Modern access control and CCTV systems may look like purely physical security measures, but their cyber components are equally vulnerable and often overlooked by the teams that deploy and manage them.
This talk demonstrates this through the results of hands-on penetration testing of both networked and embedded components. I intercepted CCTV traffic and extracted and reverse-engineered camera firmware to expose systemic weaknesses in deployed devices.
For access control, I progressed from breaking legacy, broken MIFARE Classic technology to compromising MIFARE DESFire-secured environments by focusing on the door controllers themselves, dumping their firmware, recovering sensitive secrets, exploiting insecure Java RMI services to remotely open doors, and eventually cloning these high-security badges.
These findings show how even advanced technologies can fail when they’re built or deployed poorly. The talk walks through the technical attack paths, failures, wins, and key lessons for securing the cyber-physical perimeter.
