Key cards, key fobs and related access devices are designed to give a person access to a restricted area. The permissions on the item are specific to the person and place, such as having a membership to a gym, owning a condo with a secure garage or needing to enter a restricted area at work. Security systems are designed with the intention of granting access to only those with the authorizing items. But how much trust should we put in these security measures?
Interns at the Department of Energy’s Oak Ridge National Laboratory investigated door access control systems to see if the controller could be manipulated to open or close without proper permissions.
“Basically, we gave the students a door access badge kit and let them design a testbed and experiments to see what they could discover,” said ORNL’s Tristen Mullins, a signals processing engineer and mentor to the students.
Door access systems have two main components: the key given to a person and the controller that reads the key and grants or denies access. Each component has a signal. When the key signal matches a signal in the controller, an action happens, such as a door unlocking or a door remaining secure.
To understand the signals emanating from a key or a controller, a hacker may use a logic analyzer, a powerful electronic testing tool used to observe and analyze the digital signals in a circuit. There was no existing analyzer for the communication protocol used by the door access system, so Andrew Tabaczynski, a rising senior in electrical engineering at Purdue University Northwest, created one. Using C++ (a general-purpose programming language), his program decoded the unique combination of ones and zeros to display the data in readable text on a computer. He plans to submit his discovery for public disclosure and share the information on GitHub, a collaboration site for software developers.
Ashton Ruesch, a rising senior in cyber operations at Dakota State University, and Tristan Clark, a doctoral candidate at the University of South Alabama, used logic analyzers to find different types of vulnerabilities in a door access system. Ruesch used an inexpensive device, which he called a “Swiss Army Knife of signal manipulation,” to duplicate a key’s signal with 100% accuracy. He also demonstrated a method to force the system to recognize a signal and open the door without the original card.
“Using brute force, I figured out how to trick the system into giving me access,” Ruesch said.
Clark tried to influence the controller itself rather than the key. Gaining access through a Wi-Fi access point, he demonstrated how a hacker could use signals captured earlier to gain access to the door.
Simon Campos Greenblatt found a vulnerability to gain access to a different type of system: a home internet router for a satellite internet provider. Campos Greenblatt, a 2024 graduate of Brown University in cybersecurity, worked on the router’s firmware to better understand a known vulnerability that allowed a hacker to change passwords on accounts without the user’s knowledge. He also identified over 800 routers worldwide still running the vulnerable code.
“This problem is not limited to this service provider,” Campos Greenblatt said. “There are other home routers with a similar vulnerability manufactured by other companies. If it’s possible for a user to update their router, it’s a good idea to take the steps to protect their information.”
This Oak Ridge National Laboratory news article "Interns open doors without a key" was originally found on https://www.ornl.gov/news