I have been working on the implementation of a small security system based on the PAC Access Control System (www.pac.co.uk) and came across a major security vulnerability which if found on credit cards, would see banks answering very tough questions. Before anyone criticises the choice of PAC, this was due to legacy reasons not related to this issue.

PAC is an access control system which operates on (among other technologies) proximity card/tokens as identifiers for access. Almost everyone will be aware of these as they are used in most offices nowadays and are similar in use to the Oyster card. Most PAC readers are simple black boxes you present your tag to, and after checking with their controller, they grant or deny access and unlocking the door as appropriate.

The company also supplies a “PAC + PIN Reader”, a special type of device which also requests that you type in a four-digit PIN code after presenting your token to the reader. This is another level on the security ladder, the tag being “something you have” and the PIN being “something you know”. There are however two major problems with this system:

1. Each PAC token (a card or key fob in this case) has a token code which identifies it to the reader (e.g. 20184201AD). There is then a formula which uses this code (dropping the first ’20′ bits) to generate a PIN (a hash of the token code). This means that anyone who knows your token code (i.e. anyone who has run your token past a reader, and the standard read distance of a few centimetres can I’m sure be extended with enough thought; or anyone who has access to a system on which you are registered if you happen to use multiple systems) can work out your PIN code just by using the PAC EasiNet software. This means that the PIN code is no longer ‘something you know’.. it’s just a code written on the PAC token but “in ink only visible under ultraviolet light” in comparative terms. Anyone who knows this just brings a UV light and they have your PIN (i.e. using PAC EasiNet Software)
2. The communication between the PAC PIN reader and the controller appears to only send information when the PAC has been presented and the PIN has been typed correctly. If you type the PIN incorrectly, it is the keypad itself which blacklists you after three attempts but only from that keypad. This means there is no security logging of failed PIN attempts (not that this should happen in any organised attempt to subvert the system due to the first problem). I have not studied the communication in detail so it is possible this is just not visible in the software I was using, but it does seem to be handled by the reader itself.

I think PAC may be offering user-set PIN codes in newer systems. PAC do have a fingerprint reader (“something you are” on the security ladder, also known as biometrics) and a non-biometric Mifare-based smart card system which is a more secure form of RFID proximity access. Nonetheless ever releasing a system which is based on such flawed security basics is worrying.

This entry was posted on Monday, May 28th, 2007 at 3:29 am and is filed under annoyances.blog, security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.