Over the years, we have had great success using a long-range RFID reader and the Proxmark3 on onsite social engineering engagements for quite a few clients. Then we had the idea of building an RFID skimmer, but we ran into a few issues:
- Making it automated
- Making it convincing
- Solving the RFID interference problem
What is RFID?
RFID (radio-frequency identification) is a wireless identification system. It has a ton of uses, such as supply-chain visibility, asset tracking, access control, and more.
RFID Security Testing
Some of the RFID attack tools currently used in social engineering engagements are:
- Bishop Fox (long-range reader)
- BLEKey / ESPKey
Each of these has its own pros and cons; none of them is bad, and each works in its own way. This post isn't meant to deter you from using these existing tools.
RFID-enabled doors are becoming the norm for building access. We didn't want to touch the reader wiring the way a BLEKey/ESPKey install does, but we needed something quick and inconspicuous. We also wanted to eliminate employee interaction, since sometimes we're unable to get near a badge or the project timeframe is short. At times the physical interaction had to be just right, or an employee would become suspicious and tip off management. The whole project started with an idea and the drive to make it work.
Of the main issues, solving RFID interference was the one that would make or break the project. When two RFID readers come within range of each other, they create a reader-to-reader collision (see diagram below).
If there were a way to remotely cut power to the building's RFID reader, the collision would stop and the skimmer could read an unsuspecting employee's badge. After a month or so of research, we found a component called the "USB PowerControl board" from SwitchDoc Labs. This inline USB board is a USB-to-USB solid-state relay that can be switched through a control-line input.
RFID Skim Job Set-Up
The project went through multiple iterations of trial and error. The following images show the proof-of-concept (POC) setup and the current iteration of the project:
The components used to build the Skim Job project are:
- Raspberry Pi Zero (wireless)
- USB PowerControl Board
- Proxmark3 RDv2
- Lithium-ion polymer battery, 3.7 V 2500 mAh
- Adafruit PowerBoost 500
- Polycase cover
- Custom wound antenna
- Misc connectors/wires
All components can be bought for around $200.
How Does The RFID Skimmer Work?
Initially, the project started as a few simple Bash scripts thrown together for a proof of concept. Eventually it was rewritten in Python (thanks, Wes), and the scripts are available on White Oak's GitHub page. A more in-depth, full walk-through of setting up and running the Skim Job project is given in this recorded webinar.
Skim Job Review
The purpose of revealing this project to the public was to shine a light on the security issues RFID technologies face today, and to further the project by having like-minded individuals introduce new functionality and features and improve the overall design. Skim Job was created because the onsite social engineering engagements we were performing either had a short timeframe or made it very difficult to get close enough to an employee's badge, so we did our thing: took the idea and built something. Let us know how you think we can improve it even further.
White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.