RFID tag skimming — breaching restricted areas.

RFID tag skimming can enhance the effectiveness of your penetration test by duplicating the credentials of workers with access to the building.

For those who do not know, RFID tags are a common component of modern credit cards, public transport systems and anti-shoplifting markers. RFID tags can be electronically duplicated with easily acquired equipment sourced from the internet.

Example RFID tag skimmer

With a properly constructed and prepared RFID skimming tool, the pen tester can copy nearby RFID tags embedded in security passes. The best way to do this is to wait in a neutral location near the objective where outsiders intermingle with workers. Examples of ideal locations are nearby coffee shops, eateries, parks with shared benches and tables and spots where smokers congregate.

By waiting at such a spot with a pretense — reading a magazine, smoking or eating food, the pen tester can wait for suitable targets who take a seat adjacent to them. Good spots give you access to the back and side of the target, and you should position yourself within short range so you are not mistaken for a thief or pickpocket. Remember to dress in non confrontational and location appropriate dress, such as business casual. The best RFID tags are located on the target’s hip, belt or waist.

With the device, you can make a copy of a valid RFID tag and use it to pass entry gates, operate locked elevators and gain access to restricted areas.

Example of the skimming process

When suggesting solutions to the client in regard to RFID tag skimming, I would suggest:

1. Mandate a body location to wear RFID embedded identification, preferably the chest, to prevent illicit access from the side or waist.

2. The distribution of RFID blocking sleeves, which are cheap and readily available. Encouraging employees to cover the Pass when outside business premises may reduce skimming.

3. The requirement of a different RFID pass for each sensitive area (i.e entry, offices, storerooms) to complicate the collection of RFID data.

4. The training of staff to promptly report visitors with incorrect passes to security. Training security to challenge the bona fides of any intruder and then to accompany them while their identification is validated or they are passed on to the police for trespassing.

5. Familiarise staff and security with the concept of RFID skimming, so they are aware of the equipment and processes involved and will report suspicious behaviour.

6. The discouragement of loitering around RFID machinery to prevent tampering or recording of the authentication process.

7. The obscuring and prevention of visual observation of the security processes around the entry area.

Being aware of techniques like RFID scanning will help develop your security mindedness and bolster your defences. Technological security solutions should always be supplemented with awareness of exploitable vulnerabilities and strategies.

This mindset is the core philosophy of HERT.