RFID card access systems are used by most companies to let people into their buildings. But over the last few years, researchers have shown how these systems can be easily bypassed.
Francis Brown, a partner at the computer security firm Bishop Fox, has been on the forefront of much of the research. In fact, he recognized some of his tools and methods being used in the TV program Mr. Robot, which has been noted for highly accurate technical detail.
Lately, he’s been looking closely at breaching high- and ultra-high frequency RFID (radio-frequency identification) systems, which are increasingly being used for physical security systems.
He’s due to give a presentation at this year’s Def Con Hacking Conference in Las Vegas early next month with a bevy of new and improved software and hardware goodies.
“There are all sorts of areas that people aren’t thinking about at all that are ripe for exploitation,” he said.
Brown said his aim is to make it easier for penetration testers to show how easy it is to clone employee badges, break into buildings and plant network backdoors—without needing an electrical engineering degree to decode the vagaries of near-field communication (NFC) and RFID systems.
A couple of years ago at the Black Hat conference, Brown showed how it was possible to “weaponize” an NFC card reader so that an access card’s details could be stolen merely by passing within a few feet of a targeted person, such as in a coffee shop.
It is, however, getting harder to clone high-frequency building access cards due to defensive measures people are taking to protect their cards.
Because of that, “the next step is to attack the building,” Brown said.
Now Brown has been looking into how to harvest a large number of card details by tampering with the RFID readers that grant building access. He’s improved upon a previous tool he developed called the Tastic PCB (printed circuit board).
To install the Tastic PCB, the lid is popped off a building’s access card reader and wired in using vampire taps, Brown said. Once in place, it records badge values of everyone who scans their cards.
He’s added a Bluetooth module to the Tastic PCB. With an accompanying Bluetooth app on his mobile phone, he can command the Tastic PCB to replay the card details of the last person who entered the building, opening the door.
The attack is clever since it totally routes around some of the newer cryptographic and authentication defenses that have been put in place for high- and ultra-high frequency NFC systems, Brown said.
“Essentially, I’m bypassing all of that by breaking into the reader,” he said.
Once inside a building, an attacker needs to plant a backdoor in order to harvest network data. There are a variety of ways to do this.
For example, in an episode of Mr. Robot, an intruder removes a panel from a climate control system and wires in a Raspberry Pi. It’s a bit of a fiddly job, though: He has to remove a panel from the climate control system, snip an ethernet cable and wire in the mini-computer.
A company called the Pwnie Express had an easier solution. It made a device that looks like a power strip but on the inside contains a Raspberry Pi complete with a penetration testing toolkit. The device, however, costed US$2,000 and has since been discontinued.
At Def Con, Brown said he will release a 3-D printable file that will let penetration testers print out their own high-quality shell of a power strip customized to hold a Raspberry Pi. The design will be released here after Brown’s presentation on Aug. 9.
The cost of printing the power strip is about $5, and a Raspberry Pi costs just $35, dramatically bringing down the cost of a very stealthy tool. It’s a permanent backdoor that just needs to be plugged into an ethernet port.
“Once I physically break into a building, I leave it behind somewhere like in an empty cube or an empty conference room plugged into their internal network,” Brown said. “It looks like something completely harmless.”
Bishop Fox has a page on their website with the full range of RFID hacking tools and software they’ve developed over the years.