Credential Harvesting from RFID Badge Readers


Most modern office buildings use RFID badge readers for employee access. While these readers offer long-term reliability and convenience to their users, they can also leak a great deal of information about employees and give relatively unfettered access to anyone seeking entry to secured buildings and areas.

To understand how this is possible, we must first know how an RFID badge access system works. The reader continuously emits a short-range, low-power electromagnetic field. When a card is brought close, that field induces a current in the antenna coil embedded in the card, which powers the card's chip; the chip then repeatedly transmits the identifier stored on it. The reader decodes that identifier and passes it, usually over the Wiegand protocol, to the access control panel, which checks it against its database and either grants or denies access. Note that the reader itself normally holds no database; the decision is made by the panel behind it, and the wire between the two is where the attack below takes place.

So, how is this technology susceptible to hacking? 

Well, to create a duplicate RFID card that bypasses the system, you must obtain valid credentials and know which RFID system is in use. A photograph of the target RFID reader helps the hacker identify the vendor and model. Readers mounted on the outside of buildings are usually not physically protected, and fences around such buildings offer a false sense of security. It takes only a couple of minutes to open the reader housing and install an ESP tool (approximately $30 USD). An ESP tool is a WiFi-enabled tap for the Wiegand protocol, the very common wiring protocol between RFID readers and their access control panels; the device targets 26 to 37-bit HID card formats. Wired inline on the Wiegand data lines, the tool logs (records) every credential that passes through and can transmit that data to a smartphone or nearby laptop. To the authorized user, everything functions normally. The hacker now not only has the 'key' to the compromised reader, he effectively controls the lock: anything the tap puts on the data lines reaches the panel looking like a legitimate badge read.
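What a Wiegand tap actually records is a short frame of bits, not a card. The following is an added example (not code from the original article or from any ESP tool vendor) that decodes and re-encodes the most common of the formats mentioned above, the 26-bit HID H10301 layout. It assumes the tap logs each frame as a string of '0'/'1' characters with the first bit on the wire first; the parity rules (even parity over the first 12 data bits, odd parity over the last 12) are the standard H10301 definition. A frame that fails parity would be rejected by a panel, so it is not worth replaying.

```python
# Added example: decode / encode 26-bit Wiegand (HID H10301) frames as
# captured by an inline Wiegand tap. Frame format, first bit first:
#   [even parity][8-bit facility code][16-bit card number][odd parity]
# Assumption: the tap logs frames as '0'/'1' strings in wire order.

def parity(bits: str) -> int:
    """Return 1 if the number of '1' bits is odd, else 0."""
    return bits.count("1") % 2


def decode_wiegand26(frame: str) -> dict:
    """Parse a 26-bit frame into facility code and card number.

    Even parity (bit 0) covers bits 1..12; odd parity (bit 25) covers
    bits 13..24. Raises ValueError on a bad length or a parity mismatch,
    which is what a corrupted or partial capture looks like.
    """
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 bits of '0'/'1'")
    if int(frame[0]) != parity(frame[1:13]):
        raise ValueError("even parity check failed")
    if int(frame[25]) != (parity(frame[13:25]) ^ 1):
        raise ValueError("odd parity check failed")
    return {
        "facility_code": int(frame[1:9], 2),
        "card_number": int(frame[9:25], 2),
    }


def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Build a 26-bit frame with correct parity bits (the reverse of decode).

    This is the frame an attacker would need to put on the data lines,
    or write to a blank card, to replay a harvested credential.
    """
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("facility code must fit 8 bits, card number 16 bits")
    payload = f"{facility_code:08b}{card_number:016b}"
    even = parity(payload[:12])        # makes bits 0..12 even overall
    odd = parity(payload[12:]) ^ 1     # makes bits 13..25 odd overall
    return f"{even}{payload}{odd}"


if __name__ == "__main__":
    # Constructed sample credential, not a real one.
    frame = encode_wiegand26(123, 45678)
    print(frame, decode_wiegand26(frame))
```

The round trip matters in practice: a captured frame tells you facility code and card number, which are the two values a card programmer asks for when writing a clone, and the parity check separates clean captures from noise on the line.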

Why would a hacker need to capture many credentials instead of just a few?

A hacker can look at the captured information to see when large numbers of people enter and leave at given times, and can then deduce scheduled start times, lunch times, shift changes, etc. If the same badge 'hits' the RFID reader at regular intervals throughout the day, it can indicate that the badge belongs to a security guard on patrol. Security guards tend to have greater access to restricted areas, so their credentials are of greater value.
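The two patterns just described, peak traffic hours and a badge that recurs on a fixed cadence, are easy to pull out of a tap's log once it has a few hours of reads. The following is an added example, not code from the original article or from any tap vendor; the log format (an ISO timestamp, facility code and card number per line) and the sample reads are constructed for the example, and the jitter threshold is an arbitrary assumption.

```python
# Added example: mine a badge-read log for schedule peaks and for badges
# that recur at regular intervals (a patrol pattern). Log format is an
# assumption: "<ISO timestamp> <facility code> <card number>" per line.
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one badge (30001) hits every hour on the hour
# from 06:02 to 11:02, the rest cluster around 09:00 and 12:30.
SAMPLE_LOG = """\
2024-03-04T06:02:10 123 30001
2024-03-04T07:02:15 123 30001
2024-03-04T08:02:09 123 30001
2024-03-04T08:55:30 123 41002
2024-03-04T08:57:01 123 41003
2024-03-04T08:58:44 123 41004
2024-03-04T09:01:12 123 41005
2024-03-04T09:02:20 123 30001
2024-03-04T10:02:05 123 30001
2024-03-04T11:02:33 123 30001
2024-03-04T12:31:10 123 41002
2024-03-04T12:33:20 123 41003
2024-03-04T12:35:02 123 41005
"""


def parse_log(text: str) -> list:
    """Return a list of (timestamp, facility_code, card_number) tuples."""
    reads = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, fc, cn = line.split()
        reads.append((datetime.fromisoformat(ts), int(fc), int(cn)))
    return reads


def busiest_hours(reads: list, top: int = 2) -> list:
    """Hours of the day with the most reads, busiest first."""
    hours = Counter(ts.hour for ts, _, _ in reads)
    return [hour for hour, _ in hours.most_common(top)]


def periodic_badges(reads: list, min_hits: int = 4, max_jitter_s: float = 300) -> dict:
    """Badges whose read-to-read gaps are consistent, mapped to the mean gap in seconds.

    A badge seen at least `min_hits` times with the spread of its gaps
    (population std dev) under `max_jitter_s` is flagged as patrol-like.
    """
    by_badge = defaultdict(list)
    for ts, fc, cn in reads:
        by_badge[(fc, cn)].append(ts)
    flagged = {}
    for badge, times in by_badge.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:
            flagged[badge] = round(mean(gaps))
    return flagged


if __name__ == "__main__":
    reads = parse_log(SAMPLE_LOG)
    print("busiest hours:", busiest_hours(reads))
    print("periodic badges:", periodic_badges(reads))
```

Against the sample, the busiest hours come out as 08 and 12 (the morning arrival wave and lunch), and badge (123, 30001) is flagged with a mean gap of roughly one hour, which is exactly the hourly-patrol signature the text describes. On a defender's side the same logic, run over the panel's own event log, is a cheap way to spot which credentials would be most valuable to an attacker and to prioritise them for two-factor or PIN-backed access.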

Does the hacker need to make an RFID card to gain access?

Yes and no. To get through the compromised reader, the hacker can simply replay a captured, valid badge credential from their smartphone or laptop to the ESP tool inside the reader; the panel sees a normal badge read and unlocks the door. If the hacker wants to get past additional RFID readers inside the building, he would need to create a cloned RFID card from the captured facility code and card number, since those readers have not been fitted with an ESP tool.

How much do these tools used to bypass RFID readers cost?

An RFID reader/writer for programming cards costs around $300 USD. Blank RFID cards cost a couple of dollars each. ESP tools cost about $30 USD, and the companion smartphone app for the ESP tool costs $80 USD.