With HID cards, a swipe is more than a swipe

  • AT&T Security Consulting conducted a social engineering experiment to gauge user susceptibility to physical security threats.
  • Make sure your proxcard reading system is protected against cloning attacks.

At AT&T Security Consulting, we get to do the coolest things! A few weeks ago, we were performing a social engineering test authorized by a client. This test evaluated user susceptibility to individually targeted threats and how those threats impact the physical security of the organization. Typically after such a test, social engineering awareness training is conducted for the client’s employees to educate them about the newest threats and how they can protect against such attacks.

Testing threat protection

AT&T Security Consulting has some very sharp consultants. One consultant came up with the idea to test whether the readers for the HID cards (commonly called “proximity cards” or “proxcards”) used in the building could resist cloning attacks. A very valid test! So the team put together some equipment using microcontrollers that DIY enthusiasts would be well familiar with: SparkFun’s Pro Micro.

Using hardware and programming, the team was able to put together a working prototype that could capture low-frequency HID cards at a distance of about six to eight inches. This is a distance at which you’re not really invading a person’s private space, and yet it’s also not too far. With the access-card-capturing hardware in place, the team procured some card writers from publicly available marketplaces.

Profiling through social media

With the hardware in our hands, we then started profiling the client’s employees via social media such as LinkedIn and found some employees’ pictures. On the day of the social engineering test, we roamed around the client’s office locations, and when we found an employee who had a picture up on LinkedIn, we followed him. Next, we had our consultant (carrying the card-capturing hardware in his bag) pretend to accidentally bump against him.

Obviously, the goal was to get close enough so we could capture the proxcard in order to clone it afterwards. We went back and did find the proxcard information on our card-capturing device, and we successfully cloned the card. The next morning, the consultant was able to gain access to the facilities without being challenged by anyone – he was now a “valid” employee!

Lessons learned

The basis of almost all security in an enterprise is physical security, which is often enforced using proxcards. Make sure your proxcard reading systems are not vulnerable to cloning attacks. Let us know in the comments if you have seen any other interesting attacks, or if you have comments about this case study.

The Networking Exchange Blog Team