This $10 Device Lets You Easily Clone Office Access Cards

This tiny device can be hidden inside office card readers and clone as many as 1,500 access cards.

|
Jul 28 2015, 1:00pm

For years, security researchers have warned that the most common access control systems used in office buildings and elsewhere are incredibly easy to hack.

Now, two researchers are releasing a device, called BLEkey, that makes it even easier. BLEkey is a tiny device roughly the size of coin that can be hidden inside RFID card readers, the little box you swipe your card or fob against to open doors. The device takes advantage of a vulnerability in the box's communications protocol to clone and skim workers' access cards.

The two researchers who created BLEkey are Mark Baseggio, from security firm Accuvant, and Eric Evenchick, who works at Faraday Future. They are going to release the device's designs online after their talk at the Black Hat security conference in Las Vegas next week, where they will also distribute 200 BLEkeys, each worth just $10.

The BLEkey (Image: Accuvant)

Their goal is to show once and for all that technologies such as HID proximity cards, popular access cards used by offices all over the world, and the protocol that underlies them, known as Wiegand, are inherently obsolete and should not be used anymore.

"We wanted to create a device that would concretely and absolutely show and hopefully put the final nail in the coffin that is HID prox and Wiegand," Baseggio told Motherboard in a phone interview. "These devices are no more secure than a standard key."

"These devices are no more secure than a standard key."

The two researchers say that their device can store data from up to 1,500 cards, which can be downloaded on a cellphone using Bluetooth. An intruder can then use any of those cloned cards to access a building or office using his or her phone. BLEkey offers some unique features as well, such as the option to disable the card reader for two minutes after the cloned card opens a door. Such a functionality could be useful if security guards are tailing the intruder, Baseggio explained.

Baseggio and Evenchick estimate that 80 percent of office buildings still use these vulnerable technologies. Short of replacing these systems and employing new, more secure technologies, Baseggio said that these buildings can, in the meantime, enable tamper switches to detect when someone has messed with the card readers. Another possibility is to install a camera on the card readers. That way it'd be possible to see who used a cloned card, although that doesn't solve the root of the issue.

Baseggio said that in his work as a penetration tester in offices across the country, he has met a lot of clients who did not realize how insecure these access systems are, despite all the warnings in the past.

"In this day and age you'd think you'd seen all these presentations at security conferences, you'd think the word would be out, but in fact it is not," he said.

The two hope that will change after their talk in Las Vegas next week.

This piece has been amended. A previous version of this article stated that Eric Evenchick was a researcher at Accuvant, but he actually works at Faraday Future.