Getting physical: A $10 device to clone RFID access keys on the go

A tiny open-source skimmer is due for public release within weeks.

A $10 device capable of skimming access cards on the go is soon to be released into the open-source community.

Radio-frequency identification (RFID) cards are a quick and convenient way for businesses to track when their employees are on site, and they also serve to restrict or permit access to particular corporate locations. While RFID technology can help secure enterprise offices in this way, the ease with which these access controls can be hacked has hit the spotlight in the form of a tiny device which costs only $10 to make.

Researchers Mark Baseggio from security firm Accuvant and Eric Evenchick from Faraday Future are the developers of the Bluetooth Low Energy device (BLEKey), a coin-sized device which skims RFID cards, allowing users to clone items such as access cards.

The security professionals plan to discuss their hardware at Black Hat USA in Las Vegas next week, and will also distribute 200 BLEKeys before releasing the device's design online.

"Over the years, we have seen research pointing to deficiencies in every aspect of access control systems: the cards, the readers, and the backend," the researchers said. "Yet, despite these revelations, there has been no meaningful change in their design or reduction in use around the world."

BLEKey is open-source hardware designed to be embedded within an RFID reader, the small device which you swipe to access everything from offices to hotel rooms. The hardware exploits vulnerabilities within the Wiegand communication protocol to copy and clone RFID cards.

The Wiegand system is used to send ID data from third-party devices to an RF reader, using both signals and TCP/IP protocols when users attempt to open doors. The protocol is the most common standard in use by today's access control systems.

Once the data has been logged, up to 1,500 cards can be stored and sent in one go to a cell phone or PC using Bluetooth. Not only this, but a tampered RFID reader can be remotely locked for up to two minutes after a cloned card has been used to open the door, potentially to prevent security from tailing intruders.
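As an added illustration (not part of the original article, and not the researchers' BLEKey code), here is a decoder for the common 26-bit Wiegand frame, a format the article itself does not describe; the field layout and parity rules are the widely documented 26-bit (H10301-style) convention, assumed here, and the sample facility code and card number are constructed. It shows why the protocol offers no real protection: the frame is nothing more than the facility code and card number plus two parity bits, with no secret, nonce or authentication, so a copy of the bits is a copy of the credential.

```python
"""Decode and validate a 26-bit Wiegand frame (assumed standard H10301 layout).

Bit layout, most significant bit first:
  bit 0       : even parity over bits 1..12
  bits 1..8   : 8-bit facility code
  bits 9..24  : 16-bit card number
  bit 25      : odd parity over bits 13..24
There is no key, nonce or MAC anywhere in the frame; the only integrity
check is parity, which protects against line noise, not against an
attacker. Controllers that need a protected reader link use OSDP with
Secure Channel instead of Wiegand.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    facility_code: int  # 0..255
    card_number: int    # 0..65535


def encode_wiegand26(cred: Credential) -> str:
    """Build the 26-bit frame for a credential (used here to make test data)."""
    if not (0 <= cred.facility_code < 256 and 0 <= cred.card_number < 65536):
        raise ValueError("values out of range for the 26-bit format")
    payload = f"{cred.facility_code:08b}{cred.card_number:016b}"  # 24 bits
    left, right = payload[:12], payload[12:]
    even_bit = str(left.count("1") % 2)          # makes bits 0..12 even
    odd_bit = str((right.count("1") + 1) % 2)    # makes bits 13..25 odd
    return even_bit + payload + odd_bit


def decode_wiegand26(bits: str) -> Credential:
    """Check both parity bits, then recover the plaintext credential fields."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected a string of 26 '0'/'1' characters")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("even parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("odd parity check failed")
    return Credential(facility_code=int(bits[1:9], 2),
                      card_number=int(bits[9:25], 2))


def frame_is_valid(bits: str) -> bool:
    """True if the frame parses and both parity bits are consistent."""
    try:
        decode_wiegand26(bits)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = encode_wiegand26(Credential(42, 1337))  # constructed sample
    print(sample, decode_wiegand26(sample))
```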


The Black Hat demo will include the results of a test in which the researchers attempted to break into buildings using the open-source hardware.

The team says the release of the tool is "valuable for understanding the risks associated with insecure access controls and what steps companies can take to lower the risk of access control attacks."

Ultimately, the team wishes to prove the Wiegand communication protocol is outdated, archaic and should be retired from common use -- and the cards which use this protocol, such as HID proximity cards, should become extinct.

In an interview with Motherboard, Baseggio commented:

"We wanted to create a device that would concretely and absolutely show and hopefully put the final nail in the coffin that is HID prox and Wiegand. These devices are no more secure than a standard key."
