Entering your office building in the morning is generally an effortless task. Business operations continue uninterrupted throughout the day, on the understanding that the premises are secured by multiple layers of authorisation required for entry. These systems ensure that only select personnel may enter, with that trust typically represented by an access card, fob, or token associated with the individual. These small items grant the user what is highly sought after by any malicious attacker: privileged access.
These devices typically use Radio Frequency Identification (RFID), a form of contactless authentication which can permit or deny physical access to specific locations. RFID readers are usually located on the outside of a building, on a doorway, or within an elevator, and are used within most offices, as well as government buildings. To work correctly, an RFID reader has an antenna coiled inside it, which sends out radio signals searching for cards or devices that enter its range. Once inside this range, the RFID device is energised and responds with the device’s credentials, including a unique identifier. The reader then sends this information electronically to a command station, which indicates whether to approve or deny the user.
While other security measures are normally paired with this system (such as physical security, manually gated access, security cameras, or elevator restrictions to user access levels), the overall security of the organisation is only as strong as its weakest point. Malicious attackers will continuously look for holes within the overall security of an organisation. Focus is placed on elements in isolation, particularly on identifying any overlooked element, no matter how small. For example, an entry point with swipe card access but no additional security monitoring provides an opportunity to perform reconnaissance on the RFID system, as well as any additional requirements needed for entry.
Through observing door traffic, an attacker may identify a target who has access to an entry point of interest and make attempts to clone their card. This is not always a straightforward process and often requires multiple attempts. Due to the low first-time success rate, an attacker may have to loiter outside of the building and make attempts to clone multiple people’s cards. This increases the likelihood that physical security management and staff are able to thwart these cloning attempts as they are trained in identifying people who do not belong, or who are exhibiting abnormal behaviour. However, if an attacker is successful in cloning a card, they have gained privileged access.
Powered by a concealable battery, the card cloning device can capture and decode data, running a wireless access point for a secondary device to connect to. This secondary device attaches to a commercial card reader, allowing data to be written to a blank card. Once the device is turned on, it can pick up any RFID card within its range of approximately 0-40cm, depending on the strength of the signal. This makes card cloning difficult to detect, as physical proximity is standard in crowded places such as public transport, organised seating, and elevators. In addition, many people store their building passes in accessible areas, such as around their necks or on their hips, allowing for cloning to occur inconspicuously.
Alcorn Group’s Red Team methodology involves consultants simulating a malicious attacker, sometimes using this specific method to gain unauthorised access to the target organisation’s physical premises. One of our senior consultants has created a ‘weaponised’ RFID card reader, which allows RFID-enabled tokens to be wirelessly cloned in the field. This gadget, like others of its kind, can be used by security testing teams to assess a facility’s exposure to these sorts of attacks.
Multiple layers of physical security controls, as well as security awareness training, are key to ensuring your organisation can effectively prevent unauthorised physical access. To help all employees remain vigilant to security control weaknesses, they should be aware of the physical and environmental controls protecting their company’s premises. This should include awareness training on tailgating, as well as on vetting visitors and ensuring they are always escorted around the premises. It is important to layer security measures across all entry points of a premises by pairing active security cameras with all swipe access entry points. In addition, where active security patrols are adopted, these should follow a hard-to-predict patrol schedule. Additional training for physical security management and staff should involve awareness of this type of threat, as well as knowledge of procedures to follow in response to incidents of this nature reported to them. RFID blocking card holders are also a useful tool to deter malicious attackers from swiping valid credentials.