Hackers looking to break into companies could do so with the help of a $350 device that can be purchased online from Amazon or eBay, new research shows. By taking advantage of the way most employee ID badges work, hackers could simply manufacture counterfeit access cards that would work just like the original badges.
Researchers from RedTeam Security showed Tech Insider how easily it is to clone an access card belonging to any employee by simply roaming around. The hackers did not have to steal personal information belonging to that person and instead used a much simpler trick.
Using a particular device that costs just $350, researchers pretended to visit a target company. “[We] got the big, long range reader from Amazon,” RedTeam Security consultant Matt Grandy said. “They’re also all over on eBay.”
The attacker, posing as a student who requested a tour, carried the gadget in a seemingly harmless laptop bag that intercepted the unencrypted communication that takes place between an access card the moment it approaches a target. These work IDs use radio-frequency identification (RFID) to talk to doors and unlock them. Unfortunately, the data traffic isn’t protected by encryption, which means that it can be picked up by intrepid hackers armed with this device.
Purchased from Amazon, the portable RFID badge reader can grab card data up to three feet away. When positioned close enough to a target, the device grabs the data from the card who’s trying to communicate with it and writes it on a microSD card. That means malicious individuals simply have to find a reason to be in the vicinity of a known employee to try to grab his or her credentials.
The data is then transferred to a computer, where a $300 device called a Proxmark can write it on a fake employee badge. Using the manufactured card, hackers can then access any doors that badge is allowed to open.
There are ways that companies and employees can protect themselves against such attacks. One of them is using encryption to protect RFID data. The other one is using RFID-blocking sleeves for access cards – you can purchase them on Amazon at this link.