Out of necessity come many interesting inventions.
A year ago, Fran Brown was working a penetration test for an electric utility, assessing its SCADA network. His first challenge was to get inside the facility, meaning, in short, that he had to break in. To do so, he decided to test the utility’s physical security systems, specifically the low-frequency RFID proximity cards used for building access.
While past research on the problem existed, including Kristin Paget’s groundbreaking 2007 talk at Black Hat DC on RFID cloning, most of the work on the topic included tools that were never released or papers that were largely theoretical. Brown’s search for information ranged from past talks on the subject to reading product manuals and even translating some information he found online from a Czech professor.
Next week at the Black Hat Briefings in Las Vegas, Brown will release the end result: a modified RFID reader that can capture data from 125KHz low frequency RFID badges from up to three feet away. Previous RFID hacking tools must be within centimeters of a victim to work properly; Brown’s tool would allow an attacker or pen-tester to store the device inside a backpack and it would silently grab card data from anyone walking close enough to it.
“This is the difference between a practical and impractical attack,” said Brown, managing partner at consultancy Bishop Fox. Brown said his attack has been tested numerous times with a 100 percent success rate; he added that he has been able to train other consultants to use the tool within 10 minutes.
“Hopefully we can start getting ahead of these attacks as they become more applicable,” Brown said, highlighting the example of Disney moving to RFID readers for everything from ticketing and fast passes inside its parks to souvenir purchases with a Disney-specific credit card. “Every office we tested, whether it was a Fortune 100 customer or government agency, I’ve not come across a system not using one of these legacy readers.”
These RFID systems have no security, such as encryption, behind them, making it trivial to intercept badge information. An attacker can in theory capture card data, clone it onto a new card, and use the clone to access a physical facility. Compounding the problem for enterprises is that these readers and badges are often managed by physical security teams and generally operate on a 20-year product lifecycle. For a large company with 100,000 employees, that means at least that many replacement badges and readers, often in many countries. HID, a leading proximity-card manufacturer, admitted in a June blog post that its legacy 125KHz cards are vulnerable, yet are still in place in 80 percent of physical access control systems despite the availability of more secure alternatives.
“There is no security, they’ve been hacked, there’s no protection of data, no privacy, everything is in the clear and it’s not resistant to sniffing or common attacks,” said Stephanie Ardiley, product manager, HID Global.
Brown’s attack involves customizing an RFID reader with an Arduino microcontroller, turning it into a long-range reader capable of reading card data from up to 36 inches away, which makes stealthy approaches possible.
“This involved the creation of a small, portable [printed circuit board] that can insert into almost any commercial RFID reader to steal badge info and conveniently save it to a text file on a microSD card for later use such as badge cloning,” Brown said.
Brown said penetration testers will be able to purchase an Arduino microcontroller, install the code he will make available after Black Hat, and replicate his tool and attack.
“[Hackers] who are seriously motivated can build custom stuff on their own. This is targeted toward the Fortune 500 security professional,” Brown said. “As with any penetration testing tool, this one can be turned malicious. But the way I think of RFID Hacking is that it’s where Web application security was 10 years ago. Until people are doing SQL injection and here’s me stealing with SQL injection, no one is going to be motivated to do anything about it.”
Brown said he will share some mitigation advice during his talk, including recommendations on which protective sleeves work better at thwarting these types of attacks, and which security screws should be used to secure RFID readers. He will also talk about software-based anomaly detection systems that should be configured to detect people using access cards at odd hours or unusual locations.
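The kind of anomaly detection described above can be sketched over a badge-reader log. The following is an added example, not code from Brown's talk or any access-control product: the log format, card IDs, reader names, working hours and travel threshold are all assumptions, and the sample log is constructed. It goes one step beyond the two checks named in the article by also flagging the same card appearing at two sites faster than a person could travel, which is what a cloned badge in use alongside the original looks like in the logs.

```python
from datetime import datetime, timedelta

# Constructed sample log, sorted by time: ISO timestamp, card ID, reader name.
# Reader names are assumed to follow "<site>-<door>".
SAMPLE_LOG = """\
2013-07-22T08:55:10,1001,HQ-Lobby
2013-07-22T09:02:41,1002,HQ-Lobby
2013-07-22T12:30:05,1001,HQ-Lab
2013-07-23T02:14:33,1002,HQ-Lobby
2013-07-23T09:01:00,1001,HQ-Lobby
2013-07-23T09:04:30,1001,Plant-Gate
2013-07-23T09:10:00,1003,HQ-Lab
"""

# Assumed baseline: readers each cardholder normally uses.
BASELINE = {
    "1001": {"HQ-Lobby", "HQ-Lab", "Plant-Gate"},
    "1002": {"HQ-Lobby"},
    "1003": {"HQ-Lobby"},
}
WORK_HOURS = range(6, 20)                 # assumed normal hours, 06:00-19:59
MIN_SITE_TRAVEL = timedelta(minutes=30)   # assumed fastest trip between sites


def site_of(reader):
    return reader.split("-", 1)[0]


def find_anomalies(log_text, baseline):
    """Return (timestamp, card, reader, reason) for every suspicious read."""
    alerts = []
    last_seen = {}  # card -> (time, site) of the previous read
    for line in log_text.strip().splitlines():
        stamp, card, reader = line.split(",")
        when = datetime.fromisoformat(stamp)
        reasons = []
        if when.hour not in WORK_HOURS:
            reasons.append("odd-hour")
        if reader not in baseline.get(card, set()):
            reasons.append("unusual-location")
        prev = last_seen.get(card)
        if prev and prev[1] != site_of(reader) and when - prev[0] < MIN_SITE_TRAVEL:
            reasons.append("impossible-travel")  # two copies of one badge?
        last_seen[card] = (when, site_of(reader))
        alerts.extend((stamp, card, reader, r) for r in reasons)
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG, BASELINE):
        print(*alert)
```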