IP-Based Card Security Keylocks Cracked by Android App - 'Caribou'

[dgstorm]

Above is a fairly scary demonstration of just how powerful an Android app can be. Security researcher Ian Robertson, has created an Android app called 'Caribou', that has the ability to easily bypass security on the wide-spread Cardkey door control systems. These are systems in place in numerous places, like office buildings and hotels.

The app can even remotely take over all the doors of a Cardkey system! In fact, to further scare the 'bejeezus' of of us, here's a quote from his website at cybersecurityguy.com,

...with the IP address of the target cardkey device, a single-button "Unlock" will access the cardkey system, unlock all available doors in sequence, allow 30 seconds for entry, and then re-lock all those same doors. Caribou has the capability of performing a brute-force of any customized security PIN used with the system.

Lest you think that we are supporting cyber-thievery here on the website, please realize that Mr. Robertson is paid to do this professionally. Here's what his website further elaborates that he and his partner, Michael Gough, are

...actively engaged with US-CERT and the manufacturers in order to improve the security of the products and provide better documentation and instructions to system installers.

Caribou is a proof-of-concept and is not available to the public.

It's still pretty incredible to ponder just how powerful 'Andy' really is. James Bond would use Android.

Source: Cybersecurityguy.com

[RayBan]

thanks for this dgstorm -- i forwarded this to the community manager here. we use this type of security door in our community. it's 100% gated so that's the only thing separating us from the rest of the world.

brute forcing can be a real pain to defend against if you have a seasoned hacker who knows how to ghost and auto-relay IPs... but if the ip is static it's a no-brainer to block thankfully.

the simplest defense for a static IP brute force attack is to setup server logs (if they already aren't) and setup a loop to continually query the log files for failed login attempts from the same IP and then just block that IP after x number of failed attempts. can be done in a variety of programming languages.

[ckb1985]

I would like to get my hands on this app so I can see if it works on the hardware I have to trouble shoot on a daily basis.

[RayBan]

I would like to get my hands on this app so I can see if it works on the hardware I have to trouble shoot on a daily basis.

question: are you the network administrator?

... because this has *nothing* to do with hardware. it's all *network* based.

and there is nothing that this app does that can't also be done from a terminal on a computer using readily available security tools. ... any system admin should know without thinking twice whether or not his/her system is vulnerable to brute forcing or not. and the defenses are literally a google search away.

in short, there is no reason that i can see for anyone to have this tool for "troubleshooting" purposes... hence why it's not available to the public.