
Overview

The Tastic RFID Thief is a silent, long-range RFID reader that can steal the proximity badge information from an unsuspecting employee as they physically walk near this concealed device.  Specifically, it targets 125 kHz, low-frequency RFID badge systems used for physical security, such as those used in HID Prox and Indala Prox products.

 

Our goal is to make it easy for security professionals to re-create this tool so that they can perform RFID physical penetration tests and better demonstrate the risks posed by these technologies to their management.  The hope is that they can get up and running quickly, even if they don’t have an RFID or electrical engineering background.

 

Design

We used an Arduino microcontroller to weaponize a commercial RFID badge reader (the HID MaxiProx 5375AGN00 – bought on eBay) – effectively turning it into a custom, long-range RFID hacking tool.  This involved the creation of a small, portable PCB (designed in Fritzing) that can be inserted into almost any commercial RFID reader to steal badge info.

 

Note that this PCB can also be inserted into an Indala reader for testing Indala Prox deployments (e.g. Indala Long-Range Reader 620).  The PCB could even be used to weaponize a high-frequency (13.56 MHz) RFID reader, such as the iClass R90 Long Range reader.  The PCB can be inserted into any RFID reader that supports the standard Wiegand DATA0/DATA1 output (which is pretty much all of them).
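
To show why anything tapped at the Wiegand DATA0/DATA1 interface exposes the whole credential, here is an added example (not from the original page and not the Tastic RFID Thief firmware) that decodes one frame. It assumes the common 26-bit Wiegand layout, which the page does not specify; the function names and the sample frame are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (common 26-bit Wiegand format; the page names no bit format):
 *   bit 0       even parity over bits 0..12
 *   bits 1..8   facility code, bits 9..24 card number
 *   bit 25      odd parity over bits 13..25
 * A '0' is a pulse on DATA0, a '1' is a pulse on DATA1. */
enum { W26_OK = 0, W26_BAD_FRAME = -1, W26_BAD_PARITY = -2 };

typedef struct {
    uint8_t  facility;
    uint16_t card;
} wiegand26_t;

int wiegand26_decode(const char *pulses, wiegand26_t *out) {
    if (strlen(pulses) != 26) return W26_BAD_FRAME;
    int ones_first = 0, ones_last = 0;
    uint32_t data = 0;
    for (int i = 0; i < 26; i++) {
        if (pulses[i] != '0' && pulses[i] != '1') return W26_BAD_FRAME;
        int b = pulses[i] - '0';
        if (i < 13) ones_first += b; else ones_last += b;
        if (i >= 1 && i <= 24) data = (data << 1) | (uint32_t)b;
    }
    /* Parity only catches line noise. The frame has no nonce, counter or MAC,
     * so a badge produces the same 26 bits on every read. */
    if (ones_first % 2 != 0 || ones_last % 2 != 1) return W26_BAD_PARITY;
    out->facility = (uint8_t)(data >> 16);
    out->card = (uint16_t)(data & 0xFFFF);
    return W26_OK;
}

int main(void) {
    /* Constructed sample frame: facility 42, card 1234 (not a real badge). */
    const char *frame = "10010101000000100110100100";
    wiegand26_t badge;
    int rc = wiegand26_decode(frame, &badge);
    if (rc == W26_OK)
        printf("facility=%u card=%u\n", (unsigned)badge.facility, (unsigned)badge.card);
    else
        printf("decode error %d\n", rc);
    return rc == W26_OK ? 0 : 1;
}
```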

 

Tastic RFID Thief - Designed in Fritzing

 

The tool steals badge information silently, and conveniently saves it to a text file (CARDS.txt) on a microSD card for later use such as badge cloning.

 

Tastic RFID Thief - PCB Inputs and Outputs

 

This solution allowed us to read proximity cards from up to 3 feet away, making the stealthy approach an actual reality.  A typical attack would involve placing the weaponized reader into a messenger bag or backpack, walking by someone in line at the local Starbucks, and capturing the RFID badge info on their person.  A visualization of what the attack would look like is captured in the image below:

 

Visualization of the RFID stealing attack from up to 3 feet away.

 

Optimizing Read Range

Greater read distances can be achieved by reducing interference and providing clean, high voltage. For more details on improving read range, see the following resources:

 

Notes

Note: The design was compiled and loaded onto the Arduino Nano v3.0 using the Arduino v1.0.1 software with the added sdfatlib (05Dec2011) library to handle the microSD card writing.  See Arduino – Libraries for more info on adding additional Arduino libraries.

 

Note 2: Make sure to format the filesystem of the microSD card to FAT (not FAT32). This will require you to use a smaller size microSD card, 2GB or less.

 

A How-To Guide for Assembling:

Shubh.am-Guide to building the Tastic RFID Thief - 22Jun2014

 

Long Range Readers to Weaponize

The table below provides links to the 3 long-range RFID readers sold by HID Global that can be weaponized by the Tastic RFID Thief PCB. You can typically find all 3 available for purchase on eBay.

 

| RFID Product Family | Frequency | Long Range Reader | URL |
|---|---|---|---|
| HID Prox | Low Frequency | HID MaxiProx 5375 | https://www.hidglobal.com/products/readers/hid-proximity/5375 |
| Indala Prox | Low Frequency | Indala Long-Range Reader 620 | http://www.hidglobal.com/products/readers/indala/620 |
| iCLASS | High Frequency | iCLASS - R90 Long Range reader | http://www.hidglobal.com/products/readers/iCLASS/r90 |

 

Tastic RFID Thief’s PCB can be inserted into almost any commercial RFID badge reader.  It has been successfully tested with the long-range readers sold by HID Global for 3 of the 4 RFID product families they sell.

 

HID RFID - 3 of 4 Product Families