Security researchers have created a coin-sized device that can hack and clone the contactless key cards staff use to gain admittance to thousands of office premises globally.
The device is worth approximately $10 and is small enough to go unnoticed when placed onto a scanning machine outside an office entrance.
It acts similarly to an ATM card skimmer, except it piggybacks on top of an external radio-frequency identification (RFID) card reader rather than a cash machine.
The deficiencies of RFID access control systems have long been known, but little has been or is being done to address them.
Security researchers Eric Evenchick and Mark Baseggio said, “Do these companies not care about physical security, or do they not understand the implications of these weaknesses?”
They also said, “We wanted to create a device that would concretely and absolutely show and hopefully put the final nail in the coffin [for this kind of technology].”
“These devices are no more secure than a standard key.”
This topic was discussed at the Chaos Communication Congress and DefCon hacking conferences in 2010 and 2014, where demonstrators displayed their ability to bypass RFID access controls; however, this did not lead to improved security standards.
Baseggio and Evenchick’s $10 device can store data from up to 1,500 cards, which can be sent to a smartphone and used to access buildings.
Users were also able to temporarily disable card readers for two minutes after they used a cloned card, preventing security personnel or anyone else from tracking them.
RFID devices are not necessarily insecure, but there are loopholes in the technology.