LAS VEGAS — Many office access-card systems can be defeated by a tiny, cheap device that takes about 60 seconds to install, two Canadian researchers demonstrated yesterday (Aug. 6) at the Black Hat security conference here.
Mark Baseggio of security firm Optiv and Eric Evenchick of electric-car startup Faraday Future explained that their battery-powered device, called a BLEKey, intercepts codes transmitted and received by access-card readers made by Texas-based HID Global and used by thousands of companies across North America.
The BLEKey then transmits the code via a Bluetooth Low Energy (BLE) signal to a nearby smartphone, which can replay the code to grant unauthorized persons entry to a secure area, or retain the code to create counterfeit access cards. Baseggio and Evenchick had 250 BLEKeys made in China for about $10 each.
"If it seems that we're picking on HID, that's only because of its marketplace prominence," Evenchick said, adding that other makers of access-card systems were vulnerable as well.
The problem with most access cards and readers, Baseggio and Evenchick explained, is that the systems use a decades-old technology called the Wiegand effect. It's named after the physicist who discovered in the 1970s that with properly designed wires, magnetic induction could be used to transmit data at close proximity, usually less than an inch.
Wiegand "wires" are the basis of most keycard systems in North America, the researchers said, because even newer access-card systems using more secure technologies frequently "downgrade" to Wiegand protocols to ensure backward compatibility.
However, the BLEKey doesn't directly capture the magnetic signals transmitted between the keycard and the reader. Instead, you have open up the card reader and install the BLEKey, which is not much bigger than a quarter. But because the device simply crimps onto three existing wires without breaking them, it can be installed in about a minute, as a video by Baseggio and Evenchick demonstrated.
Once it's in the card reader, the BLEKey reads the electric pulses that travel through the wires whenever an access-card is read and transmits them to a nearby smartphone. The captured data can be used to grant unauthorized access to an office or other facility.
Even card readers that force users to enter a PIN into a keypad to gain entry can be defeated, the researchers said, because the PIN data is transmitted along the same wires that the BLEKey is crimped to.
(Sometimes you don't even have to intercept the codes, Baseggio and Evenchick pointed out; many keycards have the codes printed right on the back, and a photograph will do.)
The researchers demonstrated the BLEKey on a miniature door connected to an HID access-card reader. Evenchick swiped a keycard next to the reader, opening the door while Baseggio captured the code on his smartphone a few feet away. Baseggio then opened the door again from his smartphone.
By transmitting bogus signals, they explained, the BLEKey could also be used to deny authorized users access.
The pair showed off something that didn’t need a BLEKey — an extra-strength commercially available card reader with a range of several inches. They had rigged it up to a battery and placed it in a backpack, and explained that the reader could be used to capture keycodes from people walking in a crowd.
Companies can defeat BLEKeys, the researchers said, by implementing tamper-proof features on keycard readers, logging user entry patterns and using a video-surveillance system to match card entry ID with visual ID.
Evenchick and Baseggio handed out their stock of BLEKeys for free after their presentation, but we just missed out and won't be able to hack into our own office quite yet. The researchers plan to put their diagrams and instructions online so that anyone can replicate their efforts.
- 10 Worst Data Breaches of All Time
- 7 Easy Ways to Get Your Identity Stolen
- The Best (and Worst) Identity Theft Protection