Red Team stories – Bypassing RFID-based access control systems

During our physical security tests, we often find ourselves bypassing RFID access control systems. These vulnerabilities are often fascinating (and fun to exploit 😉). Below are a few cases that stood out to me.

Connect with the author on LinkedIn!

How Misconfigurations Can Let You Go from Zero to Server Room Access Without Being Caught

This story is also part of my presentation “How to Break into Organizations with Style: Hacking Access Control Systems”. If you’re interested in the full version (and want to learn more about RFID security along the way), feel free to check it out. 

In one of my past physical security assignments, the system in use at the target building was HID Prox. These are low-frequency, low-security cards that don’t use encryption – the credential stored on the card, consisting of facility code and card number, is used for authentication and authorization, and it’s sent in plaintext. 

(Un)surprisingly, systems like this are still in use today in many places.

Since these tags are easy to clone, I used a bit of social engineering (and a little luck 😉). After a few attempts, I managed to clone a cleaning-service card and another one belonging to an employee with access to low-security areas like open spaces.

Perfect! Step one – initial access – done. 

I could get into open areas and the staircase with those cards, but this wasn’t enough – my goal was to get inside the server room without alerting security or other employees.

There were only a few people with higher access level and oftentimes they have greater threat awareness, which makes cloning their cards a bit more complicated. But was that really necessary to directly scan their cards and risk detection by doing so? Maybe I could find another way to get the server-room access card? 

Let’s take a look at what I already had: IDs for two of the cards used in the building:

2006CE090D

2006CE0A9D

Obviously, the above IDs are an example and not the real ones I got during the test 😉

At a quick glance, it was obvious the numbers weren’t random – they were very close to each other – probably coming from the same box of consecutive numbered 100 fobs. So, I thought, what if I brute-force the reader and try other IDs close to these?

Unfortunately, there was a catch – I couldn’t just walk straight to the server room and start brute-forcing there. The reader was under a camera, and there were employees walking around. Plus, brute-forcing can take time, and I was using a Proxmark3 connected to my laptop, which would look pretty suspicious. Also, every time a (valid or invalid) card is presented to the reader, it beeps loudly…

So, I decided to look for another reader – maybe there was one that wasn’t under a camera? Bingo! I found one at the entrance to the staircase. It was a low access level reader, but that worked in my favor. Often, higher-access level cards (like the ones for the server room) will also open lower-access level areas, like the building entrance (or, in this case – the main staircase). So, if I brute-forced that reader, I’d likely get a list of all the valid cards used in the building.

I started brute-forcing, and while the first few attempts didn’t work, I quickly started getting hits that opened the staircase door:

2006CE0A79

2006CE0A7A

2006CE0A89

2006CE0A8C

2006CE0A8F

…

A few minutes and a couple hundred beeps later, I had about 30 valid ones for the staircase door.

The lack of monitoring helped a lot – apparently there were no alerts or suspicious activity checks. I was able to brute-force hundreds of cards, and no one seemed to notice.

But 30 IDs was still too many to go through unnoticed for the server room access. I needed a different way to narrow down which card has the higher access level.

One thing we’ve learned during Red Team assessments is to always check the printers. They’re often the targets vulnerable to playful magic.

In this case, it was also a printer that came to the rescue. My colleague discovered that in this building, you had to authenticate with your access card to use the printer that featured Follow Me Printing… and once you logged in, it displayed the name of the cardholder 🙂

We snuck into the printer room when no one was around and tried those 30 valid IDs that we brute-forced in the previous step. We matched them with names, and with a little bit of OSINT, we realized that one of them was a network administrator. That was our guy.

Now, it was easy. The server room didn’t require a PIN or physical key, just the card. We copied the network admin’s ID onto a blank card and walked straight into the server room. The reader lit up green, beeped friendly, and we were in 🙂

Forgetting to Change Encryption Keys Is Like Leaving the Default “admin:admin” Password

Earlier, I talked about a system with no encryption, but adding ciphers and keys isn’t always enough. 

Many times, we’ve seen very popular Mifare Classic systems with default key that let us clone cards. Even if those keys aren’t default, they can often be cracked because of flaws in the encryption algorithm – Crypto1 or embedded backdoors.

But Mifare Classic cards are not the only ones that face this problem. Lately we had a chance to work with a different system – Paxton, which is popular in the UK. 

These cards require a password to access data and authenticate to the reader. After a thorough search on the Internet, we were able to find the default passwords, shared by systems in the whole United Kingdom. And one of them worked, allowing us to make a copy of the tag.

Lesson: Always change the default key. And check that the credentials you’re using aren’t floating around online.

Red Teaming in practice: Physical Security Testing tutorial

Julia Zduńczyk 2024.11.05 ·3 MIN reading

Be Careful Who You Give Your Guest Cards To

Another common entry point are guest cards. Companies often focus on their employee cards, but the rules for temporary-access cards management are a lot looser.

We’ve gained access multiple times through social engineering or by simply waiting for the receptionist to leave and then grabbing the cards from the reception desk. These cards are often left unsecured, e.g. in an open cabinet.  More often than not, they aren’t deactivated when not in use, which means someone could steal them and get in.

Another issue is that guest cards often don’t have time restrictions, so we’ve used them to get access to the building in the middle of the night. This allowed us to run tests like setting up Raspberry Pi, scanning internal networks or lockpicking doors – without anyone noticing, as there was no one inside that could catch us. 

Ideally:

• Regular cards should be active only in specific hours and be valid for assigned areas of the facility defined by the employee’s scope of duties,
• If an employee lost their card, a temporary card should be valid only for the time needed to issue a new regular employee’s card; and the lost card should be immediately deactivated in the system,
• If a guest card is issued, it should be activated only for a short period of time e.g. only on the day of the event the guest was invited to. If it is issued for longer than one day, it should be active only in specific hours. It should also be valid only for specific door/set of doors the guest needs access to. Apart from this time, all temporary guest cards should be deactivated when not in use.

Conclusion

Access control security isn’t just about having readers that beep whenever someone puts their access cards close to them. It’s about configuring them well and taking into consideration many factors – using secure systems, setting custom keys, setting up proper monitoring, having time restrictions on cards… The list could go on. 

Physical Red Team assessment is meant to identify these misconfigurations and vulnerabilities, including the ones that might not be immediately obvious. 

During such assessments, our operators implement a threat-led approach, performing deep evaluation of attack vectors and exposed information to simulate actions feasible for real life adversaries.

We offer a comprehensive service, performing covert physical attack that validates not only physical access control systems but also facility’s internal network and company’s cybersecurity defenses.

Connect with the author on LinkedIn!

Julia Zduńczyk IT Security Consultant