Hacking RFID Tags Is Easier Than You Think: Black Hat
LAS VEGAS—Radio-frequency identification tags are widely deployed around the world and commonly used for building security system cards. As it turns out, those RFID security cards might not be all that secure.
That is the conclusion of Francis Brown, managing partner at security firm Bishop Fox, who detailed his research on RFID hacking on July 31 at the Black Hat security conference here. In an interview with eWEEK, Brown said he started out doing his RFID research focused on a specific requirement: He needed to break into a building.
Although there are multiple types of RFID technologies, the focus of Brown's efforts is on the 125 kHz frequency, which is the primary technology used for badge readers and physical security systems in buildings.
According to Brown, there are three steps to hacking RFID. Step one is stealing the badge information from somebody as they walk by.
"I want to be able to silently and discreetly steal that information as I walk by them," Brown said.
Step two is to make a copy of the RFID badge-reader card. Step three is for the penetration tester to use that copy to gain access to the target building.
"Out of those three steps, the part that was most lacking in terms of existing tools was step one," Brown said.
To aid in the silent theft of RFID information from unsuspecting passersby, Brown developed an open-source Arduino-based tool. Arduino is an open-source electronic prototyping platform often used by artists, designers and others.
"What I basically did is take a long-range reader, that is typically meant for parking garages, to collect the RFID data," Brown said. "Normally, you'd run a wire from the reader down a pole and into a building with a computer that makes the decision on whether the badge is valid or not."
Brown uses the Arduino-powered tool to capture that output instead of sending it to the building's computer. At Black Hat, Brown is releasing the code that needs to run on the Arduino.
"I'm letting the reader do all the work, and the Arduino is processing it and writing it to a text file," Brown explained.
Brown, who acquired the RFID reader on eBay, explained that, for legal reasons, he could not build his own RFID reader because of a number of patent-related concerns.
The RFID output that the Arduino gets is a 10-digit hexadecimal value. With that in hand, Brown said it's simple to replicate the remotely stolen information using a Proxmark device.
The unfortunate reality, according to Brown, is that with most of the building security badges that are running at 125 kHz, there is no secure authentication mechanism.
"Basically, if the card gets close enough to a card reader, it just starts yelling out its ones and zeroes," Brown said.
He added that there are more secure solutions available from commercial RFID vendor HID, though they are not widely deployed.
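To make the difference concrete, here is an added simulation (not code from the article or from Bishop Fox) contrasting the two designs Brown describes: a 125 kHz badge whose only credential is a fixed ID that any reader can record, and a challenge-response card that must answer a fresh nonce with a keyed MAC. The badge ID, the shared key and the nonce size are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample badge ID, in the 10-hex-digit (40-bit) form the article
# says the reader emits. Not a real badge.
BADGE_ID = "2004E1F3A7"


class StaticIdReader:
    """Models a typical 125 kHz system: the card transmits a fixed ID and the
    backend only checks whether that ID is on the authorized list."""

    def __init__(self, authorized_ids):
        self.authorized = set(authorized_ids)

    def verify(self, transmitted_id):
        # Whatever device transmits the ID is accepted: the ID is the whole secret.
        return transmitted_id in self.authorized


def static_card_emit(badge_id):
    # The card "yells out its ones and zeroes": the same bits every time.
    return badge_id


class ChallengeResponseReader:
    """Models the more secure design: the reader issues a random nonce and the
    card must return HMAC(shared_key, nonce). Keys map badge ID -> secret key."""

    def __init__(self, keys):
        self.keys = keys

    def challenge(self):
        return secrets.token_bytes(16)  # fresh 128-bit nonce per transaction

    def verify(self, badge_id, nonce, response):
        key = self.keys.get(badge_id)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def challenge_card_respond(key, nonce):
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_static(reader, captured_id):
    """Recorded ID presented again later: accepted, nothing ties it to the card."""
    return reader.verify(captured_id)


def replay_challenge(reader, badge_id, captured_response):
    """Recorded response presented to a new challenge: rejected, the nonce differs."""
    return reader.verify(badge_id, reader.challenge(), captured_response)
```

The static reader cannot distinguish the original card from a recording of it, which is exactly the gap a shielding sleeve or a challenge-response credential is meant to close.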
So how can people protect themselves and their badge IDs from being remotely stolen?
The simplest fix may be a protective sleeve or wallet that shields the badge so its information cannot be read remotely.
"The number-one catch with the RFID badge sleeve is that some of them work and some of them don't," Brown said. "My recommendation is that before you buy them, make sure you test them out to make sure they actually work."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.