Hack Demo Videos:

RFID Cloning With Proxmark

22 Oct 2013

Hi there, today we’re looking at Radio Frequency Identification and how you can mess around with and clone people’s access passes. I’m sure many of you now get into your offices and organisations using access passes a bit like this [holds up example pass card].

What I want to show you is a cool little tool called Proxmark, developed by a guy called Jonathan Westhues and then taken a lot further by others. Here it is: simple and available online if you Google Proxmark3. For about $400 you buy the kit ready to go, or if you’re good with a soldering iron you can do it yourself.

What I’ve done is connected it to my laptop, so you can see what’s going on. Usually I’d just run it from a USB battery pack which I’d slip in my pocket, run the cables down my sleeve and put the aerial here into the palm of my hand. This means I can quite easily get close to someone and snaffle their card details.

The first thing I need to do is start it going, we’ve got it in record mode, I’ve got a pass, we get close to it, and it records. It really is that easy. Now, I had to get within 3-4 centimetres to get a good reading, so the downside is that you need to get really close to people to get a reading. OK, so we’ve recorded and stored the card value, all we have to do is play it back. Simple as. You can see we are now playing back the value from this card from this antenna. I could go up to the access controller and “beep” it would work. If you think about most security guards, if you’re dressed right and the door goes “beep” you must be OK to get in.

Now it could be that I was unlucky, and I followed someone from the office who didn’t have much access. Well, there’s a cool tool here called ProxBrute, written by a guy from Foundstone. He wrote a brute forcer that decrements the key value. Using this you can see that I’m now iterating the hex value downwards, and because we understand that most of these cards are issued in sequential batches we’ve got a good chance of stumbling on a card value that has high levels of access, meaning that it will let us into places I want to go, like the server room.
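The sequential-batch behaviour described above is also what a defender can key on: a decrementing brute force shows up in the access-controller log as a burst of reads at one reader whose card numbers step by one in a constant direction. The following is an added example, not part of the original video and not code from the Proxmark or ProxBrute projects. The log format, reader names, card values and thresholds are all constructed for the illustration.

```python
"""Detect sequential card-number probing in an access-controller log.

Added example (not from the video or the Proxmark/ProxBrute tools).
Assumption: the controller logs one line per read as
"timestamp reader card_hex result". All sample data below is constructed.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts reader card result")
Alert = namedtuple("Alert", "reader start end count direction granted_cards")

# Constructed sample log: a normal read at door-3, then five reads at the
# server-room reader a few seconds apart with the card value stepping down
# by one each time until one value is accepted.
SAMPLE_LOG = """\
2013-10-22T09:00:01 door-3 0x1F3A7C granted
2013-10-22T09:14:10 server-room 0x1F3A7C denied
2013-10-22T09:14:13 server-room 0x1F3A7B denied
2013-10-22T09:14:16 server-room 0x1F3A7A denied
2013-10-22T09:14:19 server-room 0x1F3A79 denied
2013-10-22T09:14:22 server-room 0x1F3A78 granted
2013-10-22T09:20:00 door-3 0x2C0011 granted
"""


def parse_log(text):
    """Turn the constructed log format into Event tuples (card as an int)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, reader, card, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), reader, int(card, 16), result))
    return events


def find_sequential_probing(events, min_run=4, max_gap=timedelta(seconds=60)):
    """Return an Alert for every run of >= min_run reads at one reader where
    each card value differs from the previous one by exactly +1 or -1, in a
    consistent direction, and consecutive reads are no more than max_gap apart.
    """
    by_reader = defaultdict(list)
    for ev in events:
        by_reader[ev.reader].append(ev)

    alerts = []
    for reader, evs in by_reader.items():
        evs.sort(key=lambda e: e.ts)
        i = 0
        while i < len(evs):
            j = i
            direction = 0
            # Extend the run while the next read continues the +1/-1 walk.
            while j + 1 < len(evs):
                delta = evs[j + 1].card - evs[j].card
                if delta not in (-1, 1):
                    break
                if direction and delta != direction:
                    break
                if evs[j + 1].ts - evs[j].ts > max_gap:
                    break
                direction = delta
                j += 1
            run = evs[i:j + 1]
            if len(run) >= min_run:
                # Record which values in the run were accepted: a "granted"
                # inside a probing run means the walk reached a valid card.
                granted = [e.card for e in run if e.result == "granted"]
                alerts.append(Alert(reader, run[0].ts, run[-1].ts, len(run), direction, granted))
            i = j + 1
    return alerts


def format_alert(a):
    """Human-readable one-liner for a console or SIEM forwarder."""
    hits = ", ".join(f"0x{c:X}" for c in a.granted_cards) or "none"
    trend = "decrementing" if a.direction < 0 else "incrementing"
    return (f"[ALERT] {a.reader}: {a.count} {trend} card reads between "
            f"{a.start.isoformat()} and {a.end.isoformat()}; granted: {hits}")


if __name__ == "__main__":
    for alert in find_sequential_probing(parse_log(SAMPLE_LOG)):
        print(format_alert(alert))
```

The detector groups reads per reader, so an organisation-wide sweep would need the same logic run across readers too; `min_run` and `max_gap` are the knobs to tune against the false-positive rate of legitimately adjacent cards (colleagues issued from the same batch badging in one after another).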

Another problem with Proxmark is that you have to get too close to get a reading without being easily found out. Here’s an example: I was on the tube coming back from London and I found a nice easy badge to clone [photograph on monitor]. It was hanging off his rucksack and I could have cloned it, but I could just as easily have stolen it. Most people keep their cards in wallets in their back pockets, and you’re going to look pretty weird going for that.

To show how to get around that, a guy called Fran Brown did an interesting presentation at DefCon 21. He took a HID reader and modified it with a battery pack to get readings from a much greater distance. You could get a reading from something in a satchel from 2-3 feet away, which means you don’t have to go around hugging people in order to read their cards.

If you’re a bit paranoid and concerned about this, there are things you can do. You can buy RF shielded containers; this is a pass holder, and it’s shielded. All I have to do is slip my pass in there and all of a sudden no reader can grab it. You might be worried about your credit cards, and this is an RF shielded wallet, or for passports you can get passport wallets too, with a foil lining to stop them being read.

Hope you enjoyed it, thank you.