No building access card? No problem if you have new Def Con tools

A slew of new RFID hacking tools will be released at the Def Con conference next month

An improved device for hacking RFID building card access systems will be released at the Def Con Hacking Conference early next month.

RFID card access systems are used by most companies to let people into their buildings. But over the last few years, researchers have shown how these systems can be easily bypassed.

Francis Brown, a partner at the computer security firm Bishop Fox, has been on the forefront of much of the research. In fact, he recognized some of his tools and methods being used in the TV program Mr. Robot, which has been noted for highly accurate technical detail.

Lately, he's been looking closely at breaching high- and ultra-high frequency RFID (radio-frequency identification) systems, which are increasingly being used for physical security systems.

He's due to give a presentation at this year's Def Con Hacking Conference in Las Vegas early next month with a bevy of new and improved software and hardware goodies.

"There are all sorts of areas that people aren't thinking about at all that are ripe for exploitation," he said.

Brown said his aim is to make it easier for penetration testers to show how easy it is to clone employee badges, break into buildings and plant network backdoors -- without needing an electrical engineering degree to decode the vagaries of near-field communication (NFC) and RFID systems.

A couple of years ago at the Black Hat conference, Brown showed how it was possible to "weaponize" an NFC card reader so that an access card's details could be stolen merely by passing within a few feet of a targeted person, such as in a coffee shop.

It is, however, getting harder to clone high-frequency building access cards due to defensive measures people are taking to protect their cards.

Because of that, "the next step is to attack the building," Brown said.

Now Brown has been looking into how to harvest a large number of card details by tampering with the RFID readers that grant building access. He's improved upon a previous tool he developed called the Tastic PCB (printed circuit board).

To install the Tastic PCB, the lid is popped off a building's access card reader and wired in using vampire taps, Brown said. Once in place, it records badge values of everyone who scans their cards.

He's added a Bluetooth module to the Tastic PCB. With an accompanying Bluetooth app on his mobile phone, he can command the Tastic PCB to replay the card details of the last person who entered the building, opening the door.
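The record-and-replay step above is simple to reason about once the badge value is seen as a short bit string on the reader-to-controller wiring. The following Python is an added example, not Bishop Fox's Tastic PCB firmware or app; it assumes the tapped lines carry the common 26-bit Wiegand format (8-bit facility code, 16-bit card number, one parity bit at each end), which the article does not name, and the captured frames are constructed for illustration.

```python
"""Decode and re-encode 26-bit Wiegand frames as seen on a tapped reader.

Added example; assumes the 26-bit Wiegand layout, which the article does
not specify. Layout: bit 0 = even parity over bits 1-12, bits 1-8 =
facility code, bits 9-24 = card number, bit 25 = odd parity over bits 13-24.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Badge:
    facility: int  # 8-bit facility (site) code
    card: int      # 16-bit card number


def _even_parity(bits):
    return sum(bits) % 2


def _odd_parity(bits):
    return 1 - sum(bits) % 2


def decode_w26(frame: str) -> Badge:
    """Parse a 26-character '0'/'1' string, rejecting bad length or parity."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    bits = [int(c) for c in frame]
    if bits[0] != _even_parity(bits[1:13]):
        raise ValueError("leading even-parity check failed")
    if bits[25] != _odd_parity(bits[13:25]):
        raise ValueError("trailing odd-parity check failed")
    return Badge(facility=int(frame[1:9], 2), card=int(frame[9:25], 2))


def encode_w26(badge: Badge) -> str:
    """Build the frame a reader would emit for this badge, parity included."""
    if not 0 <= badge.facility < 256 or not 0 <= badge.card < 65536:
        raise ValueError("facility must fit in 8 bits and card in 16 bits")
    payload = [int(c) for c in f"{badge.facility:08b}{badge.card:016b}"]
    lead = _even_parity(payload[:12])
    trail = _odd_parity(payload[12:])
    return "".join(str(b) for b in [lead] + payload + [trail])


class TapLog:
    """In-memory record of every valid badge seen on the tapped data lines."""

    def __init__(self):
        self.seen = []

    def observe(self, frame: str) -> Badge:
        badge = decode_w26(frame)  # malformed frames raise and are not stored
        self.seen.append(badge)
        return badge

    def replay_last(self) -> str:
        """Frame to drive onto the controller side to repeat the last entry."""
        if not self.seen:
            raise LookupError("no badge captured yet")
        return encode_w26(self.seen[-1])


# Constructed sample frames: facility 42 / card 12345, then facility 7 / card 1.
CAPTURED_FRAMES = [
    "10010101000110000001110011",
    "10000011100000000000000010",
]


def demo() -> str:
    """Feed the constructed capture through the log and return the replay frame."""
    log = TapLog()
    for frame in CAPTURED_FRAMES:
        log.observe(frame)
    return log.replay_last()


if __name__ == "__main__":
    for f in CAPTURED_FRAMES:
        print(f, "->", decode_w26(f))
    print("replay:", demo())
```

The parity checks are the practical part: a tap on noisy wiring will see corrupted frames, and storing one would make the later replay fail silently, so only frames that decode cleanly are kept. Nothing here touches the card's own cryptography, which is the point the article makes about attacking the reader rather than the badge.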

The attack is clever since it totally routes around some of the newer cryptographic and authentication defenses that have been put in place for high- and ultra-high frequency NFC systems, Brown said.

"Essentially, I'm bypassing all of that by breaking into the reader," he said.

Once inside a building, an attacker needs to plant a backdoor in order to harvest network data. There are a variety of ways to do this.

For example, in an episode of Mr. Robot, an intruder removes a panel from a climate control system and wires in a Raspberry Pi. It's a bit of a fiddly job, though: He has to remove a panel from the climate control system, snip an Ethernet cable and wire in the mini-computer.

A company called Pwnie Express had an easier solution. It made a device that looks like a power strip but on the inside contains a Raspberry Pi complete with a penetration testing toolkit. The device, however, cost US$2,000 and has since been discontinued.

At Def Con, Brown said he will release a 3-D printable file that will let penetration testers print out their own high-quality shell of a power strip customized to hold a Raspberry Pi. The design will be released on Bishop Fox's website after Brown's presentation on Aug. 9.

The cost of printing the power strip is about $5, and a Raspberry Pi costs just $35, dramatically bringing down the cost of a very stealthy tool. It's a permanent backdoor that just needs to be plugged into an Ethernet port.

"Once I physically break into a building, I leave it behind somewhere like in an empty cube or an empty conference room plugged into their internal network," Brown said. "It looks like something completely harmless."

Bishop Fox has a page on their website with the full range of RFID hacking tools and software they've developed over the years.

Follow me on Twitter: @jeremy_kirk
