Language: English
When reverse engineering the proprietary DUOX PLUS intercom system, dubbed the ‘most secure in world’ by Fermax, Kirils & friends previously focused on its digital 2-wire signalling and employed tools such as oscilloscopes, logic analyzers and breadboards.
While these attacks are important because they shine light on the internal workings of the system, their application in the field is limited, as one would need to acquire access to the 2-wire bus, which is only possible from inside the building.
Then we noticed something that was right in front of our eyes - access control panels! These things are out there, right on the perimeter! And, when installed on multi-tenant buildings, they have RFID reader modules installed. Fermax offers modules supporting EM4100, MIFARE Classic, and MIFARE DESFire.
In this talk we give an overview of previous research and expand on it by exploring the possibilities of entering the perimeter by attacking the RFID dimension of these systems, and exploring card cloning, implanting, and cryptographic attacks together with Iceman.
Attendees will gain insight into decoding and interacting with closed digital protocols and exposing vulnerabilities in real-world access control systems. They will also see the practical application of RFID attacks to real-world systems in use right now.
