set up rogue access points later during our assignments,
but for now this information was of little use to us.
We continued our walk and took a left to end up at the park bordering to the other side of our clients building.
While the park was empty at that moment, we didn't really feel at ease.
On one side, the park bordered an apartment building and all of its rear terraces faced this park.
We went to the wall at the far end of the park as casually as possible and inspected it.
It had two large windows, giving the people working in the offices on the inside a nice view of the park.
Unfortunately, these windows didn't seem to have any way of opening.
The wall was high, very high.
We estimated about 8 meters.
On the other side, it would give access to the terrace on the first floor.
We figured that this would be the perfect entry point for our highest.
We'd use the cover of darkness to get a ladder across the park under the trees against that wall.
I'd climb over it to land on the terrace and that would be our first step onto the premise.
Next step would be to find a way into the building and for that we'd have to find a way to bypass the supreme affinger print readers next to every door.
So we went back to our hacker space and researched this device and we figured the best way to move forward would be to actually buy one of these to first try and hack it in the safety of our lab.
So I spent a fair amount of time researching the exact model they had installed and ordering one from a local supplier.
The thing came at a hefty price. These supreme advices, they are not cheap.
But now I add an electronic lock, a relay board, a power supply and one of these fingerprint readers with which I could start playing with.
I started off with reading the manual of course, which already was very interesting on some.
I learned that this thing can be configured in a zillion ways.
I figured that, like most things, the guys that installed it would probably stick pretty close to how it came out of the box.
So that's what I did as well.
I installed the thing exactly as it came following the instructions in the manual.
I'll give you the summary of this entire installation.
Electronic locks are pretty simple technology. Basically it's just an electromagnet, a coil through which you send a current to create a magnetic field that pulls the bolt out of the way so the lock can open.
That's when it makes the clicking sound.
Inside of the building, the receptionist can just press a button and a current will float to the lock.
However, on the outside of the building, it wouldn't be very desirable that anyone can just press a button to open the door.
That's why most companies implement access controls like RFID readers, or in this case fingerprint readers.
A visitor scans his fingerprint with a device next to the door.
The software checks if it finds the signature of the print in the database holding all recognized prints, and if so, it will open the door.
So, if we'd want to bypass this scheme, we'd basically have two options.
Hack the device to open the lock or duplicate a registered fingerprint to fold the scanner and open the lock that way.
Research had shown that this last option wasn't actually that far-fetched.
It was a proof and feasible attack last DEF CON even demonstrated an attack where a fingerprint was copied in 3D using a 3D printer.
The technique we would try involved etching the negative of a high contrast image from a lifted latent print onto a copper plate.
Next, we'd pour a hot glue over that edge to actually recreate a fingerprint in 3D.
However, this procedure would wire some practice and skills, and we didn't have time for that.
We tried it using our own prints, lifted from a glass plate, following the procedure as best as we could, but we failed miserably.
So, this would not be an option, and we already spend a fair amount of time.
So, by now it had become clear, we would have to hack the device.
And as it was laying there in front of me on my desk, basically running the default setup with just my own fingerprint risk registered in the software, it became obvious to me that I had missed a crucial error in the design the entire time.
I had never actually bothered to install this thing properly, like mounted to a board with its cables fitted nicely behind the wall, etc.
The entire thing was just laying there in front of me on my desk, and all the cables really were a mess.
But most importantly, the software wasn't showing any warnings whatsoever that the device was not mounted to a wall.
I investigated the manual, and I learned that the thing has something called a tamper alarm, but this must have been disabled by default, because I never had any alarms while the device was just laying there, and I was continuously shaking and moving it.
So, this meant that I could probably just pull this thing from a wall, without any alarms going off. Awesome.
I had to validate this premise first before we could continue. If this turned out to be a false assumption, we'd waste valuable time investigating a plan which would probably fail in it.
So, the following night, I set out again to our client's building, it was like 3.30 in the morning, and there was nobody on the streets.
We already validated that there were no cameras pointing to the entrance, still I didn't feel too confident.
My plan was simple, but solid. I'd unscrew the fingerprint reader at the main entrance, and put it back in place after 30 seconds.
I'd then walk to the little square at the end of the street, and sit on a bench there, so I could have a nice clear view of our client's entrance.
I figured that if the tamper alarm was enabled, and if they had someone monitoring it, they would probably come and check the device causing the alarm.
I'd be interested in their response time, of course, but most of all, I was just hoping nobody would show up. And that's also what happened.
I waited for two whole hours on that bench, and nobody showed up, so I concluded the tamper alarm must have been disabled as is the default setting on these things, or nobody is monitoring it.
Anyway, now I knew I could safely start tinkering on how I could manipulate this thing into letting me in.
So the next day, after I had a few hours of sleep, we went back to work, playing with a supreme a biolite, and it's software.
I was in a good mood, and I had lots of inspiration. We started with investigating the general architecture of this access control scheme.
So it turns out you have a client device, the scanner, which is next to the door, and this client device gets a database of recognized fingerprints from a control server, which also holds a list of all connected devices.
So it's on this server where you register new doors and locks, and new users that can open these locks.
Now, when I installed a setup to experiment with, I learned that I had to register the lock into the control server before I could actually do anything.
So I followed that entire procedure, but unless I was missing something, I didn't notice any real checks to be in place during that registration.
So what I was thinking was maybe I can disconnect this device from its network and the control server, and reconnect it to my own server.
Then I could upload my own prints to the device, and then I'd be able to open the door with my own print.
So that's what I tried. I had the entire setup running in my own local network, so I reinstalled the software on my laptop.
I then registered another print of mine into this installation, and next I disconnected the device from my local network, and connected it to a new temperate network running on my laptop.
I had it running DHCP, and I had this little USB powered Ethernet switch laying around, which came in handy for this job.
So the device quickly got an IP address from my new network, and when I scanned for a new fingerprint devices in my network using the supreme control server that was on install on my laptop, I easily found it and was able to register it into this installation.
I then was able to upload a copy of my fingerprints from my laptop to the device, and after reconnecting it to the original network, I could still open the lock with my newly registered prints.
So this meant we had our hack to bypass this device, which just upload our own set of prints to the device, and it would happily accept this and open the door for us.
So we hired a van and a ladder, and with some action cameras geared up, we set out in the middle of the following night.
We managed to get the ladder across the park, and put it against the wall without making too much noise. We didn't want to wake up any curious neighbors.
Next, I'd climb up the ladder, but since it was only 6 meters, and the wall was about 8 meters high, I'd have to climb the last pit by hand.
Fortunately, there was some vegetation growing on that wall, and it felt like it would be strong enough to hold my weight.
So I gave it a try and pulled myself up from the ladder, and the vines fortunately didn't break.
So I climbed to the top of the wall and hoisted myself on top of it.
I jumped off on the other side and landed on the first floor terrace that we saw earlier.
I went straight to the door, and as expected, I found one of the supreme up fingerprint readers next to it, and immediately I went to work.
I unscrewed the device from its mounting bracket and pulled the cables a bit from the wall. I then cut all the wires of the UTP connection and connected the female RJ45 socket to the UTP wires of the fingerprint reader with crocodile clamps.
Next, I hooked it up to my USB powered switch, which was connected to my laptop running a separate network.
As I had tested everything in detail, the attack went smooth as breeze, and within no time I had my own fingerprint loaded into the device.
I tested it, and I could hear the lock of the door clicking while I put my finger onto the reading, so I started screwing the device back into the mounting bracket.
Everything went exactly as planned, and I had just put my laptop and all my gear into my backpack again when suddenly I saw the lights go on through the glass doors separating me from the inside of the top floor.
I could see the elevated doors open, and suddenly there I was standing face to face with a janitor.
I could see his face, and he could see me, so I tried to pull myself together. I had to think quickly, actually.
I figured he would let me in or call the cops, and I would probably only get one chance to explain myself.
So I pulled my silly face, pointed with a finger to the access control, shrugged my shoulders, and lipped slowly, it's not working.
Well, I must have been an actor in a previous life, because sure thing, the man came up to the door and opened up for me.
While I entered and said a quick, hey, thanks man, he looked a bit questioning and mumbled something of, who are you and what are you doing here?
And as casual as I could, I answered, oh, I'm from IT, and I'm here for work.
I smiled, thanked him once again, while I stepped into the elevator and pressed the button for the ground floor. I was in.
My heart was pounding like a razor, but I was in. This stuff was like straight from the movies.
Now it was time for the fun part of the night, claiming our flag of victory.
First I went to the director's office to leave a friendly signature of my presence.
I left a bottle of champagne on his desk and I decorated the place with some cyber tape.
On my way out, I left a little present in the form of a Lan Turtle 3G.
That's a 3G enabled remote access toolkit with a network connection, which I hooked up with an empty socket underneath the receptionist's desk.
The Lan Turtle would immediately boot, and using its 3G connection, it established a reverse tunnel using SSH to our command and control server.
Using that covert connection, we now add a good way into the network from the outside.
Installing it only took about 15 seconds, and after having confirmed the tunnel using a shell on my phone, I went straight to the front door and left the place.
Mission accomplished. We had successfully penetrated this place.
I went to bed with a very big smile on my face early in the morning on that day.
By noon, I got up after a few hours of sleep and caught our clients.
They thanked us for the champagne and I gave them the gist of what had happened earlier that day while everyone else was still sleeping in their beds.
The following weeks, we would continue our assignments and use our newly granted access into the place to go there physically during daytime hours, posing as an external developer.
Eventually, we gained full access to the entire place, including their on-premise data center holding their intellectual property, the Crown Jewels, as to speak.
Apparently, the access control server was still protected with default credentials admin admin, so I had a pretty easy time expanding my initial foothold.
At the end of our assignment, we presented all of our findings to our clients and they immediately took appropriate action, including making sure tampering control got enabled on all of their access control devices.
And I, for my part, had learned a whole lot of news, fun stuff about access control devices and the possible flaws they can hold.
So, this was yet another story on pen testing and security. I hope you enjoyed this episode.
If you would like to reach out to me, please use the comment section on Hacker Public Radio or contact me on Twitter or Facebook. See you next time.
We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself.
If you ever thought of recording a podcast, then click on our contributing to find out how easy it really is.
Hacker Public Radio was founded by the digital dog pound and the infonomicon computer club and is part of the binary revolution at binrev.com.
If you have comments on today's show, please email the host directly, leave a comment on the website or record a follow-up episode yourself.
Unless otherwise status, today's show is released under Creative Commons, Attribution, ShareLite, 3.0 license.
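Review bot: the transcript body in this hunk is uncorrected speech-to-text, and several of the terms a user would search for are mis-recognised, which undercuts the episode/transcript search this commit advertises: the reader vendor appears as "a brand name supreme up printed on it", "These supreme advices" and "the supreme affinger print readers", the plan is "a majorized" and "our highest", and the spoken intro renders the title as "Fingerprint Access Control. Lull" while the header line "Title: HPR3158: Fingerprint access control? LOL..." has it right. Suggest marking the text as machine-transcribed in the header, taking titles from the `Title:` line rather than the spoken intro, and either running a correction pass or using fuzzy/tokenised matching so these variants still resolve. Two smaller points on the same file: `Transcribed: 2025-10-24 17:59:34` carries no timezone, unlike the commit timestamp, so it is ambiguous once stored as a date; and the sponsor read (`This episode of HPR is brought to you by Ananasthos.com.` onward) and the closing network boilerplate (`We are a community podcast network...` onward) are not episode content and will skew relevance scoring if indexed as such.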