{"id":1192,"date":"2009-03-13T16:41:23","date_gmt":"2009-03-14T00:41:23","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=1192"},"modified":"2009-03-13T16:41:23","modified_gmt":"2009-03-14T00:41:23","slug":"security-review-my-apartment","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/03\/13\/security-review-my-apartment\/","title":{"rendered":"Security Review: My Apartment"},"content":{"rendered":"<p>The apartment complex I live in is comprised of a garage and multiple residential floors. The access points into the building are through the elevator, garage, and a street access door. All three use RFID keycards to restrict the access to only residents. The elevators are activated with the keycard. Once activated, a floor button can be pushed and the elevator functions normally. The keycard is also used to open the garage gate and outside doors. Once inside, a resident would have to use the elevator to reach his or her apartment floor.<br \/>\n<!--more--><br \/>\n<strong>Assets\/Security Goals:<\/strong><br \/>\n&#8211;\tSafety and Privacy: With people living inside, safety is an important security goal. People need to feel secure and know unwanted parties cannot enter.<br \/>\n&#8211;\tPrivate Property: Besides personal wellbeing, the residents also need to be assured that their private property cannot be stolen or damaged. <\/p>\n<p><strong>Potential Adversaries\/Threats:<\/strong><br \/>\n&#8211;\tEmployees: Most employees have access to anywhere in the building and a few have keys to enter any apartment. An employee could willingly, or unwillingly, provide a gateway into someone\u2019s apartment.<br \/>\n&#8211;\tMalicious people: There is always the possibility of someone wanting to harm someone else or steal someone\u2019s belongings. 
Having access to someone\u2019s home allows the possibility for either event to occur.<br \/>\n&#8211;\tFormer Residents: Since the same key is used to access the building, a resident could try to duplicate the key. This might allow the person to have access to the building after he or she leaves. <\/p>\n<p><strong>Potential Weaknesses:<\/strong><br \/>\n&#8211;\tRFID Access: The garage, elevators, and outside doors all use an RFID reader to access the building from outside. The weaknesses of RFID also apply, as someone could try to create an access key into the building by first reading someone else\u2019s key.<br \/>\n&#8211;\tResidents: It is possible to access the building by following a resident. Someone could enter the garage right after someone else opened it or enter the elevator right after someone used his or her key.<\/p>\n<p><strong>Potential Defenses:<\/strong><\/p>\n<p>The main defense is controlling who has access into the building. As mentioned above, outside doors, the garage, and the elevator require an access key. Although the access method has its own weaknesses, it still provides some protection against unwanted guests entering. <\/p>\n<p>Another method of controlling access is locking the staircase in one direction. The doors to the staircase remain unlocked, but the doors from inside the staircase are locked. This prevents people, even residents, from accessing the building from the stairwell. <\/p>\n<p>There are security cameras on every floor. Although these cameras are unlikely to prevent anything bad from happening, they can be used to detect and recover from an attack. <\/p>\n<p><strong>Evaluation of Risks<\/strong><\/p>\n<p>Although piggybacking on another resident\u2019s access into the building is possible, it does have its limitations. Each key access only allows one floor button to be pushed. If someone were strictly relying on someone else\u2019s key, he or she would be limited to the same floor. 
Also, with the one-way staircase access, that person would not be able to use the stairs to change floors. <\/p>\n<p>Although this one-way access does provide an added security feature, as in the case above, it can also cause inconvenience. Since the stairways only have one-way access, the elevator is the only way to access the residential floors. This restriction allows for a denial of service attack. If the elevators were ever disabled, residents would not be able to access their apartments without removing the security of a locked stairwell. <\/p>\n<p><strong>Conclusion<\/strong><\/p>\n<p>There are flaws in RFID, but why go through the trouble of breaking the restricted access mechanism when a social engineering attack is easier? There have been many times when I\u2019ve entered the elevator with someone else inside, noticed my floor was already pushed, and never had to take out my key. Of course, no one will ask \u201cHey, do you live here? Can I see your key?\u201d In the end, requiring keycards or some other type of technology for access doesn\u2019t really matter if someone else opens the door. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>The apartment complex I live in is comprised of a garage and multiple residential floors. The access points into the building are through the elevator, garage, and a street access door. 
All three use RFID keycards to restrict the access &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/03\/13\/security-review-my-apartment\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":72,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,5],"tags":[],"class_list":["post-1192","post","type-post","status-publish","format-standard","hentry","category-physicalsecurity","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/72"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=1192"}],"version-history":[{"count":3,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1192\/revisions"}],"predecessor-version":[{"id":1196,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1192\/revisions\/1196"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=1192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=1192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=1192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}