A modified RFID reader can now capture data from 125 kHz low-frequency RFID badges from up to three feet away.
Previous RFID hacking tools needed to be within centimeters of a victim's badge to work, but this new tool lets an attacker or pen-tester carry the device inside a backpack, where it silently grabs card data from anyone who walks close enough to it.
“This is the difference between a practical and impractical attack,” said Fran Brown, managing partner at the consultancy Bishop Fox, who created the device. Brown will release the device at the Black Hat Briefings in Las Vegas next week.
Brown said he tested his attack numerous times with a 100 percent success rate; he added he’s been able to train other consultants to use the tool and have them capable of doing so within 10 minutes.
“Hopefully we can start getting ahead of these attacks as they become more applicable,” Brown said, highlighting the example of Disney moving to RFID readers for everything from ticketing, fast passes inside its parks, and souvenir purchases with a Disney-specific credit card. “Every office we tested, whether it was a Fortune 100 customer or government agency, I’ve not come across a system not using one of these legacy readers.”
These legacy 125 kHz proximity systems have no security controls behind them, such as encryption, so the badge information is transmitted in the clear and is trivial to intercept. An attacker can capture the card data, write it to a blank card, and use the clone to enter the physical facility.
Compounding the problem for enterprises is that these readers and badges are often managed by physical security teams rather than IT, and generally operate on a 20-year product lifecycle. For a large company with 100,000 employees, a migration means at least that many replacement badges, plus the readers, often spread across many countries.
HID, a leading proximity-card manufacturer, said in June that its legacy 125 kHz cards are vulnerable, yet they remain in place in 80 percent of physical access control systems despite the availability of more secure alternatives.
“There is no security, they’ve been hacked, there’s no protection of data, no privacy, everything is in the clear and it’s not resistant to sniffing or common attacks,” said Stephanie Ardiley, product manager, HID Global.
Brown’s attack involves customizing a commercial RFID reader with an Arduino microcontroller, turning it into a long-range reader capable of reading card data from up to 36 inches away, which makes a stealthy approach possible.
“This involved the creation of a small, portable [printed circuit board] that can insert into almost any commercial RFID reader to steal badge info and conveniently save it to a text file on a microSD card for later use such as badge cloning,” Brown said.
Brown said penetration testers will be able to purchase an Arduino microcontroller, install the code he will make available after Black Hat, and replicate his tool and attack.
“[Hackers] who are seriously motivated can build custom stuff on their own. This is targeted toward the Fortune 500 security professional,” Brown said. “As with any penetration testing tool, this one can be turned malicious. But the way I think of RFID Hacking is that it’s where Web application security was 10 years ago. Until people are doing SQL injection and here’s me stealing with SQL injection, no one is going to be motivated to do anything about it.”
Brown said he will share some mitigation advice during his talk, including recommendations on which protective sleeves work better at thwarting these types of attacks, and which security screws could secure RFID readers.