WASHINGTON — Do you swipe or tap an access card in order to get into your workplace? If so, it might be easier than you'd think to break in, security researcher Kenny McElroy told the ShmooCon hacker conference here yesterday (Jan. 13).
Magnetic door sensors and weak magnetic door locks can be defeated by refrigerator magnets, McElroy said. Barbecue lighters or even electric socks can open infrared exit switches from the inside, and wire coat hangers can open capacitive-touch exit switches that sense the human body's electrical current. (In both cases, the attacker has to poke the device through the crack between the door and frame.)
Even radio-frequency ID (RFID) access cards that are tapped on a wall sensor can be defeated if you unscrew the sensor wall plate and clamp on a voltage sensor. Two Canadian researchers showed how to do this at the Black Hat security conference in 2015, transmitting captured voltage readings via Bluetooth to a nearby smartphone. Yesterday, McElroy showed how to gain greater range (and greater chances of not getting caught) by transmitting those ID-card readings via Wi-Fi instead.
McElroy calls his device the ESPKey. It is a small board that costs about $100 to make and carries half a dozen wire clamps, a Wi-Fi transmitter and 4MB of memory. In an on-site demonstration, McElroy showed that it takes two or three minutes to open an RFID card reader's wall plate, attach the ESPKey and reinstall the wall plate. (The RFID card reader McElroy used for his demonstration had a single screw holding on the wall plate.)
The ESPKey's clamps don't break the wires, but they do measure the voltage levels on each wire. Every time an employee taps his card, the ESPKey records the rising and falling voltages by which the card reader transmits the card's number as binary ones and zeroes. A hacker connected via Wi-Fi to the ESPKey needs only to play back the same sequence of voltage pulses from a laptop to open the door, as McElroy showed on stage.
Even better for the attacker, the ESPKey's 4MB of memory can capture the ID codes of everyone in the workplace. Some employees may have privileged access to restricted areas such as server rooms, and it's those card codes that would be the most valuable.
Biometric access devices such as fingerprint or iris scanners wouldn't be able to prevent such attacks, McElroy said, because the ESPKey would still be able to capture their internal signals. The only solutions would be to make the access devices very hard to break into physically, or to encrypt the signals within the devices.
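The replay described above works because the wire between reader and door controller carries the card number as bare pulses with nothing that ties a transmission to a moment in time. The following Python example is added here to illustrate McElroy's second remedy, encrypting or authenticating the signal inside the device; it is not ESPKey code or any real reader's protocol. It models a plaintext link, where a captured frame replays successfully, beside a link whose frames carry a monotonic counter and an HMAC under a key shared by reader and controller, so the same captured bytes are rejected the second time. The key, badge number and frame layout are all constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo key shared by reader and controller (not a real secret).
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"

# Plaintext link: what today's wiring looks like. The card number crosses the
# wire as bare bits, so anything that records the bits can reproduce them.


def encode_plaintext_frame(card_id: int) -> bytes:
    return struct.pack(">I", card_id)


class PlaintextController:
    """Accepts whatever bits arrive; a captured frame is indistinguishable from a fresh tap."""

    def __init__(self, authorized):
        self.authorized = set(authorized)

    def handle(self, frame: bytes) -> bool:
        (card_id,) = struct.unpack(">I", frame)
        return card_id in self.authorized


# Authenticated link: the reader binds the card number to a counter that only
# ever increases and appends a MAC, so the controller can tell a replay apart.

BODY_LEN = 12   # 4-byte card id + 8-byte counter
TAG_LEN = 16    # truncated HMAC-SHA256


def encode_authenticated_frame(card_id: int, counter: int, key: bytes = SHARED_KEY) -> bytes:
    body = struct.pack(">IQ", card_id, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthenticatedController:
    """Verifies the MAC and refuses any counter it has already accepted."""

    def __init__(self, authorized, key: bytes = SHARED_KEY):
        self.authorized = set(authorized)
        self.key = key
        self.last_counter = -1  # highest counter accepted so far (would be persisted in practice)

    def handle(self, frame: bytes) -> bool:
        if len(frame) != BODY_LEN + TAG_LEN:
            return False
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # wrong key or altered bytes
        card_id, counter = struct.unpack(">IQ", body)
        if counter <= self.last_counter:
            return False  # replayed frame: counter is not fresh
        self.last_counter = counter
        return card_id in self.authorized


def demo() -> dict:
    """Run the same captured frame through both controllers and report what each does."""
    badge = 0x0001A2B3  # constructed badge number
    authorized = {badge}

    plain = PlaintextController(authorized)
    captured = encode_plaintext_frame(badge)      # what a wire tap would record
    results = {
        "plain_first": plain.handle(captured),    # the employee's real tap
        "plain_replay": plain.handle(captured),   # the same bits again
    }

    auth = AuthenticatedController(authorized)
    captured_auth = encode_authenticated_frame(badge, counter=1)
    results["auth_first"] = auth.handle(captured_auth)
    results["auth_replay"] = auth.handle(captured_auth)   # same bytes: rejected
    forged = encode_authenticated_frame(badge, counter=2, key=b"wrong-key")
    results["auth_wrong_key"] = auth.handle(forged)       # bad MAC: rejected
    results["auth_next_tap"] = auth.handle(encode_authenticated_frame(badge, counter=2))
    results["auth_unknown_card"] = auth.handle(encode_authenticated_frame(0x00000042, counter=3))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:18s} {'door opens' if accepted else 'rejected'}")
```

The counter is the simplest freshness mechanism; a real design also has to provision the shared key into each reader, keep the controller's last-seen counter across power cycles, and pair the cryptography with the first remedy McElroy names, a housing that is hard to open, because a tap placed inside the reader ahead of the point where the MAC is computed still sees plaintext.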
McElroy's device isn't designed for criminals, but rather for penetration testers, who are security consultants paid to break into workplaces, both physically and digitally, to test their defenses. But the fact that a simple bit of electronic gear can defeat a sophisticated physical-access system should make us all wonder how safe office door locks really are.