Sign in with
Sign up | Sign in

Hackers Could Clone Your Entry Card from Your Pocket

By - Source: Tom's Guide US | B 15 comments
Tags :

Are you able to get into your office by simply bumping your purse or wallet against a reader? Then your office is using radio-frequency identification cards, or RFID cards, to manage building access and security.

And those RFID cards are vulnerable — now more than ever before, thanks to an invention by security professional Fran Brown that can read RFID cards from a distance and copy their data.

Using Brown's device, all a criminal has to do is walk past you on the street in order to "clone" your RFID-equipped cards, even if they're buried in your purse or pocket, and thereby gain access to your office.

RFID technology is all over the place. Some devices like E-Z Passes (used in cars for tolls) use RFID chips, but they have a much larger range because they contain internal batteries that boost the signal. [See also: Wallet Guards to Digital Masks: Top Privacy Tech]

Brown is apparently talking only about passive RFID chips that don't contain internal power systems and typically need to be within a few inches of a scanner to be read. But passive RFID-equipped devices are even more prevalent than battery-powered ones.

Certain credit cards — the kind you wave instead of swipe — use passive RFID to exchange data. Disney theme parks use RFID chips in their park passes. Many car keys use RFID chips to turn on the car's system when the key is inserted.  Most Western and East Asian countries put RFID chips in their passports for easy identification. A school in California even uses the technology to keep track of their preschoolers.

Brown, who works for global security consulting firm Bishop Fox, said that every single Fortune 500 company uses passive low-frequency RFID readers in their employees' ID badges to regulate access into their office buildings.

Experts have long known that RFID systems are insecure. They contain no encryption, for example, so anyone who gets within range of a RFID card could easily copy the data and create a clone.

However, the range on RFID-equipped cards such as office ID cards, tickets and subway passes is so low that traditional RFID readers needed to get within inches of the device to get any data. Many thought that short range would be enough to keep the cards secure. Not anymore.

Brown's device, however, is capable of picking up low-frequency RFIDs from up to three feet away.

This means you could sit in a Starbucks using Brown's device, and in just a few minutes, you'd have the key codes for just about every office in the area.

Brown said his device has a 100 percent success rate. Moreover, he was able to train others to use the device in less than 10 minutes.

Brown will present his findings at Black Hat, a computer security conference held in Las Vegas next week. In his presentation, Brown will even teach attendants to make their own versions of the devices by modifying a commercial RFID reader with an Arduino microcontroller.

Is Brown worried that his releasing this information will equip potential criminals? Of course. But as Brown told security blog ThreatPost, explaining the flaw is the first step to fixing it.

“[Hackers] who are seriously motivated can build custom stuff on their own … As with any penetration testing tool, this one can be turned malicious. But the way I think of RFID Hacking is that it’s where Web application security was 10 years ago. Until people are [using RFID hacking for malicious purposes], no one is going to be motivated to do anything about it.”

At his Black Hat talk, Brown will also discuss preventative measures, such as protective sleeves for RFID-equipped ID cards, that could prevent the device from reading the cards.

Email jscharr@technewsdaily.com or follow her @JillScharr. Follow us @TomsGuide or on Facebook.

Discuss
Display all 15 comments.
This thread is closed for comments
  • 0 Hide
    KelvinTy , July 25, 2013 11:09 AM
    We probably all see it coming, but never bothered to think about it...
    I, for one, have 5 of them in my wallet, they interfere each other constantly, and I have to pull one of them out to make it work. So, I am not sure if it still poses a security threat.
  • 2 Hide
    Lord_Kitty , July 25, 2013 11:41 AM
    Quote:
    We probably all see it coming, but never bothered to think about it...
    I, for one, have 5 of them in my wallet, they interfere each other constantly, and I have to pull one of them out to make it work. So, I am not sure if it still poses a security threat.



    I think you just found the solution to the problem.
  • 0 Hide
    rodbowler , July 25, 2013 12:47 PM
    Passive RFID's can indeed be encrypted, and in fact all of mine are. As to the strength of the encryption, that's another story.
  • 2 Hide
    rclarke250 , July 25, 2013 12:49 PM
    I fail to see how this is even news, this was a known threat years ago, how do you think they can steal your bank card and credit card information by passing you on the street. Same technology. People and companies need to be smart, get badge holders and credit card sleeves from places like Identity Stronghold.
  • -1 Hide
    _Cosmin_ , July 25, 2013 1:08 PM
    This is the first step in expanding it`s range... then these readers will be linked to security cameras and big brother knows every move you make!
  • 1 Hide
    velocityg4 , July 25, 2013 1:27 PM
    Why doesn't RFID die already? Is it really that difficult to swipe a card? A magnetic strip is secure. I use magnetic strip cards to pay for stuff all the time. I fail to see how it is so inconvenient to swipe instead of wave. You still have to manipulate the card near the reader in either case.
  • 0 Hide
    Honis , July 25, 2013 1:28 PM
    Passive RFID cards run off the readers power (the reader transmits a signal and the card broadcasts using that power similar to the wireless charging that's become popular lately.) It's not really a surprise that the distance factor was overcome. Before this was overcome, it was just a matter of concealing a reading antenna in a glove, briefcase, purse, etc and standing in a crowded place making sure to brush past other brief cases, purses, and hindquarters.
  • 1 Hide
    targetdrone , July 25, 2013 1:28 PM
    Welcome to more than 5 years ago.
  • 0 Hide
    dgingeri , July 25, 2013 2:49 PM
    They couldn't get my credit cards. I have a fermi cage wallet. :) 
  • 0 Hide
    Someone Somewhere , July 25, 2013 6:22 PM
    Think you mean Faraday cage. And yeah, that's a solution. Not a perfect one though - how many people are going to ignore it and just keep the card separate.

    RSA in RFID tags FTW. Have it broadcast the public key and sign a piece of random data sent to it.
  • 0 Hide
    ko888 , July 25, 2013 9:34 PM
    Mag stripe cards are also a joke. Smart Card chips are better.
  • 0 Hide
    InvalidError , July 26, 2013 8:15 AM
    RFID devices that hold important / private information need to use RFID micro-controllers with secure authentication; not mere RFID data tags.

    Example of secure system:
    1- security checkpoint detects a tag and sends a 1KB one-time pad to it
    2- RFID micro-controller encrypts the one-time pad with AES128 using its private key and returns a SHA1 hash with its account number or other ID
    3- security checkpoint device sends the pad, account ID and hash to authentication servers
    4- authentication servers verify that the returned hash is valid for that account's key and authorize/deny access accordingly
  • 0 Hide
    kujospam , July 26, 2013 9:49 AM
    All you need to do is make an RFID passive key fob. So it does a calculation that changes every 30 seconds. So the Reader sends power and a time stamp and then the RFID chip sends back the code. The code would only be good for 30 seconds or whatever. Just like they use for VPN authentication. The difference being you don't have to type in that stupid number back into the computer. RFID does it for you.
  • 0 Hide
    ddpruitt , July 26, 2013 8:38 PM
    Quote:
    Brown said his device has a 100 percent success rate.


    I question anyone claiming 100% success rate. Even a well tested design will glitch and fail occasionally. While this is old news my guess is whatever he's claiming is more than just a bit sketchy.
  • 0 Hide
    PhoneyVirus , July 30, 2013 11:48 AM
    Tell me something I don't already know, thanks for the reminder though.
Tom’s guide in the world
  • Germany
  • France
  • Italy
  • Ireland
  • UK
Follow Tom’s guide
Subscribe to our newsletter