August 06, 2007 (PC World) -- Cut a couple of wires, insert a small, easy-to-make device between them, and you can walk right through all those supposedly card-protected locked office doors.

At the Defcon security conference over the weekend, a hacker and Defcon staffer who goes by the name Zac Franken showed off how a small homemade device he calls Gecko can perform a classic man-in-the-middle attack on the type of access card readers used on office doors around the country.

Gecko is simply a small, programmable PIC chip with a wire connector on either side. Once it's connected to the wires behind the card reader, it's not only trivial to use a 'Replay' card to get through the door, but you can also disable the system so that nobody else can come in behind you. What's more, making a Gecko is easy and cheap. Franken says the hardware costs about $10.

According to Franken, the hack subverts the Wiegand protocol, commonly used for communication between the card reader and the back-end access control system, and doesn't take direct advantage of any problems with any of the hardware involved. When you swipe your card at the office, the reader very likely sends a signal using the Wiegand protocol to the control system, which then opens the doors. "The problem is, this is what we call a plain-text protocol," Franken says. "There's nothing secure about it."

For many card readers, getting Gecko in place is just a matter of popping off the reader's cover with a knife or screwdriver and undoing two screws, he says. That provides access to the wires that carry the signal from the reader to the control system. In a real-world situation you'd quickly cut the wires and insert one cut end into one side of the Gecko, and the other cut end into the Gecko's other side. In Franken's demonstration he used pre-made connectors so he could easily disconnect and reconnect the device. When you put the reader's cover back, the Gecko would be hidden behind it.

The card reader also continues to work fine with the Gecko attached. It passes along the signal from the reader to the control system as it's supposed to. But when someone swipes an authorized card that unlocks the door, Gecko saves that signal. With that saved unlock signal, the attacker can swipe a 'replay' card that tells Gecko to re-send that saved signal, and the doors unlock. What's more, any saved access logs would only show that the same person who originally swiped the saved signal swiped his card again.
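To make the "plain-text protocol" point concrete, here is an added example (not from the article or from Franken's talk) of what a door controller receives from a reader and what it is able to check. It assumes the common 26-bit Wiegand layout (even parity bit, 8-bit facility code, 16-bit card number, odd parity bit), which the article does not specify; the credential values and function names are constructed for illustration.

```python
# Added example: decode a 26-bit Wiegand frame as a door controller would.
# Assumption: the common 26-bit layout. All sample values are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    facility: int
    card: int


def encode26(facility: int, card: int) -> str:
    """Build the 26-bit string a reader clocks out for a credential."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility is 8 bits, card number is 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = str(data[:12].count("1") % 2)        # first 13 bits: even count of 1s
    odd = str((data[12:].count("1") + 1) % 2)   # last 13 bits: odd count of 1s
    return even + data + odd


def decode26(bits: str) -> Credential:
    """Validate length and both parity bits, then return the credential."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("even parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("odd parity check failed")
    return Credential(int(bits[1:9], 2), int(bits[9:25], 2))


def controller_can_distinguish(first: str, second: str) -> bool:
    """The frame holds only facility and card: no counter, time or MAC."""
    return decode26(first) != decode26(second)


if __name__ == "__main__":
    swipe = encode26(facility=42, card=12345)   # constructed credential
    resent = swipe                              # identical bits seen again later
    print(swipe, decode26(swipe))
    print("distinguishable:", controller_can_distinguish(swipe, resent))
```

The parity bits catch line noise only. Nothing in the frame is secret or changes between swipes, which is why the access log attributes a re-sent frame to the original cardholder.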