At AT&T Security Consulting, we get to do the coolest things! A few weeks ago, we were performing a social engineering test authorized by a client. In this test, user susceptibility to individually targeted threats — and how those threats impact the physical security of the organization — were evaluated. Typically after such a test, a social engineering awareness training is done for the client’s employees to educate them about the newest threats and how they can protect against such attacks.
AT&T Security Consulting has some very sharp consultants. One consultant came up with the idea to test whether the readers for the HID cards (commonly called “proximity cards” or “proxcards”) used in the building could resist cloning attacks. A very valid test! So the team put together some equipment using micro-controllers that DIY enthusiasts would be well familiar with: SparkFun’s Pro Micro.
Using hardware and programming, the team put together a working prototype that could capture low-frequency HID cards at a distance of about six to eight inches. This is a distance at which you’re not really invading a person’s private space, and yet it’s also not too far. With the access-card-capturing hardware in place, the team procured some card writers from publicly available marketplaces.
With the hardware in our hands, we then started profiling the client’s employees via social media such as LinkedIn and found some employees’ pictures. On the day of the social engineering test, we roamed around the client’s office locations, and when we found an employee who had a picture up on LinkedIn, we followed him. Next, we had our consultant (carrying the card-capturing hardware in his bag) pretend to accidentally bump against him.
Obviously, the goal was to get close enough so we could capture the proxcard in order to clone it afterwards. We went back and did find the proxcard information on our card-capturing device, and we successfully cloned the card. The next morning, the consultant was able to gain access to the facilities without being challenged by anyone – he was now a “valid” employee!
The basis of almost all security in an enterprise is physical security, which is often enforced using proxcards. Make sure your proxcard reading systems are not vulnerable to cloning attacks. Let us know in the comments if you have seen any other interesting attacks, or if you have comments about this case study.