Join Bishop Fox's Dan Petro, Senior Security Engineer, and David Vargas, Senior Security Consultant, as they present their session, "Badge of Shame: Breaking into Secure Facilities with OSDP" at the 26th Annual Black Hat USA in Las Vegas. The two-day main conference will feature more than 100 selected briefings, dozens of open-source tool demos, a robust business hall, networking and social events, and much more.

"Badge of Shame: Breaking into Secure Facilities with OSDP"

Breaking into secure facilities used to be possible by inserting a listening device (such as an ESPKey) behind an RFID card reader and sniffing the unencrypted Wiegand badge numbers over the wire as they go to the backend controller. The physical security industry has taken notice and there's a new sheriff in town: the encrypted protocol OSDP which is starting to be rolled into production. Surely encryption will solve our problems and prevent MitM attacks, right? ... Right?

In this presentation, we'll demonstrate over a dozen vulnerabilities, concerning problems, and general "WTF"s in the OSDP protocol that let it be subverted, coerced, and totally bypassed. This ranges from deeply in-the-weeds, clever cryptographic attacks to boneheaded mistakes that undermine the whole thing. We will also demonstrate a practical pentesting tool that can be inserted behind an RFID badge reader to exploit these vulnerabilities.

Get your orange vest and carry a ladder, because we're going onsite!

For more details, visit www.blackhat.com.