CAPEC-395: Bypassing Electronic Locks and Access Controls

Description

An attacker exploits security assumptions to bypass electronic locks or other forms of access controls. Most attacks against electronic access controls follow similar methods but utilize different tools. Some electronic locks utilize magnetic strip cards, others employ RFID tags embedded within a card or badge, or may involve more sophisticated protections such as voice-print, thumb-print, or retinal biometrics. Magnetic Strip and RFID technologies are the most widespread because they are cost effective to deploy and more easily integrated with other electronic security measures. These technologies share common weaknesses that an attacker can exploit to gain access to a facility protected by the mechanisms via copying legitimate cards or badges, or generating new cards using reverse-engineered algorithms.

Extended Description

Performing this attack allows the adversary to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the adversarys' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the adversarys' intent. When the goal is to spread malware, deceptive content is created such as modified links, buttons, or images, that entice users to click on those items, all of which point to a malicious URI. The techniques require use of specialized software that allow the adversary to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system in order to change the destination of various application interface elements.

Severity :

Possibility :

Type :

Standard

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-390: Bypassing Physical Security Bypassing Physical Security CAPEC-397: Cloning Magnetic Strip Cards Cloning Magnetic Strip Cards CAPEC-398: Magnetic Strip Card Brute Force Attacks Magnetic Strip Card Brute Force Attacks CAPEC-399: Cloning RFID Cards or Chips Cloning RFID Cards or Chips CAPEC-400: RFID Chip Deactivation or Destruction RFID Chip Deactivation or Destruction CAPEC-626: Smudge Attack Smudge Attack

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

Visit http://capec.mitre.org/ for more details.