Want to clone a badge? Now is your chance
By David Bryan, Hacker, X-Force Red
Nearly every organization issues access cards to its employees. The cards open offices, data centers and, in some cases, printers. What organizations may not realize is that many of these cards are easy to clone. Some organizations deploy physical security controls that amount to security through obscurity in the hope of preventing their locks from being bypassed. For many of those controls, however, it is only a matter of time before someone finds a way to defeat them quickly and easily. Lock bumping is a good example: the technique exploits inherent weaknesses in the components of cheaper cast locks (as opposed to machine-milled ones), and it burst into the public spotlight when the open source group TOOOL published a paper on lock bumping (last revised in January 2005) that laid the technique out for everyone, defenders and attackers alike.
Using keys for building access can become a logistics nightmare. Employees misplace or lose keys, and staff turnover means keys leave with former employees. A master key system is one answer, but many such systems weaken the locks themselves: the extra master wafers add shear lines to each cylinder, which makes the locks even more susceptible to picking. Most traditional locks also have no audit mechanism. Then there is the expense of re-keying every lock and cutting new keys for everyone on site, a process that is extremely costly and can take days or weeks. Above all, keys are simply not a cost-effective, long-term security solution.
Electronic access control is another option. It lets a company revoke a single credential quickly and easily, and cost, time and ease are exactly what matter when a badge is lost. The credential can be revoked from every reader in seconds instead of weeks, and a replacement card can cost as little as 5€-10€. As ideal as that sounds, many electronic access cards can be cloned just as easily. Many legacy low-frequency proximity cards, for example, simply broadcast a fixed identifier with no authentication at all, so anyone who can read the card can reproduce it.
To defeat cloning, many vendors have turned to cryptography, using proven algorithms such as AES to protect both the contents of the card and the over-the-air communication. A newer class of attacks, however, targets the very processors that perform the encryption. Techniques such as glitching, fault injection and differential power analysis can defeat even the most sophisticated systems: an attacker can use one or more of them to bypass checks built into the software, reach hidden parts of the code, or even recover the cryptographic keys.
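The difference between the two kinds of card comes down to what a reader can ask of them. The simulation below is an added illustration for this post, not X-Force Red's demo code and not any vendor's protocol. It models a static-ID card and a challenge-response card talking to the same reader, sniffs one exchange from each and builds a replay clone, then shows what happens when the card's key itself has been extracted. HMAC-SHA256 from the Python standard library stands in for the AES-based authentication real cards use; the card IDs and key are constructed sample values, and the four-byte ID layout is an assumption made for the example.

```python
"""Static-ID badge vs. challenge-response badge under a sniff-and-replay attack.

Added example (not from the original post). HMAC-SHA256 is a stand-in for the
AES-based authentication used by real cards; the wire format is invented here.
"""
import hashlib
import hmac
import os

# Constructed sample credentials, not real card data.
STATIC_CARD_ID = bytes.fromhex("1d2c5a7b")   # legacy card: only an ID, no secret
CRYPTO_CARD_ID = bytes.fromhex("aa10beef")
CRYPTO_CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # 128-bit secret
ID_LEN = 4          # assumed ID width for this toy wire format
CHALLENGE_LEN = 16  # reader nonce size


class StaticIdCard:
    """Legacy proximity card: transmits the same identifier on every read."""

    def __init__(self, card_id):
        self.card_id = card_id

    def respond(self, challenge):
        return self.card_id  # the challenge is ignored entirely


class ChallengeResponseCard:
    """Card that proves possession of a secret key by MACing the reader's fresh
    challenge.  The reader, holding the same key, recomputes and compares."""

    def __init__(self, card_id, key):
        self.card_id = card_id
        self.key = key

    def respond(self, challenge):
        tag = hmac.new(self.key, self.card_id + challenge, hashlib.sha256).digest()
        return self.card_id + tag


class ReplayClone:
    """A clone built from one sniffed exchange: it can only repeat the bytes it saw."""

    def __init__(self, captured_response):
        self.captured = captured_response

    def respond(self, challenge):
        return self.captured


class Reader:
    """Door controller.  `enrolled` maps card ID -> key, or None for static cards."""

    def __init__(self, enrolled):
        self.enrolled = enrolled

    def authenticate(self, card):
        challenge = os.urandom(CHALLENGE_LEN)       # fresh nonce per attempt
        response = card.respond(challenge)
        card_id, tag = response[:ID_LEN], response[ID_LEN:]
        if card_id not in self.enrolled:
            return False
        key = self.enrolled[card_id]
        if key is None:
            return True  # static card: an ID match is all the reader can check
        expected = hmac.new(key, card_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def sniff_and_clone(genuine_card):
    """Passively record one legitimate exchange, then build a replay clone from it."""
    challenge = os.urandom(CHALLENGE_LEN)          # the nonce some reader happened to send
    captured = genuine_card.respond(challenge)     # what an eavesdropper sees over the air
    return ReplayClone(captured)


def run_demo():
    """Return whether each card variant opens the door; keys are the scenario names."""
    reader = Reader({STATIC_CARD_ID: None, CRYPTO_CARD_ID: CRYPTO_CARD_KEY})
    static_card = StaticIdCard(STATIC_CARD_ID)
    crypto_card = ChallengeResponseCard(CRYPTO_CARD_ID, CRYPTO_CARD_KEY)
    return {
        "genuine_static": reader.authenticate(static_card),
        "cloned_static": reader.authenticate(sniff_and_clone(static_card)),
        "genuine_crypto": reader.authenticate(crypto_card),
        # A replayed tag was computed over a different nonce, so it fails.
        "replayed_crypto": reader.authenticate(sniff_and_clone(crypto_card)),
        # If the key is pulled from the chip (fault injection, DPA, ...), the clone
        # answers any challenge correctly and is indistinguishable from the original.
        "key_extracted_crypto": reader.authenticate(
            ChallengeResponseCard(CRYPTO_CARD_ID, CRYPTO_CARD_KEY)),
    }


if __name__ == "__main__":
    for scenario, opened in run_demo().items():
        print(f"{scenario:>22}: {'door opens' if opened else 'denied'}")
```

The replay against the challenge-response card fails only because the reader picks a fresh challenge each time; a reader that reused challenges, or a card that ignored them, would be just as clonable as the static one. The last scenario is the point of the side-channel and fault-injection work: once the key is out of the silicon, the cryptography no longer distinguishes the clone from the original.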
To show you firsthand how badges can be cloned, our X-Force Red hackers have written two card-cloning demos. One is a web interface for the Proxmark3 RDV4 hardware that makes cloning cards quick and easy. The other attempts to recover keys from a piece of hardware live. Come see both for yourself at Black Hat Europe 2019: visit the IBM Security booth, #505, to make your own cloned badge. If you successfully clone one of our badges, you can win a prize.