Hackers Could Clone Your Entry Card from Your Pocket

Are you able to get into your office by simply bumping your purse or wallet against a reader? Then your office is using radio-frequency identification cards, or RFID cards, to manage building access and security.

And those RFID cards are vulnerable — now more than ever before, thanks to an invention by security professional Fran Brown that can read RFID cards from a distance and copy their data.

Using Brown's device, all a criminal has to do is walk past you on the street in order to "clone" your RFID-equipped cards, even if they're buried in your purse or pocket, and thereby gain access to your office.

RFID technology is all over the place. Some devices like E-Z Passes (used in cars for tolls) use RFID chips, but they have a much larger range because they contain internal batteries that boost the signal. [See also: Wallet Guards to Digital Masks: Top Privacy Tech]

Brown is apparently talking only about passive RFID chips that don't contain internal power systems and typically need to be within a few inches of a scanner to be read. But passive RFID-equipped devices are even more prevalent than battery-powered ones.

Certain credit cards — the kind you wave instead of swipe — use passive RFID to exchange data. Disney theme parks use RFID chips in their park passes. Many car keys use RFID chips to turn on the car's system when the key is inserted.  Most Western and East Asian countries put RFID chips in their passports for easy identification. A school in California even uses the technology to keep track of their preschoolers.

Brown, who works for global security consulting firm Bishop Fox, said that every single Fortune 500 company uses passive low-frequency RFID readers in their employees' ID badges to regulate access into their office buildings.

Experts have long known that RFID systems are insecure. They contain no encryption, for example, so anyone who gets within range of a RFID card could easily copy the data and create a clone.

However, the range on RFID-equipped cards such as office ID cards, tickets and subway passes is so low that traditional RFID readers needed to get within inches of the device to get any data. Many thought that short range would be enough to keep the cards secure. Not anymore.

Brown's device, however, is capable of picking up low-frequency RFIDs from up to three feet away.

This means you could sit in a Starbucks using Brown's device, and in just a few minutes, you'd have the key codes for just about every office in the area.

Brown said his device has a 100 percent success rate. Moreover, he was able to train others to use the device in less than 10 minutes.

Brown will present his findings at Black Hat, a computer security conference held in Las Vegas next week. In his presentation, Brown will even teach attendants to make their own versions of the devices by modifying a commercial RFID reader with an Arduino microcontroller.

Is Brown worried that his releasing this information will equip potential criminals? Of course. But as Brown told security blog ThreatPost, explaining the flaw is the first step to fixing it.

“[Hackers] who are seriously motivated can build custom stuff on their own … As with any penetration testing tool, this one can be turned malicious. But the way I think of RFID Hacking is that it’s where Web application security was 10 years ago. Until people are [using RFID hacking for malicious purposes], no one is going to be motivated to do anything about it.”

At his Black Hat talk, Brown will also discuss preventative measures, such as protective sleeves for RFID-equipped ID cards, that could prevent the device from reading the cards.

Email jscharr@technewsdaily.com or follow her @JillScharr. Follow us @TomsGuide or on Facebook.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

  • KelvinTy
    We probably all see it coming, but never bothered to think about it...
    I, for one, have 5 of them in my wallet, they interfere each other constantly, and I have to pull one of them out to make it work. So, I am not sure if it still poses a security threat.
  • Lord_Kitty
    We probably all see it coming, but never bothered to think about it...
    I, for one, have 5 of them in my wallet, they interfere each other constantly, and I have to pull one of them out to make it work. So, I am not sure if it still poses a security threat.

    I think you just found the solution to the problem.
  • rodbowler
    Passive RFID's can indeed be encrypted, and in fact all of mine are. As to the strength of the encryption, that's another story.
  • rclarke250
    I fail to see how this is even news, this was a known threat years ago, how do you think they can steal your bank card and credit card information by passing you on the street. Same technology. People and companies need to be smart, get badge holders and credit card sleeves from places like Identity Stronghold.
  • _Cosmin_
    This is the first step in expanding it`s range... then these readers will be linked to security cameras and big brother knows every move you make!
  • velocityg4
    Why doesn't RFID die already? Is it really that difficult to swipe a card? A magnetic strip is secure. I use magnetic strip cards to pay for stuff all the time. I fail to see how it is so inconvenient to swipe instead of wave. You still have to manipulate the card near the reader in either case.
  • Honis
    Passive RFID cards run off the readers power (the reader transmits a signal and the card broadcasts using that power similar to the wireless charging that's become popular lately.) It's not really a surprise that the distance factor was overcome. Before this was overcome, it was just a matter of concealing a reading antenna in a glove, briefcase, purse, etc and standing in a crowded place making sure to brush past other brief cases, purses, and hindquarters.
  • targetdrone
    Welcome to more than 5 years ago.
  • dgingeri
    They couldn't get my credit cards. I have a fermi cage wallet. :)
  • Someone Somewhere
    Think you mean Faraday cage. And yeah, that's a solution. Not a perfect one though - how many people are going to ignore it and just keep the card separate.

    RSA in RFID tags FTW. Have it broadcast the public key and sign a piece of random data sent to it.