Tasked with unique testing objectives, expert testers start an engagement like any real-world attacker would, by gathering the information they need to meet their goal.
In this video, Mike Kelly, Principal Consultant in the Secureworks Adversary Group, walks through the steps the Red Team took to test a client's enterprise-wide physical security. The previously undisclosed vulnerability the team found benefited not only the client but everyone using the product, since the vendor was able to work on a fix after notification by our testers.
We had a client come to us with a pretty unique request in that they wanted to see what kind of attacks would be possible against their enterprise-wide physical security. So not just any one building, but all their buildings at once. We started this engagement like any attacker would, with our goals of figuring out the people and the products that they're using to control their physical security. We ended up finding a testimonial from the integrator who recently installed all of their physical security devices at their new data center. This testimonial included specific makes and models of the devices they were using, particularly their door controllers. So with that information, we were able to go find one of those devices online. We purchased it and spent about a week reverse engineering it, looking for vulnerabilities that we could leverage to gain physical access. We eventually landed on a remote vulnerability that would allow us to control the door's full functionality. So we could open and close the door whenever we wanted.
Additionally, we could implant our own credentials, like an RFID badge or something like that, to effectively create a back door, so that we could show up with a badge that we've created and gain access to that door. So with that vulnerability, in order to execute it, we needed to have network connectivity to their door controllers. As they are a TV service provider, one of the things that they have is a set-top box that they deliver to all of their customers so their customers can receive the service. We found one of those online as well. We spent about another week reverse engineering it. We found a hardware-level vulnerability that allowed us to acquire the entire system's firmware. Within that firmware, we found some hard-coded credentials that the set-top box used to communicate with our client's back-end systems. So with those credentials, we were able to gain access into their network, begin enumerating all their door controllers, and eventually execute our exploit to add our own credentials, effectively giving us access to every door in their enterprise. Completely undetectable: the software doesn't alarm on these, and there's really not a way to detect that. The client was surprised. I don't think that they imagined that we'd be presenting them with undisclosed vulnerabilities that had never been found before, at least publicly. We did disclose it to the vendor. The vendor worked on a fix. And so now one of the results is that everybody who uses that product is now more secure, not just the client.