2014 March

Hacking RFID Systems to Bypass Physical Security Systems

The Red Tiger Security team has been doing a lot of red team exercises recently that involve physically breaching critical infrastructure facilities. These exercises expose gaps in security, because we test not only the cyber security systems but take a holistic, all-hazards approach that covers the various methods attackers use to gain access:

  • External cyber access through the Internet
  • Phishing attack by sending targeted emails to employees
  • Wireless access by breaking encryption on wireless systems in use at the target site
  • War dialing to locate modems and access the network through dial-up access
  • Social Engineering by phoning internal employees to extract useful information
  • Physical breach by attempting to walk directly into secure areas


We are allowed to use both cyber and physical penetration techniques to gain access to sensitive computer networks. What we are finding is that the cyber and physical security defensive systems are often not aligned or linked in any way. The two organizations frequently do not even report to the same management team, which creates the situation where the “left hand does not know what the right hand is doing.” In one of our recent projects, we were able to leverage RFID technology to physically walk into very sensitive data centers, corporate offices, industrial sites, and engineering labs. Physical access allowed our team to connect our laptops directly to computer networks that would normally be behind firewalls. Physical access trumps all investment in cyber security, which is why physical security deserves the same attention as cyber security.


For this reason, we decided to dedicate this month’s technical briefing to RFID (Radio Frequency Identification) technology. This is not new technology: its precursor appeared in 1945 as a covert listening device built in the Soviet Union for espionage. RFID implementations come in a few different forms. Electronic Product Code (EPC) tags are stickers containing a small chip and antenna, typically used in retail stores for inventory and loss prevention. Glass capsules about the size of a grain of rice are implanted in animals so that the owner of a lost pet can be contacted, or so that a rescued animal can be identified after its release back into the wild. Automated toll booths read RFID tags on the windshields of passing cars for automated toll payment. RFID tags can be passive or active; all of them can be read remotely, and many also allow you to write data back to the tag. The largest use of this technology is card access through doors and limiting access to certain areas, which brings us back to the reason we are discussing this topic.


RFID systems used for physical access control can be hacked in a few different ways. Physical access control or “card access” systems consist of a centralized database of active badges or cards, readers installed throughout the various buildings, and the physical cards, badges, or key fobs that are activated and assigned to individual workers. Often the card access database systems are directly connected to the corporate network, with remote access for maintenance. By hacking into the card access software, an attacker can initialize a new badge, change the areas a badge has access to, or delete existing users, causing a range of problems for the target site. The badge data is usually sent from the readers to the controllers in clear text, so by tapping the wiring where the readers are mounted, an attacker can intercept valid badge traffic and parse the badge numbers out of it. This is often awkward in practice because the readers may not use Ethernet at all: the common arrangement is a serial bus (typically the two-wire Wiegand interface) back to a door controller, which in turn talks to the centralized database. The above two methods attack the centralized database and the reader wiring, but a much easier way to attack the system is to clone a valid RFID badge, which requires no access to the database or the building wiring at all.
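What actually travels on that reader-to-controller wiring is worth seeing, because it is exactly what a badge clone has to reproduce. The example below is added to this briefing and is not Red Tiger’s own tooling; it assumes the widely used 26-bit Wiegand layout (an 8-bit facility code and a 16-bit card number wrapped in two parity bits), and the “captured” bit strings are constructed samples standing in for what a tap on the D0/D1 lines would yield. One frame has a deliberately flipped bit to show how parity separates damaged frames from valid ones.

```python
"""Encode and decode 26-bit Wiegand frames (the common 8+16-bit layout).

Layout, bit 0 transmitted first:
  bit 0        even parity over bits 1-12
  bits 1-8     facility code   (8 bits)
  bits 9-24    card number     (16 bits)
  bit 25       odd parity over bits 13-24
"""


def _parity(bits):
    return sum(bits) & 1


def encode_wiegand26(facility_code, card_number):
    """Build the 26 bits a reader sends for this facility code / card number."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = [(facility_code >> (7 - i)) & 1 for i in range(8)]
    payload += [(card_number >> (15 - i)) & 1 for i in range(16)]
    even_p = _parity(payload[:12])        # bits 0-12 end up with an even count of ones
    odd_p = 1 - _parity(payload[12:])     # bits 13-25 end up with an odd count of ones
    return [even_p] + payload + [odd_p]


def is_valid_frame(bits):
    """True when the frame is 26 bits long and both parity bits check out."""
    if len(bits) != 26 or any(b not in (0, 1) for b in bits):
        return False
    return _parity(bits[0:13]) == 0 and _parity(bits[13:26]) == 1


def decode_wiegand26(bits):
    """Return (facility_code, card_number) from a valid frame."""
    if not is_valid_frame(bits):
        raise ValueError("not a well-formed 26-bit Wiegand frame")
    facility = int("".join(map(str, bits[1:9])), 2)
    card = int("".join(map(str, bits[9:25])), 2)
    return facility, card


def bits_from_str(s):
    return [int(c) for c in s.strip()]


# Constructed sample of what a tap on the reader-to-controller wires yields,
# one frame per line. The second line is the first with bit 0 flipped, as a
# noisy tap might produce; its parity no longer checks.
CAPTURED = """\
10111101110110010011011101
00111101110110010011011101
00000101000000000000000100
"""


def parse_capture(text):
    """Decode every well-formed frame in a capture; skip damaged ones."""
    found = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bits = bits_from_str(line)
        if is_valid_frame(bits):
            found.append(decode_wiegand26(bits))
    return found


if __name__ == "__main__":
    for facility, card in parse_capture(CAPTURED):
        print(f"facility {facility:3d}  card {card:5d}  "
              f"clone frame {''.join(map(str, encode_wiegand26(facility, card)))}")
```

Note that there is no secret anywhere in the frame: a cloner that has learned the facility code and card number can regenerate the identical 26 bits with `encode_wiegand26`, which is why an attacker who has read the badge once does not need the database or the wiring again.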


Since all RFID devices can be read remotely, an RFID reader can be built for around $20, or purchased for $25 USD with shipping included. The reader lets you read the data stored on the RFID device, but if you want to clone or duplicate the card or badge, you will also need an RFID writer and blank RFID cards. Just like hacking anything else, it only takes the proper tools, knowledge and skills. These RFID reader/cloner devices are very small and can fit into an empty cigarette box.



Steps for Copying Contactless Payment Card Data to a Magnetic Stripe:


The first step is to be able to read a key fob, or a Visa, MasterCard, Discover or American Express card that carries contactless information. For starters, for $19.99 plus $5.00 shipping you can get this on eBay: http://www.ebay.com/itm/ViVOTech-ViVOpay-4000-Contactless-Credit-Card-Reader-/380872367793?pt=LH_DefaultDomain_0&hash=item58adc31eb1

This device reads multiple types of RFID cards and key fobs.

The second step is to write the information you just read, and that is done with a $299.00 device, the MSR206X MAGNETIC STRIPE CARD READER / WRITER: http://hackershomepage.com/section6.htm

Note that the MSR206 is a magnetic stripe writer, not an RFID writer: this path re-encodes the track-format data reported by the contactless reader onto a magnetic stripe card, and it does not produce a contactless clone of the original.

Steps for Hacking RFID Badges:

For RFID badge access cards you can purchase an RFID reader/writer device and blank RFID cards. This lets you read an existing badge, card, or key fob and then write its data to a new blank card, effectively duplicating or cloning the RFID device. These devices usually require software and connect to a computer over USB, so an attacker would most likely lift or steal a badge and then clone it offsite at a remote location.

Portable RFID devices that read and then write back to a rewritable RFID badge can be built small enough to carry in a bag over the shoulder, or even in a front pocket. These devices are battery powered and collect badge data to clone while walking past someone who has a badge clipped to the outside of their clothing, or by standing next to them in an elevator. The parts to build a portable RFID cloning device can be purchased for around $350 USD. http://proxclone.com/pdfs/Long_Range_Reader_Cloner_schematic.pdf

Unfortunately, there is not much that can be done to defend against these RFID attacks once a site is committed to badges that simply broadcast a static identifier, which is what the proximity cards targeted by the cloner above do; a card that must answer a cryptographic challenge from the reader cannot be cloned by replaying what was read, but that is a replacement of the whole badge population, not a fix. Some have advocated keeping RFID badges or cards in metallic or shielding wallets to prevent leakage of the badge data, but in tests none of these sleeves or wallets provided 100% protection unless you use a very inconvenient protective band or wrap the card in tinfoil. Requiring a photo ID in addition to an active badge provides a second, visual check. This can make things harder for the attacker, since the name on the cloned card would have to match whoever carries it. Unfortunately, in our own red team exercises we have found that social engineering tricks like tailgating and following people into elevators, locked floors, and even sensitive rooms like data centers still work, and do not even require a working badge. In the last ten red team exercises our team has performed, we were able to gain physical access to a live network port behind the firewall without any active RFID badge. In several cases, we used a camera to photograph an existing contractor or employee badge and then, using parts obtained from an Office Depot store, built a fake badge from simple office supplies for less than $10 USD.
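A cloned badge does leave one trace the original never would: the same card number starts turning up in places and sequences a single person cannot produce. The example below is an added one, not part of the original briefing or any access control product; it runs two checks a card access system’s audit log can support over a constructed sample log (ISO timestamp, badge number, reader name, result): a badge granted entry at two different sites closer together in time than anyone could travel, and a badge granted entry to a site it already entered and never left (anti-passback). Reader names, site names and the 45-minute travel figure are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Which site each reader belongs to, and which way it faces (constructed).
READER_SITE = {
    "HQ-LOBBY-IN": "HQ", "HQ-LOBBY-OUT": "HQ",
    "DC-MANTRAP-IN": "DC", "DC-MANTRAP-OUT": "DC",
}
READER_DIRECTION = {r: ("in" if r.endswith("-IN") else "out") for r in READER_SITE}

# Shortest plausible trip between two sites. One badge granted at both inside
# this window is being carried by two people: shared or cloned. (Assumed figure.)
MIN_TRAVEL = {frozenset({"HQ", "DC"}): timedelta(minutes=45)}

# Constructed sample of a card access audit log: time, badge, reader, result.
SAMPLE_LOG = """\
2014-03-10T08:00:12 0123-45678 HQ-LOBBY-IN GRANT
2014-03-10T08:06:40 0123-45678 DC-MANTRAP-IN GRANT
2014-03-10T08:15:03 0042-00917 HQ-LOBBY-IN GRANT
2014-03-10T08:16:10 0042-00917 HQ-LOBBY-IN DENY
2014-03-10T09:10:00 0123-45678 HQ-LOBBY-IN GRANT
2014-03-10T12:00:00 0042-00917 HQ-LOBBY-OUT GRANT
2014-03-10T12:50:00 0042-00917 DC-MANTRAP-IN GRANT
"""


def parse_log(text):
    """Return events as (time, badge, reader, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, reader, result = line.split()
        events.append((datetime.fromisoformat(ts), badge, reader, result))
    return sorted(events)


def clone_indicators(events):
    """Flag (badge, rule, previous_reader, reader) for suspicious grant sequences."""
    findings = []
    last_grant = {}             # badge -> (time, reader) of its most recent grant
    inside = defaultdict(set)   # badge -> sites it has entered and not left
    for t, badge, reader, result in events:
        if result != "GRANT":   # denials are noisy on their own; only grants matter here
            continue
        site = READER_SITE[reader]
        prev = last_grant.get(badge)
        if prev is not None:
            t0, r0 = prev
            s0 = READER_SITE[r0]
            limit = MIN_TRAVEL.get(frozenset({s0, site}))
            # Two different sites, closer together than the trip takes.
            if s0 != site and limit is not None and t - t0 < limit:
                findings.append((badge, "impossible-travel", r0, reader))
        if READER_DIRECTION[reader] == "in":
            # Entering a site the badge is already inside of: anti-passback.
            if site in inside[badge]:
                findings.append((badge, "anti-passback", prev[1], reader))
            inside[badge].add(site)
        else:
            inside[badge].discard(site)
        last_grant[badge] = (t, reader)
    return findings


if __name__ == "__main__":
    for badge, rule, prev_reader, reader in clone_indicators(parse_log(SAMPLE_LOG)):
        print(f"{badge}: {rule} ({prev_reader} -> {reader})")
```

Anti-passback only works where exits are badged too; a site with free-exit doors cannot tell a clone from an employee who walked out behind a colleague, so the impossible-travel check is the more robust of the two where both sites log grants.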

Employee awareness and training remain the best defense against physical and social engineering tricks, so please pass the link to this briefing along to those who might benefit from it. We also offer multiple training options, ranging from a 1-day seminar or workshop to a full 5-day boot camp.


Ryan Salsbury and Jonathan Pollet