Video: Android App Hacks Into Cardkey-Protected Doors With One Click
White-hat hackers (that’s the good, helpful kind) Michael Gough and Ian Robertson have created an Android app that’s capable of...
White-hat hackers (that’s the good, helpful kind) Michael Gough and Ian Robertson have created an Android app that’s capable of breaking into the very popular cardkey-type door locks with a single click. It’s not foolproof, since it requires some information about each cardkey system that not everyone will have, but it’s still pretty amazing/uncomfortable.
The app (which is not in the Android Market, so don’t even bother looking for it) is called Caribou, and relies on a vulnerability in these sorts of security systems that allows them to be unlocked remotely. It’s actually a surprisingly lo-fi sort of app: You have to input the IP address of the system you’re trying to hack, and then the app will perform a brute force attack (basically trying every single possible combination) until it lands on the correct one. Then the app will unlock the door for 30 seconds while you scoot inside the not-so-secure door.
This isn’t exactly cause for panic–more of a warning to those in charge of security system upkeep to make a few easy changes to block this sort of attack. For one thing, if the data the app needs to access is simply behind a firewall, the app won’t be able to access it. Some lackadaisical systems make the error of leaving it out in the open for anyone to swipe, which this app does ably.
There’s also the small problem of the app needing the IP address of the door it’s trying to unlock. It’s not clear whether that information is easily obtained, but the fact is that it has to be obtained, somehow. You can’t just walk up to any door and hit a button; there needs to be some recon work to secure the IP addresses first. Still, it’s a nice illustration of a weakness in this sort of security system, and the team is actually working with US-CERT (the U.S. Computer Emergency Readiness Team) to ensure that the loophole is patched.
[CyberSecurityGuy via Engadget]