Don't be misled: Telenot complex is not a mental disease but an alarm system. It can use NFC tags to open doors.
TL;DR:
All we wanted was to read the logs to alert if e.g. the alarm company makes use of their key without actually responding to an alarm. Turns out that wasn't trivial, as there is only an old Windows GUI program using a custom protocol.
When my colleague (OP) looked further into it, it caught his eye that srand() and rand() were being called from a function responsible for making cryptographic keys. And with some further digging, it turns out those keys are the master keys to get into our office. A bit more digging and it turns out you can capture and offline crack one of those keys from a handshake, so a 32-bit key (even if rand() hadn't been seeded with a unix timestamp...) would have been easily crackable.
The technical details and PoC code are in the blog post.
Telenot responded quite well to all of this, but the roll-out to offline alarm systems could be faster. That is to say, many of these systems are internet-connected (also using AES-encrypted comms, no TLS), but you will also need to issue new NFC cards for people, so a remote update would only lead to denial of service.
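The srand()/rand() weakness described above, as an added C example (not the PoC from the blog post and not Telenot's code). The 16-byte key length and the way rand() output is mapped to key bytes are assumptions; the point is that such a key is fully determined by its seed, next to a replacement that draws from the kernel CSPRNG via getrandom() on Linux.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>
#include <time.h>

#define KEY_LEN 16 /* assumption: AES-128 key size */

/* Weak pattern (byte mapping is an assumption): the whole key is a pure
 * function of one seed, so it carries at most 32 bits of entropy. */
void weak_keygen(unsigned int seed, uint8_t key[KEY_LEN]) {
    srand(seed);
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(rand() & 0xff);
}

/* Hardened form: fill the key from the kernel CSPRNG. Returns 0 on success. */
int strong_keygen(uint8_t key[KEY_LEN]) {
    size_t got = 0;
    while (got < KEY_LEN) {
        ssize_t n = getrandom(key + got, KEY_LEN - got, 0);
        if (n < 0 && errno == EINTR) continue; /* interrupted: retry */
        if (n < 0) return -1;                   /* fail closed, no fallback */
        got += (size_t)n;
    }
    return 0;
}

/* 1 if two independent runs with the same seed produce the same key. */
int weak_key_is_reproducible(unsigned int seed) {
    uint8_t a[KEY_LEN], b[KEY_LEN];
    weak_keygen(seed, a);
    weak_keygen(seed, b);
    return memcmp(a, b, KEY_LEN) == 0;
}

int main(void) {
    uint8_t k1[KEY_LEN], k2[KEY_LEN];
    unsigned int seed = (unsigned int)time(NULL); /* timestamp seed, as described */
    printf("weak key reproducible from seed: %d\n", weak_key_is_reproducible(seed));
    if (strong_keygen(k1) != 0 || strong_keygen(k2) != 0) return 1;
    printf("two CSPRNG keys differ: %d\n", memcmp(k1, k2, KEY_LEN) != 0);
    return 0;
}
```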