It’s shockingly easy for hackers to remotely scan and clone your work security badge

“Uh, yes, I totally belong here.”

Image: tassapon/Getty Images

You’re riding the subway to work, or taking a smoke break outside the office, or simply strolling down the street. Someone with a backpack is standing nearby, but you think nothing of it.

Thirty seconds later that very same someone has a cloned hard copy of your work ID badge, ready to stroll right into your office. 

This is not only possible, but “very simple” according to security researcher Dennis Maldonado. Maldonado, the founder of Houston Area Hackers Anonymous and an Adversarial Engineer at pen-testing company Lares Consulting, was speaking to a packed house of hackers at the 25th annual DEF CON in Las Vegas on Thursday.

“In seconds you steal someone’s badge, have a complete copy, and you walk into the building.”

And they were very receptive. 

“I’m going to assume everyone here is legit — is a pen tester, not a black hat,” Maldonado said to laughs as he showed off a custom system he built to remotely copy and clone RFID tags. 

While you may not know what an RFID tag is, chances are you’ve used one. You may even have one in your pocket right now. Put simply, radio-frequency identification (RFID) is a means of using electromagnetic waves to track and identify specific tags. The tags are frequently embedded in company ID cards, and employees — especially in the tech industry — have become accustomed to tapping those cards against readers to unlock office doors. 

They’re digital keys, albeit keys that are extremely easy to copy — even from a distance. 

A slide from Maldonado’s talk showing where you might find a legit remote RFID scanner.

Image: Jack Morse/mashable

Maldonado proceeded to demonstrate a rig that would allow an attacker to remotely scan a card, from a distance of approximately 2 feet, and then send that data to a cloning machine (up to 30 feet away) which would then automatically write the card. 

He even made the setup user-friendly, developing an Android app that syncs to a Pebble watch and notifies him with a chime when his read of the target card was good. And, because standing two feet away from someone is a normal thing to do in elevators and subway cars, the victim would presumably never be the wiser.

“You don’t have to go up to someone and touch their butt to get a card read,” he noted — shortly before observing out loud that someone was trying to break into his network mid-talk (it’s that kind of conference). 

The basic technology he used is readily available for purchase on eBay, and he told the crowd that he had already posted his code to GitHub. If you don’t want to throw down the cash? Well, Maldonado pointed out that the remote RFID-scanning tech is all around us, like in parking garages, but he cautioned the hackers in attendance: “Don’t go stealing those.”

Which, well, that may have been the only part of his talk the crowd didn’t seem too interested in hearing. 

“In seconds you steal someone’s badge, have a complete copy, and you walk into the building,” he told those gathered. For the attendees of DEF CON, Maldonado’s statement may have sounded like a challenge. For anyone who uses an RFID tag to badge into their office or home? They should take it as a warning. 
