However, these most common access control systems are incredibly easy to hack — and now more than ever before. Thanks to a $10 tiny device developed by two security researchers that can easily circumvent these RFID cards.
Dubbed BLEkey or Bluetooth Low Energy device is a tiny little device designed to be embedded in an RFID card reader, a small box you swipe or touch your card to open doors.
BLEkey exploits a vulnerability in the Wiegand communication protocol used by the majority of RFID card readers today in order to clone and skim your RFID-equipped cards.
Grab your BLEkey for Just $10
Mark Baseggio from security firm Accuvant and Eric Evenchick from Faraday Future who developed BLEkey are going to present their findings at next week's Black Hat security conference in Las Vegas, where the duo will also distribute first 200 BLEkeys for just $10 each.
The idea behind BLEkey is to aware technologies such as HID proximity cards, which distribute access cards used by majority of offices and buildings all over the world, as well as show that Wiegand protocol is inherently outdated and shouldn't be used anymore.
According to the researchers, BLEkey can be installed in less than two minutes and is capable to store data from more than 1,500 RFID cards, which can then be downloaded to a mobile phone via Bluetooth to clone the cards.
Now, these cloned cards can be used by hackers to gain physical access to sensitive areas, like a data center or check printing room.
Also, the tiny device also offers some unique functionality, such as disabling the card reader for two minutes after the intruder opens a door using cloned card.
Researchers estimate that around 80 percent of office buildings still use vulnerable RFID readers for physical access control.
Meanwhile the businesses replace these vulnerable systems with the more secure technologies, Baseggio suggested building to:
- Enable tamper switches to detect if someone has messed with the card readers
- Install a camera on the card readers to capture the photograph of an intruder
These are just temporary solutions that could be made it possible to see who used a cloned card, although it does not solve the root issue.
The duo will release the hardware design and source code of BLEkey online after their talk in Las Vegas next week. Their findings not only raises awareness among security professionals but also inspires manufacturers to develop the more secure technology.