+

Cookies on the Business Insider India website

Business Insider India has updated its Privacy and Cookie policy. We use cookies to ensure that we give you the better experience on our website. If you continue without changing your settings, we\'ll assume that you are happy to receive all cookies on the Business Insider India website. However, you can change your cookie setting at any time by clicking on our Cookie Policy at any time. You can also see our Privacy Policy.

Close
HomeQuizzoneWhatsappShare Flash Reads
 

Hackers can break into just about any office with electronics bought on Amazon

May 2, 2016, 20:21 IST

Chris Snyder/Tech Insider

Hackers can break into just about any office using a device that will steal the data from the employee badge sitting right on your belt.

Advertisement

That's just what white hat hackers from RedTeam Security demonstrated for us as we followed them during a security test of a power company in the Midwest. While the team started out using lock picks and jumping fences, they eventually were able to walk right into doors with badges they had cloned.

The hackers got those badges with nothing more than roughly $700 worth of equipment that steals badge data, along with some ingenious ways of getting it near targeted employees.

"Yeah we got the big, long range reader from Amazon," said Matt Grandy, security consultant for RedTeam Security. "They're also all over on eBay."

Grandy was referencing a badge reader that can be carried around in a bag, grabbing card data from up to three feet away. If it's positioned close enough to a badge, the approximately $350 device reads the badge info off the card and stores it on a microSD card.

Advertisement

RedTeam exploited a well-known issue with RFID, or radio-frequency identification, which is a common method many organizations use to give employees access to facilities. Employees typically hold up their RFID-coded badges to an electronic reader outside a door, which then tells the door, "Hey, let this person in."

The problem is that much of the time, that data is sent in the clear without encryption, giving hackers an opportunity to snatch the data right off an employee's card so they can clone it for their own purposes.

In order to get close to an employee, RedTeam came up with a number of possible methods, such as hanging around the company's smoking area with other employees, or social engineering their way inside under false pretenses. Security consultant Kurt Muhl went with the latter, pretending to be a college student and arranging a tour of the company's facility by one of its employees.

During his tour, Muhl carried what looked like a black laptop bag, which housed the RFID reader that eventually grabbed the employee's badge out of thin air. Once he had the badge data, all Muhl had to do was take out the memory card and plug it into a computer with a $300 device called a Proxmark, which takes that data and writes it to a new card.

Kurt Muhl carrying his RFID scannerPaul Szoldra/Tech Insider

Advertisement

"Basically, if the card gets close enough to a card reader, it just starts yelling out its ones and zeroes," Francis Brown, managing partner at security firm Bishop Fox, told eWeek.

Fortunately, there is at least some protection from this type of attack. The cheapest option would be to use a sleeve for cards that blocks RFID signals from going out, but the best option is to use a more sophisticated system that doesn't have everything a hacker needs right on the badge.

NOW WATCH: Hackers showed us how to break into the grid - and it was shockingly easy

Please enable Javascript to watch this video
You are subscribed to notifications!
Looks like you've blocked notifications!
Next Article