Kiwicon: Not every demo at security cons goes off without a hitch: Badass hackers Ryan and Jeremy electrocuted themselves when building what could have been the first device capable of wirelessly exploiting door-opening push buttons.
The pair demonstrated the trial and terror process of building the box at the Kiwicon hacking event in New Zealand last Friday.
Before its insides dissolved due to extreme heat, the device was capable of activating the push buttons that open doors to allow egress from secure buildings - but from the outside of that building.
Ryan and Jeremy's beefed-up electromagnet is the latest in a niche line of research which would allow attackers to enter buildings by using the devices to unlock the push-button door controls.
"I guess they really are touch-to-enter buttons," Jeremy told the 2,000 laughing hackers at the Michael Fowler Centre, Wellington.
"Should you be worried about this? Ehh probably not."
Ryan (left) and Jeremy. Image: Darren Pauli, The Register.
The pair chalked their work up as a failed-but-fun experiment, but in reality it was something more akin to success. Others interested in the field could build on their work, as Ryan and Jeremy built on that of others, to produce a more stable device.
If that were to happen, scores of buildings would be at risk of break and entry.
Right now, penetration testers on red teaming assignments rely on extendable sticks to shove between automatic doors. Such rigs allow them to physically depress the buttons in a much more obvious attack.
Ryan explained one beefed-up prototype that used ignition coils bought from car parts chain Supercheap Auto: "Instead of driving that small coil, it drives this massive coil, which goes into an even bigger coil which generates a large voltage which then jumps the spark gap and, instead of igniting fuel, it hits the touch-to-exit button," he says.
"The air is literally conducting electricity, it's scary stuff."
During the testing process his mobile phone stopped working.
The pair, who again requested photographic anonymity, then increased the amount of electrons running through their prototype.
The current hopped across the helping hands and through Jeremy. "It was just a tickle," he says, asking delegates to please not inform his wife.
Several pieces of equipment melted including a high current motor driver which blew up instantly in a puff of blue smoke. Another piece of kit became so heated its solder melted.
They reworked some existing research, which had failed to open the push-to-exit buttons, building an electromagnetic interference fuzzer that used a scripting language and a VLSI interface into testing equipment, plus a microphone to detect whether the contraption worked.
The lab gear helped the pair better understand the right frequencies required to interfere with the push-to-exit button. They found that lots of noise forces the exit buttons to reduce sensitivity, and that suddenly removing that noise causes buttons to unlock.
"Some of these devices implement frequency-shifting so they are trying to evade interference like that," Ryan says.
The final prototype: A microcontroller taped to a battery, taped to a resonance circuit, taped to more batteries. RIP.
A final balled-up and taped device proved able to unlock the devices through a glass door, meaning attackers could use it to enter locked buildings, but it soon melted.
"Fortunately for us the frequency interference doesn't have to come from directly in front of the reader, and can come from the sides," Ryan says. "The range wasn't great though, and then we realised we were only using a fourth of the power, so we increased it."
"The hole in the middle?" he says, pointing to a burnt-out integrated circuit; "not meant to be there."
"We're good at prototypes." ®