IP-Based Card Security Keylocks Cracked by Android App - 'Caribou'

dgstorm

Video: Cardkey system exploited using an Android app (http://www.youtube.com/watch?v=gBDVkY9KgtM&feature=player_detailpage)

Above is a fairly scary demonstration of just how powerful an Android app can be. Security researcher Ian Robertson has created an Android app called 'Caribou' that has the ability to easily bypass security on the widespread Cardkey door control systems. These systems are in place in numerous places, like office buildings and hotels.

The app can even remotely take over all the doors of a Cardkey system! In fact, to further scare the 'bejeezus' out of us, here's a quote from his website at cybersecurityguy.com:

"...with the IP address of the target cardkey device, a single-button 'Unlock' will access the cardkey system, unlock all available doors in sequence, allow 30 seconds for entry, and then re-lock all those same doors. Caribou has the capability of performing a brute-force of any customized security PIN used with the system."

Lest you think that we are supporting thieves here on the website, please realize that Mr. Robertson is paid to do this professionally. His website further elaborates that he and his partner, Michael Gough, are

"...actively engaged with US-CERT and the manufacturers in order to improve the security of the products and provide better documentation and instructions to system installers."

Caribou is a proof-of-concept and is not available to the public.
It's still pretty incredible to ponder just how powerful 'Andy' really is. James Bond would use Android.

Source: Android.net via Cybersecurityguy.com
 

johnomaz

So first you need the IP address of the target cardkey device. That in itself is pretty obscure. However, if it were to be able to be used by the new tech coming in Android phones (Near Field Communication), that would be much more impressive. Still though, pretty cool.
 

sohaunted

"My name? Bond, James Bond. Now if you'll excuse me.."

Then he pulls out a Droid X which turns into heliboathome and he rides off into the sunset :p
 