BLEKey Device Breaks RFID Physical Access Controls

A device called BEKey which is the size of a quarter and can be installed in 60 seconds on a proximity card reader could potentially be used to break physical access controls in 80 percent of deployments.

LAS VEGAS – A device the size of a quarter that can be installed in 60 seconds on a proximity card reader could potentially be used to break physical access controls in 80 percent of deployments.

The device, dubbed BLEKey, is used to read cleartext data sent from card readers to door controllers to either clone cards or feed that data to a mobile application that can be used to unlock doors at any number of installations.

The hack today unveiled at Black Hat is worrisome for facilities reliant on proximity cards and readers for access to buildings in critical industries or enterprises. Researchers Eric Evenchick, an embedded systems architect at electric car manufacturer Faraday Future, and Mark Baseggio, a managing principal consultant at Optiv (formerly Accuvant), used the ubiquitous HID cards and readers in a number of successful demos during their talk, but said that it’s likely the same weaknesses that facilitate their attacks are present in devices from other manufacturers.

The problem lies around the Wiegand protocol, an “Apollo 11-era protocol,” as Baseggio characterizes it. Wiegand has been studied by other security researchers who have also noted its simplicity—and lack of native security. The protocol’s lack of encryption makes it simple to steal card codes, facility codes and other data necessary to clone physical badges for access, for example.

RFID readers such as those built by HID constantly beacon a signal. When an RFID card is in proximity, the card is energized by the reader, the researchers said, and sends bits back in the clear to the reader, which then sends that data to the door controller over the Weigand protocol. Some readers have a pinpad that acts as a form of two-factor authentication requiring a PIN in addition to the card swipe. Those models, however, are plagued by the same cleartext weakness negating the second form of authentication.

In addition, manufacturers such as HID—the researchers put up a screenshot of its online marketing material—claim the cards cannot be cloned, but in most cases Evenchick and Baseggio said that’s not true.

The duo today also released to open source the schematics for building a BLEKey, posting it to Github. BLEKey is 18×30 mm in size and is based on BLE, or the Bluetooth low energy model. In addition to a battery, which accounts for most of the form factor, it also includes a Nordic chip popular in wearable activity monitors, a processor, radio and software stack in addition to other passive design components.

During their talk, Evenchick and Baseggio demonstrated a number of proof of concept attacks. They built a miniature version of a door—about 36 inches by 24 inches—replete with a card reader and wired door controller. An attacker would need access to the reader, which has a top cover held on by four screws. The researchers played a video showing them installing BLEKey in 60 seconds flat. Once the cover was unscrewed, there are four wires in the reader, two power and two data wires. One wire handles transmissions over Wiegand and BLEKey crimps into it, as does the other data wire and one of the power wires. Reconnecting the top and reinstalling it took a few seconds.

The researchers demonstrated card-present and card-not-present attacks via Bluetooth connections between the reader and BLEKey to a mobile device. The app reads card and facility codes, making it easy to clone cards or carry out remote replay attacks of those numbers.

For businesses reliant on these cards and readers for physical access, the researchers said reliance on the vendor for fixes may not be the best option. There are tamper detection features in the readers, for example, that can be switched on. Monitoring logs generated by the systems for anomalies, or even video surveillance of doors are other security options.

Some devices also support the Open Supervised Device Protocol (OSDP) which does offer a secure channel between the reader and door controller, but must be configured properly otherwise it will fall back to transmitting over Wiegand, the researchers said.

Suggested articles