Everywhere around us, it seems like the traditional lock and key have been traded in for a plastic card or key fob device. These alternative devices use radio frequency identification (RFID), which gives us access to our cars, places of work and hotel rooms. Nowadays, RFID is a very popular part of our payment cards, allowing us to merely touch a point-of-sale (POS) panel to pay for purchases. This technology has created a convenience that many of us may take for granted, especially when it comes to security. Many consumers, and even vendors at times, have a false sense of security because they believe this technology is so complex that it is infallible.

Unfortunately, RFID technology is rather simple, has existed for many years and is commonly exploited by malicious criminals. Enterprises that implement RFID technology, especially where it is used to provide access-level controls, must understand the potential security risks involved. Consumers should also be cognizant of the risks and take precautions when paying at contactless payment or touch-to-pay terminals and when staying in hotels that use chip cards for room access.

Access Control Using RFID

RFID technology has been around since World War II. In many applications where it is used today, such as tracking production, asset identification and billing, improvements to the technology have helped lower security risks. However, the use of RFID in daily business and consumer operations is still considered new technology when used for access control. It can be more vulnerable to compromise.

Malicious actors know that the quickest and most profitable way to exploit this technology is to gain access to areas that contain physical property they can acquire. A simple search on the Dark Web or public internet can yield instructions and places to acquire hardware to perpetrate access control theft. Making matters worse, it is extremely easy to buy card stock and hardware that can enable virtually anyone to clone an access ID card.

With that said, we’re not painting all RFID locks with the same generic brush. RFID lock vendors offer varying levels of security, and enterprises are encouraged to thoroughly assess the technologies available to them and implement higher levels of encryption where possible.

A Saxophone, an RFID Key Card and an Opportunistic Attacker

Earlier this year, a close friend of mine — and a very popular session musician and performance artist — stayed at a world-renowned four-star hotel. She was traveling with her highly prized instruments and some audio equipment — approximately $20,000 in assets. After she checked in at the hotel’s reception, she rode the elevator to the 15th floor, entered her room, placed all of her baggage on the bed and went back downstairs to a café. After about an hour of enjoying a cup of tea, she returned to her room and found that all of her belongings were gone! Not only were her instruments missing, but so was her luggage, which contained cash, credit cards and her passport.

How could this happen? More concerning is the speed at which the theft took place. The hotel staff informed her that about 15 minutes after she initially left the room to go to the café, an entry was logged in the access key system. They even tried to convince my friend that the second entry was hers! There wasn’t any security footage at that hotel, so she couldn’t prove that it wasn’t her and the hotel couldn’t prove that it was.

Let’s try recreating the scenario: My friend enters the hotel lobby with all her baggage. Some of her bags take the shape of their contents, such as the saxophone and the trumpet. Lurking in the hotel lobby is the perpetrator. With all the activity happening in a large hotel lobby, he or she blends in with the crowd. More than likely, the criminal is watching for someone who looks like he or she may possess something of value. Either that, or the perpetrator is specifically targeting my friend.

Once the fraudster identifies the target, he or she has a couple of options for carrying out the evil deed:

  1. Intercept the RFID tag. If the criminal is near the target, maybe even in the elevator, he or she can intercept the RFID tag of the victim’s door key card by using a small, hand-held scanning device. These devices can be configured to exploit the card system in use at a particular hotel. Attackers simply search the web to find this information.
  2. Exploit the card reader. Some hotel card systems have card readers on the doors that can be exploited via a simple, freely available Android application. In this case, the fraudster doesn’t even need to scan the victim’s key card. He or she can follow the target and make a mental note of the room number while casually walking down the hall like a typical hotel guest.

Fortunately, this particular incident has a relatively happy ending. Local law enforcement officials gained a lead on the stolen saxophone from a pawn broker and my friend was able to recover some of her other stolen belongings. Victims of theft are typically not so lucky. This example illustrates how RFID can be vulnerable to relatively simple attacks that require neither technical savvy nor costly equipment.

RFID Attacks in the News?

RFID hacks are becoming increasingly common in the consumer realms, but news of enterprise-level incidents sometimes hits mainstream media as well. Earlier this year, for instance, a cybercriminal group took control of a hotel’s key card system, locking guests out of their rooms and preventing the hotel from issuing new cards. The malicious actors then held the key card system for ransom and demanded payment of two bitcoin before they would give control back to the hotel.

It is unfortunate that the subject of RFID vulnerabilities receives little to no attention at the consumer level, although personal RFID key card-related security incidents are numerous and can happen to anyone staying in hotels around the world. This silence may be due to laws that protect hoteliers from liability in the case of room theft as long as they provide room safes or allow guests to store valuables in the hotel’s main safe. If a guest doesn’t use these options and is a victim of theft, the hotel may be covered against paying for those valuables. Ironically, some hotels use RFID tags to prevent theft of their towels and bathrobes! A person making off with such items would be scanned at the door, just as in a major retail store, and an alarm would sound.

Another RFID Hack: Mobile Keys and Bluetooth

Another recent trend in the hotel industry is the switch to contactless access via mobile app-based keys. This system uses near-field communication (NFC), which is a subset of RFID technology. An NFC-enabled device can function as both an NFC reader and an NFC tag, which allows these devices to operate using peer-to-peer communication.

Guests download an app to their phones and then download their virtual keys from the cloud. Once downloaded, all they have to do is approach their hotel door and the Bluetooth-enabled RFID door reader receives a signal containing the key ID, which automatically opens the door.

Like RFID, virtual keys can be compromised. There are many how-to videos, articles and apps that demonstrate how to subvert the built-in security of these systems.

These security weaknesses are not always present in the RFID device itself. For example, a smartphone might contain a vulnerability that could allow a lobby creeper to remotely access a victim’s phone and grab the key file. Once the key ID is downloaded from the cloud, it maintains residency on the smartphone, allowing an attacker to exploit this weakness.

Best Practices for Mitigating RFID Attacks

There are numerous RFID lock manufacturers out there, each of which introduces its own security vulnerabilities, making it difficult to provide a comprehensive, bulleted list of countermeasures to fix all RFID-related issues. However, the best practices described below can help reduce exposure to RFID attacks and mitigate the risk of unauthorized access.

Faraday Cage/Shield

Faraday Cage technology, which is an enclosure used to block electromagnetic fields, can help block malicious actors as well. This type of shield has already been incorporated into some bags and wallets to prevent attackers from intercepting the RFID tag of a victim’s key card, for example. Unfortunately, this type of shield does not mitigate other attacks that target the RFID card reader or the victim’s mobile device.

Securing RFID

The use of RFID technology as an application for access control is still in an early stage of development from a security standpoint. Hotels and other enterprises that use this technology for access controls should take the following steps:

  • Use higher encryption levels. Most RFID systems don’t use ciphers. Securing tag data works essentially the same way as the encryption used to secure digital data in other areas of computing: Plaintext held on the tag is turned into ciphertext using a specific algorithm. It is then deciphered back into plaintext by the software supporting the reader using the same algorithm.
  • Perform periodic assessments of your RFID system to ensure that the system’s firmware and applications are up to date.
  • Consider engaging a third party to perform an assessment of the RFID system.
  • Use a bidirectional RFID transceiver to enforce two-way authentication between the tag and the reader.
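
The two-way authentication recommended above, sketched as an added example that is not from the original article or from any lock vendor: the reader and the tag each prove knowledge of a per-card key over fresh nonces, so a copied card ID or a recorded response is rejected. HMAC-SHA256, the key-diversification step, the message layout and all class and function names are assumptions chosen for illustration; real cards implement vendor-specific protocols in hardware.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

class Reader:  # hypothetical door reader
    def __init__(self, master_key: bytes):
        self._master = master_key
    def tag_key(self, uid: bytes) -> bytes:
        # Per-card key derived from the site master key (key diversification).
        return mac(self._master, b"diversify", uid)
    def challenge(self, uid: bytes, tag_nonce: bytes):
        # Step 2: the reader proves itself first, bound to the tag's fresh nonce.
        self._uid, self._nt, self._nr = uid, tag_nonce, secrets.token_bytes(16)
        return self._nr, mac(self.tag_key(uid), b"reader", uid, tag_nonce, self._nr)
    def verify(self, tag_proof) -> bool:
        # Step 4: accept only a proof computed over this session's reader nonce.
        want = mac(self.tag_key(self._uid), b"tag", self._uid, self._nr, self._nt)
        return tag_proof is not None and hmac.compare_digest(want, tag_proof)

class Tag:  # hypothetical key card
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self._key = uid, key
    def hello(self):
        # Step 1: announce the UID plus a fresh nonce.
        self._nt = secrets.token_bytes(16)
        return self.uid, self._nt
    def respond(self, reader_nonce: bytes, reader_proof: bytes):
        # Step 3: stay silent unless the reader knows this card's key.
        want = mac(self._key, b"reader", self.uid, self._nt, reader_nonce)
        if not hmac.compare_digest(want, reader_proof):
            return None
        return mac(self._key, b"tag", self.uid, reader_nonce, self._nt)

def run_session(tag, reader):
    """Run the four-message exchange; return (door_opens, tag_proof_sent)."""
    uid, nt = tag.hello()
    nr, reader_proof = reader.challenge(uid, nt)
    proof = tag.respond(nr, reader_proof)
    return reader.verify(proof), proof

def replay_opens_door(reader, uid: bytes, captured_proof: bytes) -> bool:
    """Present a copied UID and an earlier tag proof to a new reader session."""
    reader.challenge(uid, secrets.token_bytes(16))
    return reader.verify(captured_proof)
```

A card that only transmits a static ID has nothing equivalent to steps 2 through 4, which is why a copy of the ID alone is enough to open the door.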

Consumer Awareness

Individuals are unable to alter their access cards or the card reader to add levels of security. The best way for hotel guests to mitigate theft is to be aware of the risk and take the following travel security precautions:

  • Traveling with small expensive items? Consider storing them in the hotel’s main safe. A receipt can be obtained for your items and the hotel may be held liable if they go missing. You may have to pay an additional fee, but the benefit of reduced risk often outweighs the cost. Another option is to rent a safety deposit box at a local bank. Many provide rentals for short periods of time.
  • Traveling with large expensive items? If the hotel’s main safe cannot accommodate them, a short-term travel storage company may be an option. These facilities use good old-fashioned steel keys and sometimes allow the use of an additional padlock.
  • Travel insurance can also be a wise investment when traveling with expensive items. Travel insurance is typically low cost, only needed for a few days and can compensate buyers if something goes wrong.
  • Purchase a door alarm. These very small and relatively inexpensive devices are tripped by motion detection and can be hung on the inside door handle. When an intruder opens the door, a very loud alarm is triggered, which could be just enough of a deterrent to scare the thief away.
  • Another way to identify potential thieves is to install a hidden surveillance camera disguised as an inconspicuous wall charger or USB stick.
  • Are you a well-known entertainer, CEO or other person of interest? Similar to spear phishing, which targets specific individuals or companies, an attacker lurking in a lobby may be looking to target the CEO of a particular company or a government employee. Simple reconnaissance conducted from publicly available information and social engineering may reveal when and where these individuals are traveling. If you fall into this category, you may want to take extra precautions and implement several or all of the aforementioned recommendations.

These tips can go a long way toward helping hotel guests stay safe and secure while traveling to visit loved ones during the holiday season. Remember to always be vigilant and wary of suspicious individuals, because they might just be digital pickpockets waiting to steal your valuables and holiday goodies when you least expect it.
