Access badges audit
During an access badge audit, the objective is to determine whether an attacker can:
- Impersonate a badge
- Clone a badge
- Replay a successful authentication
- Retrieve personal information
- Elevate access zone privileges
Possible scope:
- Physical badge (wireless card)
- Virtual badge (Android / iOS mobile application)
Checks
- Signal coding
- Static and dynamic analysis
- Maximum badge communication distance
- Division into sectors and blocks
- Header sectors and data sectors
- Access rights on each block (protected, read-only, read-write)
- Block protection with access password
- Authentication protocol (password, Challenge / Response)
- Type of block modification at each authentication
- Known manufacturer vulnerabilities
- Analysis of stored permissions
- Back-office software
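One way to run the "access rights on each block" check against a card dump, as an added example that is not part of the original page. It assumes a MIFARE Classic 1K-style layout (64-byte sectors whose last block is a trailer holding the access bits in bytes 6 to 8), which the page does not name; the function names and the sample dump are constructed for illustration.

```python
# Added example. Assumption: MIFARE Classic 1K-style dump (64-byte sectors,
# last 16-byte block of each sector is the trailer: key A, access bits, key B).
DATA_RIGHTS = {  # (C1, C2, C3) -> (who may read, who may write) a data block
    (0, 0, 0): ("A|B", "A|B"),      # transport (factory) setting
    (0, 1, 0): ("A|B", "never"),
    (1, 0, 0): ("A|B", "B"),
    (1, 1, 0): ("A|B", "B"),        # value block
    (0, 0, 1): ("A|B", "never"),    # value block, decrement only
    (0, 1, 1): ("B", "B"),
    (1, 0, 1): ("B", "never"),
    (1, 1, 1): ("never", "never"),
}

def decode_access_bits(trailer: bytes):
    """Return [(C1, C2, C3)] for blocks 0..3 from a 16-byte sector trailer."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    inverted = (b6 & 0x0F, b6 >> 4, b7 & 0x0F)   # stored complements
    if any((c ^ n) != 0x0F for c, n in zip((c1, c2, c3), inverted)):
        raise ValueError("access bits do not match their complements")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

def audit_dump(dump: bytes):
    """List (sector, block, message) for data blocks writable with either key."""
    findings = []
    for sector in range(len(dump) // 64):
        trailer = dump[sector * 64 + 48:sector * 64 + 64]
        try:
            bits = decode_access_bits(trailer)
        except ValueError as exc:
            findings.append((sector, None, str(exc)))
            continue
        for block in range(3):
            if sector == 0 and block == 0:
                continue                  # manufacturer block, not a data block
            read, write = DATA_RIGHTS[bits[block]]
            if write == "A|B":
                findings.append((sector, block, f"read={read} write={write}"))
    return findings

def make_sector(access: bytes) -> bytes:
    """Constructed sector: zeroed data and keys, only the access bytes vary."""
    return bytes(48) + bytes(6) + access + b"\x69" + bytes(6)

# Constructed sample: transport setting, read-only data blocks, corrupt trailer.
SAMPLE_DUMP = b"".join(make_sector(bytes.fromhex(h))
                       for h in ("ff0780", "0f078f", "000000"))
if __name__ == "__main__":
    print(*audit_dump(SAMPLE_DUMP), sep="\n")
```

Sectors reported with block `None` have access bytes that fail the complement check and should be reviewed by hand.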
Attack scenarios
- Generation of a valid UID (copy of block 00 in sector 00)
- Block password brute force (protected block access)
- Card clone (copy of all blocks)
- Revalidation of a temporary access badge (modification of a timestamp block)
- Elevation of badge privilege (modification of a privilege block)
- Attack on middleware (SQL injection)
- Authentication replay (Challenge / Response capture)
- Communication password theft (authentication capture)