Caribou is an Android app that does what RFID cardkeys do with locked doors. Caribou remotely connects to a server managing the locks at a supposedly secure location, and exploits the servers’ poor security controls.
The app was written by written by security researcher Ian Robertson as a proof-of-concept demonstration of what he calls “incredibly poor security controls.” Ironically, these controls are supposed to protect widely used cardkey door control systems.
By providing Caribou with the IP address of the target cardkey system/device, the button “Unlock” will access the cardkey system and unlock all available doors in sequence. The app allows 30 seconds for entry and then re-locks all of the doors. According to Robertson and the guy who reported the importance of his app, Michael Gough (Hacker Hurricane), Caribou has the capability of performing a “brute-force” of any customized security PIN used with the system. A brute force attack is known to hackers as a highly effective password cracking method that simply tries to use every possible character combination as a password.
Both Robertson and Gough are reportedly working with US-CERT on the security flaws so that appropriate measures will be taken. However, if you have a cardkey system with an IP address open to the public, it wouldn’t hurt add a firewall for extra security. Businesses large and small need to go the extra mile in protecting their IP addresses, which hackers can find via email, shared public files and malicious programs managed offsite. Fortunately, Caribou has not been released to the public.
For more on Caribou, check out the video below.