In our second episode of Technology Time Out, we examine how stealthy a hack attack can be by creating an RFID hacking device that can wirelessly and silently steal data from 3 feet away. Our information security team presented this demonstration at the BankWorld conference at Mohegan Sun in Connecticut on January 23, 2015. Information Security Director, Nate Gravel and Senior Security Consultant, Mike Kannan aimed to prove how RFID security systems are not as safe as is commonly believed.
Radio-Frequency Identification (RFID)
First off, what exactly is a RFID? You probably use one for work, your home, your gym etc.. RFID stands for Radio-Frequency Identification and is the use of radio waves to read and capture information stored on a tag attached to an object. A tag can be read from up to several feet away and does not need to be within direct line-of-sight of the reader to be tracked.
Many companies will use Radio-Frequency Identification devices to protect their exterior doors to their companies or other sensitive information such as computer servers.
3 Different Types of Frequencies:
Ultra High (UHF)
Between 70-80% of all physical access RFID devices in US use low frequency. However, low frequency RFID has been hacked and is insecure. Our hacking device aims to prove how easy it is for a low frequency RFID to become target to a hack attack.
RFID Hacking Device
For our silent hack attack security demonstration, we wanted to show how easy it is to steal sensitive information from one of these RFID devices. By simply passing by someone, we were able to steal their data, and create a new card with the stolen information. The RFID hacking device that Nate and Mike created was modeled after BishopFox.com’s hacking tool guide entitled “Tastic RFID Thief”. The device captures RFID data from an RFID card wirelessly from approximately 3 feet away. The data is then stored on a microSD card built into the HID MaxProx device, which is an antenna. This is then transferred to a computer and copied onto a re-writeable RFID card using a tool called the ProxMark3, in essence effectively creating an exact duplicate of the card that was stolen silently and wirelessly.
The potential for this type of attack is high especially when dealing with low frequency RFID’s. By demonstrating the simplicity of creating one of these hacking devices, we hope business’ understand the potential for a silent attack. Silent hack attacks can happen in the blink of an eye and without you even knowing which is why it is imperative that you protect your data and offices from these types of attacks. GraVoc’s information security team aims to prevent breaches such as an RFID attack from happening to you or your business. Our information security practice offers an array of IT Assurance services, including external penetration testing, internal vulnerability assessment, and risk assessment. To learn more about these services and how your company could benefit from them, click the link below to check out our practice
6 Tips to Prevent RFID Attacks
Below are a few recommendations that you can do to help decrease the threat of a possible RFID attack.
- Do not wear your RFID card in plain view. If your ID card is an RFID card, we would consider using two separate cards.
- Use RFID shield wallet cards.
- Monitor access with cameras.
- Use a two-factor authentication such as an RFID card + keypad, lock/key, etc.
- Upgrade RFID systems to use more secure protocols. (i.e higher frequency)
- Enhance testing methodologies to incorporate physical security with vulnerability assessments and social engineering.
GraVoc Security Consultant, Josh Jenkins, shows you the Art of Website Cloning and how hackers can clone websites for their own malicious purposes.
In our second episode of How Do Hackers Do Things, GraVoc Security Consultant, Josh, shows you how hackers harvest email addresses for malicious purposes.
The New York State Department of Financial Services (DFS) released guidance on a cyber fraud campaign targeting websites that collect non-public information (NPI).