Hackers can break into just about any office using a device that will steal the data from the employee badge sitting right on your belt.
That’s just what white hat hackers from RedTeam Security demonstrated for us as we followed them during a security test of a power company in the Midwest. While the team started out using lock picks and jumping fences, they eventually were able to walk right into doors with badges they had cloned.
The hackers got those badges with nothing more than roughly $700 worth of equipment that steals badge data, along with some ingenious ways of getting it near targeted employees.
“Yeah we got the big, long range reader from Amazon,” said Matt Grandy, security consultant for RedTeam Security. “They’re also all over on eBay.”
Grandy was referencing a badge reader that can be carried around in a bag, grabbing card data from up to three feet away. If it’s positioned close enough to a badge, the approximately $350 device reads the badge info off the card and stores it on a microSD card.
RedTeam exploited a well-known issue with RFID, or radio-frequency identification, which is a common method many organisations use to give employees access to facilities. Employees typically hold up their RFID-coded badges to an electronic reader outside a door, which then tells the door, “Hey, let this person in.”
The problem is that much of the time, that data is sent in the clear without encryption, giving hackers an opportunity to snatch the data right off an employee’s card so they can clone it for their own purposes.
In order to get close to an employee, RedTeam came up with a number of possible methods, such as hanging around the company’s smoking area with other employees, or social engineering their way inside under false pretenses. Security consultant Kurt Muhl went with the latter, pretending to be a college student and arranging a tour of the company’s facility by one of its employees.
During his tour, Muhl carried what looked like a black laptop bag, which housed the RFID reader that eventually grabbed the employee’s badge out of thin air. Once he had the badge data, all Muhl had to do was take out the memory card and plug it into a computer with a $300 device called a Proxmark, which takes that data and writes it to a new card.
“Basically, if the card gets close enough to a card reader, it just starts yelling out its ones and zeroes,” Francis Brown, managing partner at security firm Bishop Fox, told eWeek.
Fortunately, there is at least some protection from this type of attack. The cheapest option would be to use a sleeve for cards that blocks RFID signals from going out, but the best option is to use a more sophisticated system that doesn’t have everything a hacker needs right on the badge.
“There are two options,” Grandy said. “First, use a rolling code approach — which the transmitted code changes after each read based on an algorithm. The second is a challenge-response approach. Similar to the first except the reader sends a message to the card, the card computes a code based on an algorithm and then responds with that code.”
He added: “Both require new and more expensive technology so it’s hard to push for it after you already have an RFID system in place.”