Hacking RFID Tags Is Easier Than You Think: Black Hat
UPDATE: You know all those security badges people use to get into buildings? Many of them are hackable, according to Francis Brown, an executive at Bishop Fox.
UPDATED SEPT. 28, 2016: In the last three years, much has changed in RFID technology. In 2013, 125KHz RFID proximity badges were the default in nearly all deployments, but that's no longer the case in 2016. In a follow-up interview, Francis Brown, managing partner at security firm Bishop Fox, noted that since 2013, he has seen many organizations make the switch to newer, more secure high-frequency contactless card systems. Despite increased efforts and progress made by some companies in recent years to upgrade to more secure contactless card systems, the large majority of physical access control systems out there are still legacy 125KHz proximity card deployments, he said.
"I think my 2013 talk really hit home for a lot of people, and finally broke the inertia and motivated companies to take corrective action and protect themselves," Brown told eWEEK. "It ended up getting a lot of attention, especially when the hit show, 'Mr. Robot,' ended up using the Tastic RFID Thief to pull off their biggest hack against Evil Corp. in Season 1 [July 2015]." The same Tastic RFID Thief tool that Brown built in 2013 still works in 2016. The original attack focused on the 125KHz RFID system, but since 2013, Bishop Fox has demonstrated how it can be used to attack newer high-frequency badge systems like those for HID iCLASS access control systems, Brown said.
At Defcon 23 in 2015, Brown released additional tools for RFID hacking of badges, readers and controllers. Bishop Fox maintains a web page where it lists the current tools that are available.
Bishop Fox demonstrated its Danger Drone airborne hacking technology at the Black Hat USA 2016 security conference. It's a tool that Brown unabashedly admits has been used for RFID badge stealing, too.
"I'll admit, the Danger Drone isn't as practical of a tool for RFID badge stealing when compared to walking by someone with the stealthy Tastic RFID Reader hidden in a messenger bag," Brown said. "However, it is a bit more fun. I'm sure you can imagine scenarios where we have the drone flying by unsuspecting business folks, getting within the couple feet necessary to get a read on their proximity badges ... and scaring the crap out of them. "
On a more serious note, Brown said that the Danger Drone was originally conceived as a possible alternative to RFID badge hacking attacks altogether. The Tastic RFID Thief was designed to steal badge info, so that Bishop Fox researchers could create a cloned card and then enter a target facility in order to gain physical access to restricted internal networks and devices. While the Tastic RFID Thief approach has been effective for Bishop Fox thus far, Brown said that with the Danger Drone, his company could eliminate its physical exposure and risk of being apprehended.
"Rather than breaking in and plugging in, we could instead land on the roof, hack the WiFi and obtain the same unauthorized access to a target building's internal network," Brown said.
Here's eWEEK's Original Report From July 31, 2013:
LAS VEGAS—Radio-frequency identification tags are widely deployed around the world and commonly used for building security system cards. As it turns out, those RFID security cards might not be all that secure.