Long-Range RFID Hacking Tool to be Released at Black Hat

A tool that enables a hacker or penetration tester to capture RFID card data from up to three feet away will be released next week at Black Hat.

Out of necessity come many interesting inventions.

Fran Brown, a year ago, was working a penetration test for an electric utility, doing an assessment of its SCADA network. His first challenge was to get inside the facility, meaning, in short, that he had to break in. To do so, he decided to test the utility’s physical security systems, specifically the low-frequency RFID proximity cards used for building access.

While past research on the problem existed, including Kristin Paget’s groundbreaking 2007 talk at Black Hat DC on RFID cloning, most of the work on the topic involved tools that were never released or papers that were largely theoretical. His scouring for information covered everything from past talks on the subject to reading product manuals and even translating material he found online from a Czech professor.

Next week at the Black Hat Briefings in Las Vegas, Brown will release the end result: a modified RFID reader that can capture data from 125KHz low-frequency RFID badges from up to three feet away. Previous RFID hacking tools had to be within centimeters of a victim to work properly; Brown’s tool would allow an attacker or pen-tester to carry the device inside a backpack, where it would silently grab card data from anyone walking close enough to it.

“This is the difference between a practical and impractical attack,” said Brown, managing partner at consultancy Bishop Fox. Brown said his attack has been tested numerous times with a 100 percent success rate; he added that he has been able to train other consultants to use the tool, and to have them capable of doing so within 10 minutes.

“Hopefully we can start getting ahead of these attacks as they become more applicable,” Brown said, highlighting the example of Disney moving to RFID readers for everything from ticketing and fast passes inside its parks to souvenir purchases with a Disney-specific credit card. “Every office we tested, whether it was a Fortune 100 customer or government agency, I’ve not come across a system not using one of these legacy readers.”

These RFID systems have no security, such as encryption, behind them, making it trivial to intercept badge information. An attacker can in theory capture card data, clone it onto a new card, and gain access to a physical facility. Compounding the problem for enterprises is that these readers and badges are often managed by physical security teams and generally operate on a 20-year product lifecycle. For a large company with 100,000 employees, you’re looking at at least that many replacement badges and readers, often spread across many countries. HID, a leading proximity-card manufacturer, admitted in a June blog post that its legacy 125KHz cards are vulnerable, yet they are still in place in 80 percent of physical access control systems despite the availability of more secure alternatives.

“There is no security, they’ve been hacked, there’s no protection of data, no privacy, everything is in the clear and it’s not resistant to sniffing or common attacks,” said Stephanie Ardiley, product manager, HID Global.

Brown’s attack involves the customization of an RFID reader, using an Arduino microcontroller to turn it into a long-range reader capable of reading card data from up to 36 inches away, making stealthy approaches possible.

“This involved the creation of a small, portable [printed circuit board] that can insert into almost any commercial RFID reader to steal badge info and conveniently save it to a text file on a microSD card for later use such as badge cloning,” Brown said.

Brown said penetration testers will be able to purchase an Arduino microcontroller, install the code he will make available after Black Hat, and replicate his tool and his attack.

“[Hackers] who are seriously motivated can build custom stuff on their own. This is targeted toward the Fortune 500 security professional,” Brown said. “As with any penetration testing tool, this one can be turned malicious. But the way I think of RFID Hacking is that it’s where Web application security was 10 years ago. Until people are doing SQL injection and here’s me stealing with SQL injection, no one is going to be motivated to do anything about it.”

Brown said he will share some mitigation advice during his talk, including recommendations on which protective sleeves work better at thwarting these types of attacks and which security screws should be used to secure RFID readers. He will also talk about software-based anomaly detection systems, which should be configured to detect people using access cards at odd hours or at unusual locations.
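The anomaly detection the talk recommends can be approximated with a small check over a badge-access log. The following is an added example, not code from the article or from Bishop Fox; the log format, site naming (site-door), business hours and travel window are assumptions, and the log lines are constructed. It flags off-hours swipes, swipes at doors a badge never used during a baseline period, and the same badge appearing at two sites too close together, which is what a cloned badge tends to produce even though every swipe was granted.

```python
# Added example (not the article's or Bishop Fox's code): badge-access anomaly checks over a constructed log.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: timestamp, badge id, door (site-door), result.
SAMPLE_LOG = """\
2013-07-15T08:55:12 badge-1042 HQ-Lobby GRANTED
2013-07-15T09:02:44 badge-1042 HQ-Floor3 GRANTED
2013-07-16T08:58:01 badge-1042 HQ-Lobby GRANTED
2013-07-16T18:10:33 badge-1042 HQ-Floor3 GRANTED
2013-07-17T02:14:09 badge-1042 HQ-Lobby GRANTED
2013-07-17T02:15:51 badge-1042 HQ-ServerRoom GRANTED
2013-07-17T09:01:20 badge-1042 HQ-Lobby GRANTED
2013-07-17T09:04:05 badge-1042 DC2-Lobby GRANTED
"""
BASELINE_END = datetime(2013, 7, 17)   # granted swipes before this build each badge's profile
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 counts as normal (assumed)
TRAVEL_WINDOW = timedelta(minutes=30)  # two sites within this window is "impossible travel"

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, badge, door, result = line.split()
        events.append((datetime.fromisoformat(ts), badge, door, result))
    return sorted(events)

def find_anomalies(events):
    """Return (timestamp, badge, door, reason) for post-baseline swipes that are off-hours,
    at a door the badge never used in the baseline, or at a second site too soon after
    the first. A cloned badge tends to trip one of these even when every swipe is GRANTED."""
    known_doors = defaultdict(set)
    for ts, badge, door, result in events:
        if ts < BASELINE_END and result == "GRANTED":
            known_doors[badge].add(door)
    last_site = {}  # badge -> (timestamp, site) of its most recent granted swipe
    alerts = []
    for ts, badge, door, result in events:
        site = door.split("-")[0]
        if ts >= BASELINE_END:
            if ts.hour not in BUSINESS_HOURS:
                alerts.append((ts, badge, door, "off-hours"))
            if door not in known_doors[badge]:
                alerts.append((ts, badge, door, "new-door"))
            prev = last_site.get(badge)
            if prev and prev[1] != site and ts - prev[0] < TRAVEL_WINDOW:
                alerts.append((ts, badge, door, "impossible-travel"))
        if result == "GRANTED":
            last_site[badge] = (ts, site)
    return alerts
```

On the sample log this yields five alerts: two off-hours swipes at 02:14 and 02:15, a never-before-used server room door, and a second site reached three minutes after the first.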

Discussion

  • None on

    This is nothing new. Card scanners have been around for nearly a decade. And as far as the 3' range is concerned, the only way he's getting that is by using a reader with a very large read range already.
  • 名無しさん on

    125KHz tags have essentially no real security. EMV, NFC, and nearly all major public transport RFID deployments use 13.56MHz and varying levels of security from MiFARE Classic (broken and insecure) through to FeliCa (128bit AES, no publicly known exploits).
  • Mikael "MMN-o" Nordfeldth on

    Wow! This was harder than I thought when I started playing around with it. Glad to see someone better at radio transmitter voodoo do something about it :) Awaiting attack description to see where me and others could have improved!
  • Melvin on

    The way I see it, any company using those type of cards should also be using a keypad PIN anyway, just for the simple fact that if the card is lost or stolen you don't want someone else to just be able to walk into your building.
  • stoprfid on

    You can't do anything to avoid data collection if your badge card is not in a protection sleeve/case like scansafe tyvek at www.stop-rfid.fr
  • Tastic on

    The Arduino code, Fritzing PCB files, parts list, and presentation slides are up on our site. Videos and blog posts with additional info will be up soon as well. See:
    http://www.bishopfox.com/resources/tools/rfid-hacking/
    http://www.bishopfox.com/resources/tools/rfid-hacking/attack-tools/
    http://www.bishopfox.com/resources/tools/rfid-hacking/presentation-slides/