bodyType

customContents

entityId

entityUuid

articlePageQuery

filter

article

articleBaseAdvertisingInfoArticle

articleListArticle

articleSeoArticle

helpersCheckIsPostiesArticle

hooksArticleAcknowledgementGateOverlayArticle

hooksTrackPageViewArticle

hooksContentInterestArticle

articleLinkingDataContent

hooksAmpRedirectArticle

articleSchemaContent

liveArticle

advertZone

sentiment

contentLock

topics

types

sections

moreOnThisArticles

urlAlias

commentCount

authorLocations

authors

corrections

sponsorType

displaySlideShow

multimediaEmbed

printHeadline

seriesContainer

socialHeadline

headline

flag

firstTopic

glossary

flattenTypeIds

publishedDate

additionalInfoBoxes

quizIds

images

image

relatedLinks

relatedNewsletters

__typename

createdDate

sponsor

paywallTypes

pdfFiles

seriesReverseOrder

series

disableOffPlatformContent

published

updatedDate

summary

subHeadline

body

keywords

readingTime

customTimezone

liveContents

James Griffiths

Security researchers have created a coin-sized device for around US$10 that can hack and clone contactless key cards used by staff to gain admittance to hundreds of thousands of offices around the world. 
The device is small enough to go unnoticed after it has been placed on the scanning machine outside an office entrance, where it stores people’s information throughout the day as they swipe their cards to open the door. 
In this way, it acts similarly to an ATM card skimmer, except that it piggybacks on top of an external radio-frequency identification (RFID) card reader rather than a cash machine. 
The deficiencies of RFID access controls have long been known, but little has been done to address the issue, security researchers Eric Evenchick and Mark Baseggio said.

"Do these companies not care about physical security, or do they not understand the implications of these weaknesses?" they said in a statement.
The pair said they will release the specifications of the device online to highlight the dangers of RFID following a talk on Thursday at the Black Hat hacking conference in Las Vegas, where they plan to give away hundreds of the tools for free.
“We wanted to create a device that would concretely and absolutely show and hopefully put the final nail in the coffin [for this kind of technology],” Baseggio told Motherboard. 
“These devices are no more secure than a standard key.”

The issue came up at the Chaos Communication Congress and DefCon hacking conferences in 2010 and 2014, respectively, when demonstrators showed how to bypass RFID access controls, but the researchers said this did not lead to an improvement in security standards.  
Baseggio and Evenchick's device can store data from up to 1,500 cards. This can be sent to a smartphone, which can then be used to access the building.
Users even have the option to temporarily disable the card reader for two minutes after they have used a cloned card, preventing security guards or anyone else from tailing them. 
RFID devices are not necessarily unsecure, however. 
The Octopus card, widely used in Hong Kong for transport and shopping, uses multiple layers of encryption and a shared secret access key that both card and reader must provide before a transaction is processed, making hacking the system very expensive and difficult.


This coin-sized device costs US$10 and can clone key cards and open office doors to thieves

Radio-frequency identification (RFID) card readers are used by offices around the world to allow staff to swipe into the building. Photo: SCMP Pictures

The device's size makes it hard to spot as office workers swipe their key cards and unwittingly transmit the data to would-be thieves. Photo: Accuvant

Two security researchers are releasing the device to draw attention to weaknesses inherent in many RFID door devices. Photo: Accuvant

The Octopus travel card that is widely used in Hong Kong is significantly harder to hack because it uses multiple encryption and a shared secret access key. Photo: Dickson Lee

Tech