Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

No building access card? No problem if you have new Def Con tools

Jeremy Kirk | July 29, 2015
RFID card access systems are used by most companies to let people into their buildings. But over the last few years, researchers have shown how these systems can be easily bypassed.

Once inside a building, an attacker needs to plant a backdoor in order to harvest network data. There are a variety of ways to do this.

For example, in an episode of Mr. Robot, an intruder removes a panel from a climate control system and wires in a Raspberry Pi. It's a bit of a fiddly job, though: He has to remove a panel from the climate control system, snip an Ethernet cable and wire in the mini-computer.

A company called the Pwnie Express had an easier solution. It made a device that looks like a power strip but on the inside contains a Raspberry Pi complete with a penetration testing toolkit. The device, however, costed US$2,000 and has since been discontinued.

At Def Con, Brown said he will release a 3-D printable file that will let penetration testers print out their own high-quality shell of a power strip customized to hold a Raspberry Pi. The design will be released here after Brown's presentation on Aug. 9.

The cost of printing the power strip is about $5, and a Raspberry Pi costs just $35, dramatically bringing down the cost of a very stealthy tool. It's a permanent backdoor that just needs to be plugged into an Ethernet port.

"Once I physically break into a building, I leave it behind somewhere like in an empty cube or an empty conference room plugged into their internal network," Brown said. "It looks like something completely harmless."

Bishop Fox has a page on their website with the full range of RFID hacking tools and software they've developed over the years.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.