Are you able to get into your office by simply bumping your purse or wallet against a reader? Then your office is using radio-frequency identification cards, or RFID cards, to manage building access and security.
And those RFID cards are vulnerable — now more than ever before, thanks to an invention by security professional Fran Brown that can read RFID cards from a distance and copy their data.
Using Brown's device, all a criminal has to do is walk past you on the street in order to "clone" your RFID-equipped cards, even if they're buried in your purse or pocket, and thereby gain access to your office.
RFID technology is all over the place. Some devices like E-Z Passes (used in cars for tolls) use RFID chips, but they have a much larger range because they contain internal batteries that boost the signal.
Brown is apparently talking only about passive RFID chips that don't contain internal power systems and typically need to be within a few inches of a scanner to be read. But passive RFID-equipped devices are even more prevalent than battery-powered ones.
Certain credit cards — the kind you wave instead of swipe — use passive RFID to exchange data. Disney theme parks use RFID chips in their park passes. Many car keys use RFID chips to turn on the car's system when the key is inserted. Most Western and East Asian countries put RFID chips in their passports for easy identification. A school in California even uses the technology to keep track of its preschoolers.
Brown, who works for global security consulting firm Bishop Fox, said that every single Fortune 500 company uses passive low-frequency RFID readers in their employees' ID badges to regulate access into their office buildings.
Experts have long known that RFID systems are insecure. They contain no encryption, for example, so anyone who gets within range of an RFID card could easily copy the data and create a clone.
However, the range on RFID-equipped cards such as office ID cards, tickets and subway passes is so low that traditional RFID readers needed to get within inches of the card to get any data. Many thought that short range would be enough to keep the cards secure. Not anymore.
Brown's device is capable of reading low-frequency RFID cards from up to three feet away.
This means you could sit in a Starbucks using Brown's device, and in just a few minutes, you'd have the key codes for just about every office in the area.
Brown said his device has a 100 percent success rate. Moreover, he was able to train others to use the device in less than 10 minutes.
Brown will present his findings at Black Hat, a computer security conference held in Las Vegas next week. In his presentation, Brown will even teach attendees to make their own versions of the devices by modifying a commercial RFID reader with an Arduino microcontroller.
Is Brown worried that his releasing this information will equip potential criminals? Of course. But as Brown told security blog ThreatPost, explaining the flaw is the first step to fixing it.
“[Hackers] who are seriously motivated can build custom stuff on their own … As with any penetration testing tool, this one can be turned malicious. But the way I think of RFID Hacking is that it’s where Web application security was 10 years ago. Until people are [using RFID hacking for malicious purposes], no one is going to be motivated to do anything about it.”
At his Black Hat talk, Brown will also discuss preventative measures, such as protective sleeves for RFID-equipped ID cards, that could prevent the device from reading the cards.