In our second episode of Technology Time Out, we examine how stealthy a silent hack attack can be by building an RFID hacking device that can wirelessly and silently steal data from 3 feet away. GraVoc Associates Inc.'s information security team recently attended BankWorld at Mohegan Sun on January 23, 2015. The team's director and senior security consultant, Nate Gravel and Mike Kannan, presented an RFID hacking device that aimed to prove RFID security systems are not as safe as is commonly believed.
Radio-Frequency Identification (RFID)
First off, what exactly is RFID? You probably use it for work. RFID stands for Radio-Frequency Identification: the use of radio waves to read and capture information stored on a tag attached to an object. A tag can be read from up to several feet away and does not need to be within direct line-of-sight of the reader to be tracked.
Many companies use Radio-Frequency Identification devices to control access to their exterior doors and to sensitive assets such as computer servers.
3 Different Types of Frequencies: Low (LF) | High (HF) | Ultra-High (UHF)
Between 70-80% of all physical access RFID devices in the US use low frequency. However, low frequency RFID has already been hacked and is insecure. Our hacking device aims to show how easily a low frequency RFID card can become the target of an attack.
RFID Hacking Device
For our silent hack attack security demonstration, we wanted to show how easy it is to steal sensitive information from one of these RFID devices. By simply passing by someone, we were able to steal their card data and create a new card with the stolen information.
The RFID hacking device that Nate and Mike created was modeled after BishopFox.com's hacking tool guide entitled "Tastic RFID Thief". The device captures data from an RFID card wirelessly from approximately 3 feet away. The data is then stored on a microSD card built into the HID MaxiProx device, which is a long-range antenna. The stored data is transferred to a computer and copied onto a re-writeable RFID card using a tool called the Proxmark3, in effect creating an exact duplicate of the card whose data was stolen silently and wirelessly.
The potential for this type of attack is high, especially when dealing with low frequency RFIDs. By demonstrating the simplicity of creating one of these hacking devices, we hope businesses understand the potential for a silent attack.
Silent hack attacks can happen in the blink of an eye and without you even knowing, which is why it is imperative that you protect your data and offices from these types of attacks. GraVoc's information security team aims to prevent breaches such as an RFID attack from happening to you or your business. Our information security practice offers an array of IT Assurance services, including external penetration testing, internal vulnerability assessment, and risk assessment. To learn more about these services and how your company could benefit from them, click the link below to check out our practice.
"Don't forget physical security. Not all data thefts happen online. Criminals will tamper with computers or payment terminals or steal boxes of printouts" – Executive summary to 2014 Data Breach Investigations Report – Verizon
6 Tips to Prevent RFID Attacks
Below are a few recommendations that can help decrease the threat of a possible RFID attack.
- Do not wear your RFID card in plain view. If your ID card is an RFID card, we would consider using two separate cards.
- Use RFID shield wallet cards.
- Monitor access with cameras.
- Use two-factor authentication, such as an RFID card + keypad, lock/key, etc.
- Upgrade RFID systems to use more secure protocols (i.e. higher frequency).
- Enhance testing methodologies to incorporate physical security with vulnerability assessments and social engineering.
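The tips above focus on prevention; a cloned low-frequency card is indistinguishable from the original at the reader, so detection has to come from the access-control logs instead. The following is an added example, not code from the GraVoc post or presentation, showing two log-level checks a defender can run: the same badge ID being granted at two readers faster than a person could walk between them (which means two physical cards now carry that ID), and a badge being used outside business hours. The log format, reader names, badge IDs, walking times and business hours are all constructed assumptions for the example.

```python
"""
Detect possible cloned-badge use from physical access-control logs.

Added example (not part of the GraVoc post). A cloned card presents the
same credential ID as the original, so the only log-level signals are
*where* and *when* that ID is used. Two checks are implemented:
  1. impossible travel: one badge granted at two readers closer in time
     than the minimum walking time between them;
  2. after-hours use: a grant outside a constructed business-hours window.
All log lines, reader names, badge IDs and timings below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: ISO timestamp, badge id, reader, result.
# Badge 1042 is granted at SERVER-ROOM and then at LOBBY-WEST 20 seconds
# later (constructed minimum walk: 120 s), and again at 22:14 at night.
SAMPLE_LOG = """\
2015-01-23T08:02:11 badge=1042 reader=LOBBY-EAST result=GRANTED
2015-01-23T08:03:15 badge=1042 reader=FLOOR2-STAIR result=GRANTED
2015-01-23T08:04:00 badge=1042 reader=SERVER-ROOM result=GRANTED
2015-01-23T08:04:20 badge=1042 reader=LOBBY-WEST result=GRANTED
2015-01-23T22:14:09 badge=1042 reader=SERVER-ROOM result=GRANTED
2015-01-23T09:10:00 badge=2210 reader=LOBBY-EAST result=GRANTED
2015-01-23T09:10:30 badge=2210 reader=LOBBY-EAST result=DENIED
"""

# Constructed minimum walking time in seconds between reader pairs.
# A pair missing from the table falls back to DEFAULT_TRAVEL_SECONDS.
MIN_TRAVEL_SECONDS = {
    frozenset({"LOBBY-EAST", "LOBBY-WEST"}): 90,
    frozenset({"SERVER-ROOM", "LOBBY-WEST"}): 120,
    frozenset({"SERVER-ROOM", "LOBBY-EAST"}): 60,
}
DEFAULT_TRAVEL_SECONDS = 30

# Constructed business hours (local time, hour values): 07:00 to 19:00.
BUSINESS_HOURS = (7, 19)


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        events.append({
            "time": datetime.fromisoformat(ts),
            "badge": kv["badge"],
            "reader": kv["reader"],
            "result": kv["result"],
        })
    return events


def find_impossible_travel(events, min_travel=MIN_TRAVEL_SECONDS,
                           default_seconds=DEFAULT_TRAVEL_SECONDS):
    """Return (badge, reader_a, reader_b, gap_seconds) for each pair of
    consecutive grants of one badge that is faster than the walking time."""
    by_badge = defaultdict(list)
    for event in events:
        if event["result"] == "GRANTED":
            by_badge[event["badge"]].append(event)

    alerts = []
    for badge, grants in by_badge.items():
        grants.sort(key=lambda e: e["time"])
        for prev, cur in zip(grants, grants[1:]):
            if prev["reader"] == cur["reader"]:
                continue  # re-badging the same door is not travel
            gap = (cur["time"] - prev["time"]).total_seconds()
            needed = min_travel.get(frozenset({prev["reader"], cur["reader"]}),
                                    default_seconds)
            if gap < needed:
                alerts.append((badge, prev["reader"], cur["reader"], gap))
    return alerts


def find_after_hours(events, hours=BUSINESS_HOURS):
    """Return (badge, reader, time) for every grant outside business hours."""
    start, end = hours
    return [(e["badge"], e["reader"], e["time"]) for e in events
            if e["result"] == "GRANTED" and not (start <= e["time"].hour < end)]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for badge, a, b, gap in find_impossible_travel(parsed):
        print(f"IMPOSSIBLE TRAVEL badge={badge} {a} -> {b} in {gap:.0f}s")
    for badge, reader, when in find_after_hours(parsed):
        print(f"AFTER HOURS badge={badge} reader={reader} at {when}")
```

Both checks only work against a baseline that the site owns: the walking-time table has to be built from the actual floor plan, and the hours window from real shift patterns, otherwise legitimate staff generate alerts. Pairing an alert with the camera footage the tips recommend is what turns "same badge, two places" into evidence of a second card.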
Click the link below to view our presentation from BankWorld 2015.