Slashdot Mirror


Tools Coming To Def Con For Hacking RFID Access Doors

jfruh writes: Next month's Def Con security conference will feature, among other things, new tools that will help you hack into the RFID readers that secure doors in most office buildings. RFID cards have been built with more safeguards against cloning; these new tools will bypass that protection by simply hacking the readers themselves. ITWorld reports that Francis Brown, a partner at the computer security firm Bishop Fox, says: "...his aim is to make it easier for penetration testers to show how easy it is to clone employee badges, break into buildings and plant network backdoors—without needing an electrical engineering degree to decode the vagaries of near-field communication (NFC) and RFID systems."

27 comments

  1. So? by Anonymous Coward · · Score: 1

    It's called the Wiegand (https://en.wikipedia.org/wiki/Wiegand_interface) protocol. It's not rocket science to capture and replay it.

    If you're able to access the communication wiring, you probably can just reach in and grab the strike wiring too and supply 24v to it to open the door. Most secure places that care about security will also secure the cabling used for the readers.

    1. Re:So? by xxxJonBoyxxx · · Score: 4, Interesting

      >> if you're able to access the communication wiring, you probably can just reach in and grab the strike wiring too and supply 24v to it to open the door

      Hammer? Check.
      3x 9V batteries in series? Check.

      However, it's still more work than just tailgating someone with your arms full of lunch and a laptop...

    2. Re:So? by Anonymous Coward · · Score: 0

      Where I work, all the swipe doors have wiring going through metal conduit inside the wall (concrete block). You can't access it unless the door is open, as the wiring goes right through the middle metal hinge, which is closed... and no, you can't pop the hinges off like a regular door.

    3. Re:So? by rogoshen1 · · Score: 1

      Seriously, this guy will probably have the most sane post in this entire thread. Clever hacks and technical trickery are well and good, but the human element and gaming people are always going to be the easiest and most reliable ways to defeat security.

    4. Re:So? by Anonymous Coward · · Score: 0

      The reader does not control the door, so accessing the reader does not give you access to the strike. The strike is manipulated by the controller, readers do not make access decisions. The controller is deep inside the building in an MDF or IDF.

  2. 2005 called and they want their RFID hacks back by Anonymous Coward · · Score: 0

    Seriously, how is this tripe newsworthy?

  3. Tools? by Coren22 · · Score: 4, Funny

    I'm sure there will be many tools going to Def Con, what does that have to do with RFID hacking?

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?

  4. you can crack anything with about 5 mins thought by swschrad · · Score: 1

    Doesn't mean in most cases you will get to anything interesting. Unless there are open computers glaring at you in cubes, all today's valuables are in servers in the cloud. And you might get snagged in the hallway and get a Karma thrashing... dragged to a conference room and put on The Recovery From Hell.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?

  5. Re:you can crack anything with about 5 mins though by xxxJonBoyxxx · · Score: 1

    >> all today's valuables are in servers in the cloud

    Hmmm...I'd check to see what's actually on your "local" cell phone then.

  6. If all else fails... by freak0fnature · · Score: 1

    Just break the window if you want in that badly.

  7. de haxx0rz by Anonymous Coward · · Score: 0

    r in ur d00rz nao

  8. Why not read the number on the RFID chip? by cycler · · Score: 1

    I might be missing the point but in the RFID access system I've seen the RFID only contains a number.

    So to clone it, put a reader in the close vicinity and just record the cards.

    In addition, all the access readers (magnetic strip or RFID) ALL have tripwire to detect if they are opened.

    As for hotwiring the lock, any decent installer will make sure that the wires are NOT accessible from the outside.

    /C

    1. Re:Why not read the number on the RFID chip? by cusco · · Score: 1

      ALL have tripwire to detect if they are opened

      No, not actually (although your installer probably claimed they did). It can be done, but it's expensive, a pain in the ass to set up and false alarms are frequent. For the most part if you have a decent set of security tools you can get into the reader (although not the controller) and do what you want with it. As long as the cover stays the same and the functionality doesn't change (LED colors are right, flashing or not, door opens when it's supposed to) the main risk would be getting noticed playing with the reader.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin

  9. Criminal by Stan92057 · · Score: 1

    new tools that will help you hack into the RFID readers that secure doors in most office buildings.

    Sorry, IMO this is a criminal act. It's one thing to find exploits and let the product maker fix them. It's very much another to create tools and make them public so the exploit can be used by ANYONE. Locks can be picked; that doesn't mean you're allowed to pick them, and doing so will result in getting arrested, as it should. These tools are created to break and enter, nothing more, nothing less.

    --
    Jack of all trades, master of none

    1. Re:Criminal by spire3661 · · Score: 1

      Why are you even on Slashdot? Do I have to spell out the idea that liberty does not need a reason to be enjoyed? If I want to hack RFID at home for fun and not profit, who are you to say that's wrong? You catch me breaking into a building, you go right ahead and arrest me, Mr Moral Crusader. Until then please shut up and let the grown-ups use our tools. Am I not allowed to pick my own locks?

      --
      Good-bye

  10. Done before by schitso · · Score: 3, Informative

    This was done several years ago by another: see here.
    The issue is that, even if you have the most secure, multi-factor biometric and smart card reader, it's still more than likely transmitting that data back to the access control panel via Wiegand, which offers not even the slightest bit of security against interception, replay, etc. OSDP has been around for a while and offers encryption to at least combat this, but, honestly, nobody freaking cares, and the lack of industry adoption of OSDP reflects this. There's a dozen and a half easier ways to get into a building.

  11. Missed link by schitso · · Score: 2

    Either I missed a tag or the PDF was filtered. Either way, just search for "Black Hat Gecko Wiegand".

  12. Amiibo by Anonymous Coward · · Score: 0

    What about other NFC stuff like Nintendo Amiibo?

    I really don't want to pay for an overpriced figurine just for a chip to enable content on a game I already paid for.

  13. Very much not new by Change · · Score: 3, Informative

    Take a look back to Zac Franken's talk at Defcon 15 (August 2007), where he introduced the same types of tools: https://www.defcon.org/images/...
    tl;dr you clip into the data lines of an RFID card reader and record the (plaintext) transactions, then you can later play them back directly over the same bus so the access control system sees what it thinks is a card read from the reader.
    Mitigation? Keep your access control readers behind an RF-transparent barrier (glass works, as long as it's not metallic-particle tinted).

    1. Re:Very much not new by freeze128 · · Score: 1

      Well, if I had access to the reader's data lines, I would ALREADY BE INSIDE THE BUILDING!

    2. Re:Very much not new by adolf · · Score: 2

      No, you wouldn't -- at least, not with any sensible topology.

      The way it usually works is like this: You present your Wiegand card to the Wiegand reader, some magic RF resonance happens, and a stream of bits is produced on a wire.

      At the other end of this wire, buried deep in the bowels of the building, is a computer (embedded or not) which verifies that your bits are the correct bits. If they are correct, it closes a relay that makes the door open, and (optionally) signals the reader to provide feedback to the user (blinking LED, sound, etc). If they are incorrect bits, it doesn't do anything with the door, and (optionally) provides feedback to that effect (in the form of a blinking LED, sound, dumping poison gas).

      Getting access to the data lines at the reader does not magically equate to physical access to the building, except in Hollywood movies and horrifyingly bad installations (whereby the insecure reader itself does the numeric verification, and/or uses its own internal relay to control the door).

      IOW, you can pry the reader off of the wall and twist any wires together that you want... and nothing happens at all except perhaps a blown fuse somewhere upstream and a headache for whoever has to clean up your mess.
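      As an added illustration of the reader-to-controller bit stream described in the comment above (example code, not from the thread, Bishop Fox or any vendor): a controller-side decoder for the common 26-bit Wiegand frame layout, which the example assumes. The only checks the controller has are parity and an allow-list lookup, which is why a frame injected on the wire with correct parity is indistinguishable from a genuine badge read.

```python
"""Decode a 26-bit Wiegand frame the way an access controller does.

Added example, not code from the thread or any vendor. It assumes the
common 26-bit layout (often called H10301):
  bit 0        even parity over bits 1..12
  bits 1..8    8-bit facility code
  bits 9..24   16-bit card number
  bit 25       odd parity over bits 13..24
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Wiegand26:
    facility: int
    card: int


def _parity(bits):
    return sum(bits) % 2


def encode_wiegand26(facility: int, card: int) -> str:
    """Build the 26-bit frame a reader clocks out for this badge."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility must fit 8 bits, card 16 bits")
    data = [int(b) for b in f"{facility:08b}{card:016b}"]
    even = _parity(data[:12])     # set iff first 12 data bits have odd ones
    odd = 1 - _parity(data[12:])  # set iff last 12 data bits have even ones
    return "".join(str(b) for b in [even] + data + [odd])


def decode_wiegand26(frame: str) -> Wiegand26:
    """Check both parity bits and split out the fields; raise if malformed."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    bits = [int(b) for b in frame]
    if _parity(bits[:13]) != 0:
        raise ValueError("leading even-parity check failed")
    if _parity(bits[13:]) != 1:
        raise ValueError("trailing odd-parity check failed")
    return Wiegand26(int(frame[1:9], 2), int(frame[9:25], 2))


def controller_decision(frame: str, allowed: set) -> bool:
    """Parity plus an allow-list lookup is all the controller can do:
    nothing in the frame proves it came from a card rather than the wire."""
    try:
        badge = decode_wiegand26(frame)
    except ValueError:
        return False
    return (badge.facility, badge.card) in allowed
```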

    3. Re: Very much not new by Anonymous Coward · · Score: 0

      What did you think of Franken's tool, the Gecko, when you used it? Oh wait, he never actually released it, so it's basically nothing more than a photo on the internet. Wouldn't it be great if someone actually released a tool you could use? Like this, maybe?

    4. Re:Very much not new by schitso · · Score: 1

      Minor correction: the card would very likely not be a Wiegand card, as that's an old swipe technology. (The dude loved naming things after himself.) It'd more than likely be prox in the USA, since our adoption of smart cards is a decade behind the rest of the world.

    5. Re: Very much not new by Anonymous Coward · · Score: 0

      What did you think of Franken's tool, the Gecko, when you used it? Oh wait, he never actually released it, so it's basically nothing more than a photo on the internet. Wouldn't it be great if someone actually released a tool you could use? Like this, maybe?

      Look at Bishop Fox's MaxiProx 5375 evil twin attack... a proximity heist: you don't have to tamper with their box. Just get close to some execs in an elevator. Most boxes will have an anti-tamper switch signaling the controller when the cover is opened... so you aren't likely to even install Zac's "Gecko" without being detected.

    6. Re:Very much not new by adolf · · Score: 1

      You're right; I was mistakenly conflating Wiegand (the protocol) with Wiegand (the contact-required card format that defined the de-facto and like-named protocol).

      Point remains: Yanking the biometric/Wiegand/prox/NFC/whatever reader off of the wall and poking at the wires still does not gain the attacker access, unless Hollywood.

      Also: Wiegand wire (the material that allowed the card to exist) is clever stuff.

  14. Somehow not an issue for small businesses? by kingbilly · · Score: 1

    We have these readers at our new facility, but we also have an alarm that has to be disabled once you enter. When you have to mutilate the reader to insert this tool, you are just a few steps away from a 5 dollar wrench anyway. Who doesn't have a burglar alarm? For our facility this news is zzzz. Only a foolish company would rely solely on just an RFID reader.

    Now a huge business that isn't concerned about access after hours, but is instead relying solely on RFID during the day for some secured parts of the building - sure something like this could be an issue. But even then, for the amount of work for a one time event you might as well pickpocket someone else's card.