Interns Unlock Doors Sans Key

Andrew Tabaczynski, ORNL intern, poses with a circuit board. Credit: Carlos Jones/ORNL, U.S. Dept. of Energy

Key cards, key fobs and related access devices are designed to give a person access to a restricted area. The permissions on the item are specific to the person and place, such as having a membership to a gym, owning a condo with a secure garage or needing to enter a restricted area at work. Security systems are designed with the intention of granting access to only those with the authorizing items. But how much trust should we put in these security measures?

Interns at the Department of Energy's Oak Ridge National Laboratory investigated door access control systems to see if the controller could be manipulated to open or close without proper permissions.

"Basically, we gave the students a door access badge kit and let them design a testbed and experiments to see what they could discover," said ORNL's Tristen Mullins, a signals processing engineer and mentor to the students.

Door access systems have two main components: the key given to a person and the controller that reads the key and grants or denies access. Each component has a signal. When the key signal matches a signal in the controller, an action happens, such as a door unlocking or a door remaining secure.

To understand the signals emanating from a key or a controller, a hacker may use a logic analyzer, a powerful electronic testing tool used to observe and analyze the digital signals in a circuit. There was no existing analyzer for the communication protocol used by the door access system, so Andrew Tabaczynski, a rising senior in electrical engineering at Purdue University Northwest, created one. Using C++ (a general-purpose programming language), his program decoded the unique combination of ones and zeros to display the data in readable text on a computer. He plans to submit his discovery for public disclosure and share the information on GitHub, a collaboration site for software developers.

Ashton Ruesch, a cyber operations rising senior from Dakota State University, and Tristan Clark, a doctoral candidate at the University of South Alabama, used logic analyzers to find different types of vulnerabilities in a door access system. Ruesch used an inexpensive device, what he called a "Swiss Army Knife of signal manipulation," to duplicate a key's signal with 100% accuracy. He further proved a method to force the system to recognize a signal and open the door despite not having the original card.

"Using brute force, I figured out how to trick the system into giving me access," Ruesch said.

Clark tried to influence the controller itself rather than the key. Gaining access through a Wi-Fi access point, he demonstrated how a hacker could use signals captured earlier to gain access to the door.

Simon Campos Greenblatt found a vulnerability to gain access to a different type of system: a home internet router for a satellite internet provider. Campos Greenblatt, a 2024 graduate of Brown University in cybersecurity, worked on the router's firmware to better understand a known vulnerability that allowed a hacker to change passwords on accounts without the user's knowledge. He also identified over 800 routers worldwide still running the vulnerable code.

"This problem is not limited to this service provider," Campos Greenblatt said. "There are other home routers with similar vulnerability manufactured by other companies. If it's possible for a user to update their router, it's a good idea to take the steps to protect their information."

The students were a part of DOE's OMNI program offering internships for those studying cybersecurity and information technology. All four students said they enjoyed their time at ORNL.

"The biggest culmination of the summer was taking what I learned in my classes and putting it into use," Ruesch said. "We looked at real devices, badge readers you see in a real system and got to see a real application of assessing vulnerability."

Clark spoke of his experience with mentors who conduct research as their career.

"The OMNI program opens the door to sit alongside researchers and work on the same projects and tasks," he said. "We had great mentors who hosted workshops to show us more skills and gave us projects that are relevant in the real world. Our experience will look awesome on a resume."

Ryan Styles, an ORNL cybersecurity technical professional and mentor to the students, spoke highly of their accomplishments. "This summer was my first time mentoring interns, and we got very lucky with these four guys. They had the opportunity to work on impactful cybersecurity projects and proved themselves to be capable of getting the job done."

Overall, the students also learned about what it means to be a consumer of many commonly used electronics. Each student relayed how a little bit of work using inexpensive tools could give access to a building or to a person's personal information. Ruesch added, "If you have something you want to protect, make sure you evaluate the flaws and know the risks in the system."

ORNL's Cyber Resilience and Intelligence Division researches innovative methods to identify, analyze and defend against vulnerabilities in critical infrastructure while developing advanced sensors and software tools to better understand and characterize our adversaries. Our science secures our nation's most critical assets - from the energy grid and manufacturing supply chains to the Internet of Things devices we rely on daily.

UT-Battelle manages ORNL for the Department of Energy's Office of Science, the single largest supporter of basic research in the physical sciences in the United States. The Office of Science is working to address some of the most pressing challenges of our time. For more information, please visit energy.gov/science. - Liz Neunsinger
