Tools Coming To Def Con For Hacking RFID Access Doors
jfruh writes: Next month's Def Con security conference will feature, among other things, new tools that will help you hack into the RFID readers that secure doors in most office buildings. RFID cards have been built with more safeguards against cloning; these new tools will bypass that protection by simply hacking the readers themselves. ITWorld reports that Francis Brown, a partner at the computer security firm Bishop Fox, says: "...his aim is to make it easier for penetration testers to show how easy it is to clone employee badges, break into buildings and plant network backdoors—without needing an electrical engineering degree to decode the vagaries of near-field communication (NFC) and RFID systems."
So? (Score:1)
It's called the Wiegand (https://en.wikipedia.org/wiki/Wiegand_interface) protocol. It's not rocket science to capture and replay it.
If you're able to access the communication wiring, you probably can just reach in and grab the strike wiring too and supply 24v to it to open the door. Most secure places that care about security will also secure the cabling used for the readers.
Re:So? (Score:5, Interesting)
>> if you're able to access the communication wiring, you probably can just reach in and grab the strike wiring too and supply 24v to it to open the door
Hammer? Check.
3x 9V batteries in series? Check.
However, it's still more work than just tailgating someone with your arms full of lunch and a laptop...
you can crack anything with about 5 mins thought (Score:2)
Doesn't mean in most cases you will get to anything interesting. Unless there are open computers glaring at you in cubes, all today's valuables are in servers in the cloud. And you might get snagged in the hallway and get a Karma thrashing... dragged to a conference room and put on The Recovery From Hell.
Re: (Score:2)
>> all today's valuables are in servers in the cloud
Hmmm...I'd check to see what's actually on your "local" cell phone then.
Re: (Score:2)
Seriously, this guy will probably have the most sane post in this entire thread. Clever hacks and technical trickery are well and good, but the human element and gaming people are always going to be the easiest and most reliable ways to defeat security.
Tools? (Score:5, Funny)
I'm sure there will be many tools going to Def Con, what does that have to do with RFID hacking?
Why not read the number on the RFID chip? (Score:1)
I might be missing the point but in the RFID access system I've seen the RFID only contains a number.
So to clone it, put a reader in the close vicinity and just record the cards.
In addition, all the access readers (magnetic strip or RFID) ALL have tripwire to detect if they are opened.
As for hotwiring the lock, any decent installer will make sure that the wires are NOT accessible from the outside.
Re: (Score:2)
>> ALL have tripwire to detect if they are opened
No, not actually (although your installer probably claimed they did). It can be done, but it's expensive, a pain in the ass to set up and false alarms are frequent. For the most part if you have a decent set of security tools you can get into the reader (although not the controller) and do what you want with it. As long as the cover stays the same and the functionality doesn't change (LED colors are right, flashing or not, door opens when it's supposed to)
Criminal (Score:2)
Sorry, IMO this is a criminal act. It's one thing to find exploits and let the product maker fix them. It's very much another to create tools and make them public so the exploit can be used by ANYONE. Locks can be picked; that doesn't mean you're allowed to pick them, and doing so will result in getting arrested, as it should. These tools are created to break and enter, nothing more, nothing less.
Done before (Score:4, Informative)
The issue is that, even if you have the most secure, multi-factor biometric and smart card reader, it's still more than likely transmitting that data back to the access control panel via Wiegand [wikipedia.org], which offers not even the slightest bit of security against interception, replay, etc. OSDP [siaonline.org] has been around for a while and offers encryption to at least combat this, but, honestly, nobody freaking cares, and the lack of industry adoption of OSDP reflects this. There are a dozen and a half easier ways to get into a building.
Missed link (Score:3)
Very much not new (Score:4, Informative)
Take a look back to Zac Franken's talk at Defcon 15 (August 2007), where he introduced the same types of tools: https://www.defcon.org/images/... [defcon.org]
tl;dr you clip into the data lines of an RFID card reader and record the (plaintext) transactions, then you can later play them back directly over the same bus so the access control system sees what it thinks is a card read from the reader.
Mitigation? Keep your access control readers behind an RF-transparent barrier (glass works, as long as it's not metallic-particle tinted).
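To make concrete what "plaintext transactions" on the reader bus means, here is an added example (not code from the thread or from any of the talks it mentions) that does what the controller at the far end of the wire does with the standard 26-bit Wiegand frame: check the two parity bits and split out the facility code and card number. The sample facility/card values are constructed; the point for defenders is that nothing in the frame is secret, time-varying or signed, so an intact recorded frame validates exactly like a fresh read.

```python
# Added example: controller-side validation of a 26-bit Wiegand frame.
# Layout (standard 26-bit format): bit 0 = even parity over bits 1-12,
# bits 1-8 = facility code, bits 9-24 = card number,
# bit 25 = odd parity over bits 13-24.

def encode_wiegand26(facility: int, card: int) -> str:
    """Build the 26-bit frame as a '0'/'1' string, first bit on the wire first."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility must fit in 8 bits, card in 16 bits")
    data = f"{facility:08b}{card:016b}"          # 24 payload bits
    even = str(data[:12].count("1") % 2)          # even parity over first 12 bits
    odd = str((data[12:].count("1") + 1) % 2)     # odd parity over last 12 bits
    return even + data + odd

def decode_wiegand26(frame: str) -> dict:
    """Validate both parity bits and split the frame into its plaintext fields.

    This is the whole of what a Wiegand controller can check: there is no
    nonce, counter, MAC or reader identity, so a frame captured on the bus and
    replayed later is indistinguishable from a genuine card presentation.
    """
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        return {"valid": False, "facility": None, "card": None}
    data = frame[1:25]
    even_ok = frame[:13].count("1") % 2 == 0   # parity bit + first 12 data bits
    odd_ok = frame[13:].count("1") % 2 == 1    # last 12 data bits + parity bit
    return {
        "valid": even_ok and odd_ok,
        "facility": int(data[:8], 2),
        "card": int(data[8:], 2),
    }

if __name__ == "__main__":
    # Constructed sample badge: facility 42, card 12345
    frame = encode_wiegand26(42, 12345)
    print(frame, decode_wiegand26(frame))
    # Decoding the same recorded frame again yields the identical accepted read.
    print(decode_wiegand26(frame) == decode_wiegand26(frame))
```

A single flipped bit fails parity, but that only catches line noise, not a replay; the counter-measures the thread names (OSDP with encryption, tamper switches, keeping the wiring out of reach) are what address the actual weakness.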
Re: (Score:3)
No, you wouldn't -- at least, not with any sensible topology.
The way it usually works is like this: You present your Wiegand card to the Wiegand reader, some magic RF resonance happens, and a stream of bits is produced on a wire.
At the other end of this wire, buried deep in the bowels of the building, is a computer (embedded or not) which verifies that your bits are the correct bits. If they are correct, it closes a relay that makes the door open, and (optionally) signals the reader to provide feedback to
You're right; I was mistakenly conflating Wiegand (the protocol) with Wiegand (the contact-required card format that defined the de-facto and like-named protocol).
Point remains: Yanking the biometric/Wiegand/prox/NFC/whatever reader off of the wall and poking at the wires still does not gain the attacker access, unless Hollywood.
Also: Wiegand wire (the material that allowed the card to exist) is clever stuff.
Somehow not an issue for small businesses? (Score:1)
Now a huge business that isn't concerned about access after hours, but is instead relying solely on RFID during the day for some secured parts