This coin-sized device costs US$10 and can clone key cards and open office doors to thieves

PUBLISHED : Wednesday, 05 August, 2015, 7:01am
UPDATED : Wednesday, 05 August, 2015, 9:22am

Security researchers have created a coin-sized device for around US$10 that can hack and clone contactless key cards used by staff to gain admittance to hundreds of thousands of offices around the world. 

The device is small enough to go unnoticed after it has been placed on the scanning machine outside an office entrance, where it stores people’s information throughout the day as they swipe their cards to open the door. 

In this way, it acts similarly to an ATM card skimmer, except that it piggybacks on top of an external radio-frequency identification (RFID) card reader rather than a cash machine. 

The deficiencies of RFID access controls have long been known, but little has been done to address the issue, security researchers Eric Evenchick and Mark Baseggio said.

"Do these companies not care about physical security, or do they not understand the implications of these weaknesses?" they said in a statement.

The pair said they will release the specifications of the device online to highlight the dangers of RFID following a talk on Thursday at the Black Hat hacking conference in Las Vegas, where they plan to give away hundreds of the tools for free.

“We wanted to create a device that would concretely and absolutely show and hopefully put the final nail in the coffin [for this kind of technology],” Baseggio told Motherboard

“These devices are no more secure than a standard key.”

The issue came up at the Chaos Communication Congress and DefCon hacking conferences in 2010 and 2014, respectively, when demonstrators showed how to bypass RFID access controls, but the researchers said this did not lead to an improvement in security standards.  

Baseggio and Evenchick's device can store data from up to 1,500 cards. This can be sent to a smartphone, which can then be used to access the building.

Users even have the option to temporarily disable the card reader for two minutes after they have used a cloned card, preventing security guards or anyone else from tailing them. 

RFID devices are not necessarily unsecure, however. 

The Octopus card, widely used in Hong Kong for transport and shopping, uses multiple layers of encryption and a shared secret access key that both card and reader must provide before a transaction is processed, making hacking the system very expensive and difficult.