Last coffee break I shared the nice experience I had in our shared office space Creative Valley on Utrecht Central Station – Link to previous article
Back in our office in Groenlo, I got into a discussion with our colleague and master developer Mark Banierink. He obviously wanted to know about all the ins and outs of this application. How did it work and why was I so enthusiastic?
As you might recall, the application looked like this:
A web app application is sent to an employee and uses GPS to ensure that they are in range to unlock doors.
Rather quick, and I guess the access control geeks inside us, we came to the joint conclusion that we should “test” this application to its limits.
Luckily, we are both KnowBe4 addicts and therefore have learned all about social engineering and the basic loopholes in (cyber)security.
A plan was drawn up…. The next time that I would be working from Utrecht I would contact Mark and let the Hack begin.
It all started with a bit of social engineering. I asked the receptionist kindly If she could already provide my dear colleague Mark with the link to the application. This way he would be able to enter the building later that week. No questions asked. She complied and sent the invitation.
Would she not have complied I could always send Mark an invite myself as they were having their after-work-work drinks and beers and had left the reception unmanned (and workstations unlocked).
- Step 1
First thing we tried: If Mark could only open our cubicles from Groenlo. Miraculously, I heard a click, and YES, HE COULD. But, OK, we frowned but it wasn’t the end of the world.
- Step 2
Would Mark be able to open the Main Entrance and entrance to the offices? Both use GPS location as a kind of security. Mark downloaded a free GPS spoofer, and I shared my location via Google Maps.It took about 15min to get the following result – see video on the left side:Yaw-dropping and I have to admit that I felt like a little kid stealing candy from my grandmother’s candy jar.Now… We could easily open the doors from Groenlo by mimicking our location. But would everybody be able to do this or is the invitation link dedicated to Mark?
- Step 3
We found out that the invitation link was dedicated to only one device. Some kind of security at last…. So we thought…It was about 17:00 o’clock and I needed to catch my train back home and I just missed it. Bummer! it was cold, and I felt nature calling.While standing at the platform, Mark called me, “I figured it out! I can now copy the application to an indefinite number of devices, do you have time for a final experiment?” I had another 20 minutes, so I walked back.Apparently, the main entrance automatically locks after 17:00. Now I really needed to “go”….. had Mark on the phone so I couldn’t open the door myself. Mark! Please help! And voila….by magic the main entrance opened followed by the entrance to all offices and for heaven’s sake the loo… What a relief.
Mark and I have now offered our hack and the keys to all these offices to the highest bidder for some Bitcoins on some dodgy site. If you see us off on early retirement or driving around in brand new Porsches, you now know where it came from…
P.S. We will share our findings with Creative Valley to warn them.
In summary, two “security”-features of the application could easily be bypassed. First, the location feature. This is only checked on the client and not sent to the server. When directly calling the server, without using the web app, this is bypassed. Second, the key-share function, which in our case was limited to 1. Only a single device was registered, but identification of the device is done by a cookie containing a device ID. This cookie can obviously be shared infinitely. The result is that now anyone you share this device ID with, can open both the inside and outside doors from anywhere in the world. Apparently, no alarms are raised when the doors are opened many times ata weird time of day, and nobody checks the logs without an apparent cause.