When it comes to covert entry assessments, successfully capturing RFID badge values can mean the difference between failure and successful entry to a target site. In a previous Labs post, “I Don’t Need a Badge – Lessons Learned from Physical Social Engineering”, we introduced the ESPKey as a method of capture. Although the ESPKey is a useful tool, there are several potential issues with using it.

This article introduces the “Stealth Wiegand Data Interpreter” as an alternative, and demonstrates how it can be used to clone employee badges during an engagement along with the potential benefits and drawbacks.

Limitations of the ESPKey

For a time, the ESPKey was the best option for passive “hands off” RFID captures. However, it has three primary weaknesses:

  1. Installation – An ESPKey can be attached to a reader’s wires relatively quickly, but doing so still means removing the badge reader from the wall and pulling it far enough out to reach the underlying wires. This is conspicuous, and because in-wall wiring can be quite stiff, the tester also risks struggling to push the wires back into the wall once the ESPKey is attached.
  2. Support – The attack depends on the target site using, or at least supporting, low frequency RFID, the Wiegand protocol, and a two wire data transmission configuration.
  3. Tamper Detection – RFID readers sometimes have tamper alarms installed. It is worth noting, however, that 1) these can sometimes be bypassed easily, for example with a magnet that masks the break in the magnetic connection between the reader panel and its outer casing, and 2) even where the alarm cannot be bypassed, depending on the site there is a good chance that no-one is actively monitoring it, or that it is only noticed long after the engagement is over.

What if there were an easier way, or even a totally different approach? I have often found that in any engagement where the human element can be exploited, that is the easiest path, especially when standard methods are not working and no low-hanging fruit vulnerabilities are present. This applies to anything from covert entry to phishing to internal infrastructure engagements, depending on the scope.

The Stealth Wiegand Data Interpreter

If you cannot capture RFID badges by getting close enough to an employee or third-party vendor while carrying a portable reader, why not just have employees bring the RFID badges to you? Enter Practical Physical Exploitation’s “Stealth Wiegand Data Interpreter”.

[Figure: Stealth Reader]

To quickly clarify, this is not a sponsored post, simply an article highlighting a tool which other physical security professionals may find useful while testing employee awareness.

The Stealth Wiegand Data Interpreter is effectively a fully functioning RFID card reader. The malicious reader is intended to act as a duplicate, or perhaps more accurately an imitation, of a legitimate RFID reader. Simply put, an attacker places the stealth reader on a wall next to a door, the reader captures any and all badge reads, and then the attacker returns to retrieve and remove the reader.

Pros and Cons

Having introduced what the Stealth Wiegand Data Interpreter is and does, it is worth discussing the pros and cons associated with this product.

The fact that the reader can be quickly attached to a wall and later removed with little to no damage to the wall is a strong point in the tool’s favor. Captured badges can then be accessed via the malicious reader’s wireless access point. In terms of protocol support, based on my understanding from reading the stealth reader’s documentation, the stealth reader can capture RFID badges which are not using the Wiegand protocol. However, this data will only be logged to the cards.csv output and not to the reader’s associated web page. The raw binary and hex for all captures, including unsuccessful captures, can be found in that output file.

[Figure: Captured badge reads output file example]
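Because the output file contains every capture, including partial and corrupted ones, the first job when reviewing it is separating genuine badge reads from noise. The following is an added example, not code from the original post or from the Stealth Wiegand Data Interpreter project: it decodes the standard 26-bit Wiegand format (one even parity bit, an 8-bit facility code, a 16-bit card number, one odd parity bit), rejects reads with the wrong bit length or failed parity, and counts how often each distinct card was seen. The CSV column layout (timestamp, bits, binary, hex) and the sample rows are constructed for this example and are an assumption; the real cards.csv layout should be checked against the tool’s documentation.

```python
"""Triage Wiegand capture logs: decode valid 26-bit reads, flag bad ones.

Added example, not code from the original post or the tool's project.
The CSV layout and sample rows below are constructed assumptions.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log. Assumed columns: timestamp, bits, binary, hex.
# Row 3 has a flipped bit (parity failure), row 4 is a partial 17-bit read,
# row 5 repeats row 1 so the summary shows a card seen more than once.
SAMPLE_CSV = """\
timestamp,bits,binary,hex
2024-01-01T09:00:01,26,10010101000000100110100100,25409A4
2024-01-01T09:00:07,26,10000000111111111111111111,203FFFF
2024-01-01T09:00:12,26,10010001000000100110100100,24409A4
2024-01-01T09:00:15,17,10110010011000101,164C5
2024-01-01T09:00:20,26,10010101000000100110100100,25409A4
"""


@dataclass
class Read:
    timestamp: str
    bits: int
    binary: str
    status: str  # "ok" or the reason the read was rejected
    facility_code: Optional[int] = None
    card_number: Optional[int] = None


def decode_wiegand26(binary: str) -> Tuple[int, int]:
    """Decode a standard 26-bit Wiegand frame into (facility_code, card_number).

    Layout: bit 0 = even parity over bits 1-12, bits 1-8 = facility code,
    bits 9-24 = card number, bit 25 = odd parity over bits 13-24.
    Raises ValueError if the frame is malformed or a parity check fails.
    """
    if len(binary) != 26 or set(binary) - {"0", "1"}:
        raise ValueError("not a 26-bit binary string")
    b = [int(c) for c in binary]
    # Each parity bit is included in its own half, so the half must sum
    # to even (first 13 bits) or odd (last 13 bits).
    if sum(b[0:13]) % 2 != 0:
        raise ValueError("even parity check failed")
    if sum(b[13:26]) % 2 != 1:
        raise ValueError("odd parity check failed")
    return int(binary[1:9], 2), int(binary[9:25], 2)


def parse_log(text: str) -> List[Read]:
    """Parse the capture log, decoding what can be decoded and flagging the rest."""
    reads = []
    for row in csv.DictReader(io.StringIO(text)):
        binary = row["binary"].strip()
        bits = int(row["bits"])
        fc = cn = None
        if set(binary) - {"0", "1"}:
            status = "binary column contains non-binary characters"
        elif bits != len(binary):
            status = "bit count does not match binary length"
        elif f"{int(binary, 2):X}" != row["hex"].strip().upper():
            status = "hex column does not match binary"
        elif bits != 26:
            status = f"unsupported length ({bits} bits)"
        else:
            try:
                fc, cn = decode_wiegand26(binary)
                status = "ok"
            except ValueError as exc:
                status = str(exc)
        reads.append(Read(row["timestamp"], bits, binary, status, fc, cn))
    return reads


def summarize(reads: List[Read]) -> Dict:
    """Count good vs rejected reads and how often each distinct card appeared."""
    ok = [r for r in reads if r.status == "ok"]
    cards: Dict[Tuple[int, int], int] = {}
    for r in ok:
        key = (r.facility_code, r.card_number)
        cards[key] = cards.get(key, 0) + 1
    return {"total": len(reads), "ok": len(ok),
            "rejected": len(reads) - len(ok), "cards": cards}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_CSV)
    for r in parsed:
        print(f"{r.timestamp} {r.bits:>2} bits {r.status}"
              + (f" FC={r.facility_code} CN={r.card_number}" if r.status == "ok" else ""))
    print(summarize(parsed))
```

The hex consistency check is cheap insurance against transcription mistakes when values are copied out of the log by hand, and the per-card count makes repeated reads of the same badge obvious, which matters both for an assessor deciding what a capture actually represents and for a defender estimating how many distinct credentials were exposed by a rogue reader.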

One of the primary drawbacks of this tool is that it is, by design, visible once placed and, more to the point, easier to notice than the ESPKey alternative. Arguably the biggest drawback is that the malicious reader will not actually open anything, as it is not attached to any other wires, which may cause confusion or, worse, questions. There are a few potential workarounds that lessen the likelihood of a malicious reader being caught, although they are quite situational. Placing the reader next to a door that is always unlocked seems like one of the most logical options; however, since the vast majority of unlocked doors will not be external building doors, this first requires a successful tailgate or other method of entry. This highlights another risk worth considering: if the reader is placed on an exterior wall, exposure to the elements (rain, wind, etc.) may damage the device.

Alternatively, placing the reader on the other side of a doorway, ideally a pair of double doors, is another possible option. For example, if a pair of double doors has an existing legitimate reader on the left side, simply placing the reader on the right side may result in badge captures. As the door will remain locked when the right reader is used, hopefully the employee will simply scan the left reader and continue on with their day without giving it any more thought. As the malicious reader flashes green when a badge is successfully read, even an employee who does notice this strange interaction is slightly less likely to suspect the badge reader of being defective.

It is also worth noting the difference in speed of exploitation between the ESPKey and the Stealth Wiegand Data Interpreter. Since the ESPKey is directly attached to a valid badge reader and, more to the point, to the data wires behind the reader, a captured badge read can simply be replayed to unlock the associated door. With the Stealth Wiegand Data Interpreter, however, the captured RFID values must first be dumped from the device and then programmed onto an RFID badge before they can be used. As with many processes, adding steps increases the potential for things to go wrong.

Another technical issue, shared by both types of planted RFID capture device, is not knowing which captured badges can access which doors. It is not great from a stealth perspective to print five RFID badges using captured values and try all of them on all the relevant or important doors at a client site. Arguably the ESPKey has the advantage in that regard, as it can be implanted on the badge reader protecting an important target door (a server room, a storage room containing valuable assets, etc.), where any badge captured is almost guaranteed to be a highly privileged one that opens that door. However, this requires access to said badge reader, which might itself be behind other protected doors. A second badge reader suddenly appearing next to an important door, which also does not unlock the door when a badge is read, is more likely to arouse suspicion.

Conclusion

RFID is arguably the most common method of access control technology at all types of locations and sites. Having a variety of means for capturing RFID badges, which can then potentially be used to gain access to restricted or sensitive areas, is of the utmost importance for physical security penetration testers. Relatedly, from a defensive perspective it is vital that both the human and technological elements of physical security are regularly tested for gaps and vulnerabilities.

If you are interested in having a physical security vulnerability assessment or covert entry assessment, please contact solutions@nettitude.com.