Slashdot Mirror


Tools Coming To Def Con For Hacking RFID Access Doors

jfruh writes: Next month's Def Con security conference will feature, among other things, new tools that will help you hack into the RFID readers that secure doors in most office buildings. RFID cards have been built with more safeguards against cloning; these new tools will bypass that protection by simply hacking the readers themselves. ITWorld reports that Francis Brown, a partner at the computer security firm Bishop Fox, says: "...his aim is to make it easier for penetration testers to show how easy it is to clone employee badges, break into buildings and plant network backdoors—without needing an electrical engineering degree to decode the vagaries of near-field communication (NFC) and RFID systems."

6 of 27 comments

  1. Re:So? by xxxJonBoyxxx · · Score: 4, Interesting

    >> if you're able to access the communication wiring, you probably can just reach in and grab the strike wiring too and supply 24v to it to open the door

    Hammer? Check.
    3x 9V batteries in series? Check.

    However, it's still more work than just tailgating someone with your arms full of lunch and a laptop...

  2. Tools? by Coren22 · · Score: 4, Funny

    I'm sure there will be many tools going to Def Con, what does that have to do with RFID hacking?

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?

  3. Done before by schitso · · Score: 3, Informative

    This was done several years ago by another: see here.
    The issue is that, even if you have the most secure, multi-factor biometric and smart card reader, it's still more than likely transmitting that data back to the access control panel via Wiegand, which offers not even the slightest bit of security against interception, replay, etc. OSDP has been around for a while and offers encryption to at least combat this, but, honestly, nobody freaking cares, and the lack of industry adoption of OSDP reflects this. There's a dozen and a half easier ways to get into a building.

  4. Missed link by schitso · · Score: 2

    Either I missed a tag or the PDF was filtered. Either way, just search for "Black Hat Gecko Wiegand".

  5. Very much not new by Change · · Score: 3, Informative

    Take a look back to Zac Franken's talk at Defcon 15 (August 2007), where he introduced the same types of tools: https://www.defcon.org/images/...
    tl;dr you clip into the data lines of an RFID card reader and record the (plaintext) transactions, then you can later play them back directly over the same bus so the access control system sees what it thinks is a card read from the reader.
    Mitigation? Keep your access control readers behind an RF-transparent barrier (glass works, as long as it's not metallic-particle tinted).
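To make concrete what the comments above (schitso's point about Wiegand offering no protection against interception or replay, and the description of plaintext transactions on the reader-to-panel bus) are saying, here is an added example that is not part of this thread or of any commenter's post. It encodes and decodes the common 26-bit Wiegand frame layout (8-bit facility code, 16-bit card number, two parity bits) and shows what a panel can actually verify on that bus: parity and membership in an allow list, nothing more. The frame layout is the widely published 26-bit format; the function names, the sample facility/card values and the allow list are constructed for this example.

```python
# Added example (not from the thread): 26-bit Wiegand frame encode/decode.
# Bit layout (bit 0 is sent first):
#   bit 0      : even parity over bits 1..12
#   bits 1..8  : 8-bit facility code
#   bits 9..24 : 16-bit card number
#   bit 25     : odd parity over bits 13..24
# The frame is fully determined by (facility, card). It carries no key,
# nonce, counter or MAC, which is why a panel cannot tell a live read from
# a recorded copy of the same bits.

from typing import Optional, Set, Tuple


def encode_wiegand26(facility: int, card: int) -> str:
    """Build the 26-bit frame a reader would clock out for this card."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility must fit in 8 bits, card number in 16 bits")
    payload = f"{facility:08b}{card:016b}"          # data bits 1..24
    left, right = payload[:12], payload[12:]
    even = str(left.count("1") % 2)                  # makes bits 0..12 even
    odd = str((right.count("1") + 1) % 2)            # makes bits 13..25 odd
    return even + payload + odd


def decode_wiegand26(bits: str) -> Optional[Tuple[int, int]]:
    """Return (facility, card) if parity checks pass, else None."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        return None
    if bits[0:13].count("1") % 2 != 0:               # even parity group
        return None
    if bits[13:26].count("1") % 2 != 1:              # odd parity group
        return None
    return int(bits[1:9], 2), int(bits[9:25], 2)


def panel_accepts(frame: str, authorized: Set[Tuple[int, int]]) -> bool:
    """Everything a Wiegand panel can check: parity plus allow-list lookup.
    Any frame that passed once will pass again; there is no freshness."""
    decoded = decode_wiegand26(frame)
    return decoded is not None and decoded in authorized


def same_bits_every_time(facility: int, card: int, reads: int = 3) -> bool:
    """Show that repeated presentations of one card yield identical frames,
    so the panel sees nothing that distinguishes read N from read 1."""
    frames = {encode_wiegand26(facility, card) for _ in range(reads)}
    return len(frames) == 1


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    allow = {(123, 45678), (7, 1)}
    frame = encode_wiegand26(123, 45678)
    print("frame on the bus :", frame)
    print("panel accepts    :", panel_accepts(frame, allow))
    print("identical reads  :", same_bits_every_time(123, 45678))
    corrupted = frame[:5] + ("0" if frame[5] == "1" else "1") + frame[6:]
    print("one flipped bit  :", panel_accepts(corrupted, allow))   # parity fails
```

The only defence the frame itself offers is parity, which catches line noise, not a deliberate replay; that is the gap OSDP's secure channel (mentioned in comment 3) is meant to close, and why the mitigation in the parent comment targets physical access to the reader and its wiring rather than the protocol.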

    1. Re:Very much not new by adolf · · Score: 2

      No, you wouldn't -- at least, not with any sensible topology.

      The way it usually works is like this: You present your Wiegand card to the Wiegand reader, some magic RF resonance happens, and a stream of bits is produced on a wire.

      At the other end of this wire, buried deep in the bowels of the building, is a computer (embedded or not) which verifies that your bits are the correct bits. If they are correct, it closes a relay that makes the door open, and (optionally) signals the reader to provide feedback to the user (blinking LED, sound, etc). If they are incorrect bits, it doesn't do anything with the door, and (optionally) provides feedback to that effect (in the form of a blinking LED, sound, dumping poison gas).

      Getting access to the data lines at the reader does not magically equate to physical access to the building, except in Hollywood movies and horrifyingly-bad installations (whereby the insecure reader itself does the numeric verification, and/or uses its own internal relay to control the door).

      IOW, you can pry the reader off of the wall and twist any wires together that you want... and nothing happens at all except perhaps a blown fuse somewhere upstream and a headache for whoever has to clean up your mess.