In our second episode of Technology Time Out, we examine how stealthy a silent hack attack can be by creating an RFID hacking device that can wirelessly and silently steal data from 3 feet away. GraVoc Associates Inc.’s information security team recently attended BankWorld at Mohegan Sun on January 23, 2015. Our director and senior security consultant, Nate Gravel and Mike Kannan, presented an RFID hacking device that aimed to prove RFID security systems are not as safe as is commonly believed.

Radio-Frequency Identification (RFID)

First off, what exactly is RFID? You probably use it for work. RFID stands for Radio-Frequency Identification and is the use of radio waves to read and capture information stored on a tag attached to an object. A tag can be read from up to several feet away and does not need to be within direct line-of-sight of the reader to be tracked.

Many companies use Radio-Frequency Identification devices to protect the exterior doors of their buildings or other sensitive assets such as computer servers.

3 Different Types of Frequencies: Low (LF) | High (HF) | Ultra-High (UHF)

Between 70-80% of all physical access RFID devices in the US use low frequency. However, low frequency RFID has been hacked and is insecure. Our hacking device aims to prove how easy it is for a low frequency RFID to become the target of a hack attack.


RFID Hacking Device

For our silent hack attack security demonstration, we wanted to show how easy it is to steal sensitive information from one of these RFID devices. By simply passing by someone, we were able to steal their data, and create a new card with the stolen information.

The RFID hacking device that Nate and Mike created was modeled after BishopFox.com’s hacking tool guide entitled “Tastic RFID Thief”. The device captures RFID data from an RFID card wirelessly from approximately 3 feet away. The data is then stored on a microSD card built into the HID MaxiProx device, which is an antenna. This is then transferred to a computer and copied onto a re-writeable RFID card using a tool called the Proxmark3, effectively creating an exact duplicate of the card that was stolen silently and wirelessly.

The potential for this type of attack is high, especially when dealing with low frequency RFID. By demonstrating the simplicity of creating one of these hacking devices, we hope businesses understand the potential for a silent attack.

Silent hack attacks can happen in the blink of an eye and without you even knowing, which is why it is imperative that you protect your data and offices from these types of attacks. GraVoc’s information security team aims to prevent breaches such as an RFID attack from happening to you or your business. Our information security practice offers an array of IT Assurance services, including external penetration testing, internal vulnerability assessment, and risk assessment. To learn more about these services and how your company could benefit from them, click the link below to check out our practice.

 

IT Assurance Services

 

“Don’t forget physical security. Not all data thefts happen online. Criminals will tamper with computers or payment terminals or steal boxes of printouts” – Executive summary to 2014 Data Breach Investigations Report – Verizon


6 Tips to Prevent RFID Attacks

Below are a few recommendations that you can follow to help decrease the threat of a possible RFID attack.

  • Do not wear your RFID card in plain view. If your ID card is an RFID card, consider using two separate cards.
  • Use RFID shield wallet cards.
  • Monitor access with cameras.
  • Use a two-factor authentication such as an RFID card + keypad, lock/key, etc.
  • Upgrade RFID systems to use more secure protocols (i.e., higher frequency).
  • Enhance testing methodologies to incorporate physical security with vulnerability assessments and social engineering.
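
Why the protocol upgrade in the list above matters, shown as an added example that is not part of the original presentation or GraVoc's tooling: a simplified Python model that assumes a low-frequency card transmits the same fixed identifier on every read, compared with a hypothetical card that answers a fresh reader challenge using a secret key. The class names, card ID and key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for illustration; not real credentials.
STATIC_CARD_ID = bytes.fromhex("2004a1b3c7")
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


class StaticIdCard:
    """Assumed model: the card sends the same identifier on every read."""
    def __init__(self, card_id):
        self.card_id = card_id

    def respond(self, challenge):
        return self.card_id  # any challenge is ignored


class ChallengeResponseCard:
    """Hypothetical card that holds a secret key and answers a fresh challenge."""
    def __init__(self, key):
        self._key = key

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def static_reader_accepts(transmission, enrolled_id=STATIC_CARD_ID):
    # The reader can only compare what it hears against the enrolled ID.
    return hmac.compare_digest(transmission, enrolled_id)


def cr_reader_accepts(challenge, response, key=CARD_KEY):
    # The reader recomputes the answer for the challenge it just issued.
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)


def replay_outcomes():
    """Record one legitimate read per card type, then present the recording later."""
    # Static card: the recording is everything the reader ever checks.
    recorded_static = StaticIdCard(STATIC_CARD_ID).respond(b"")
    static_replay_ok = static_reader_accepts(recorded_static)
    # Challenge-response card: the recording is bound to one session's challenge.
    old_challenge = secrets.token_bytes(16)
    recorded = ChallengeResponseCard(CARD_KEY).respond(old_challenge)
    legit_ok = cr_reader_accepts(old_challenge, recorded)
    cr_replay_ok = cr_reader_accepts(secrets.token_bytes(16), recorded)
    return static_replay_ok, legit_ok, cr_replay_ok


if __name__ == "__main__":
    print(replay_outcomes())
```

A recorded static transmission is accepted again, while a recorded challenge-response answer is rejected once the reader issues a new challenge, which is the property to ask for when evaluating replacement card systems.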

Click the link below to view our presentation from BankWorld 2015 

View Presentation
