Oct 11, 2024 12:23:46 PM | Adversarial Simulation Skim Job: Skimming Your Way In

Skim Job is White Oak Security’s RFID skimmer project, discover how we did this social engineering RFID security attack of skimming our way into client buildings.

Over the years, we have had great success in using a long-range RFID reader and the Proxmark3 for various onsite social engineering engagements for quite a few clients. Then, we had an idea about creating an RFID skimmer, but we were running into a few issues: 

  • Making it automated 
  • Making it convincing 
  • Solving the RFID interference problem

What is RFID?

RFID is a radio-frequency identification system that is wireless. There’s a ton of uses, such as supply chain visibility, tracking, access control, and more. 

RFID Security Testing

Some current social engineering RFID security attacks are: 

  • Proxmark3
  • Bishop Fox (long-range reader)
  • BLEKey / ESPKey

Each of these has its own pros and cons, none of them are bad and they all work in their own way. This post isn’t to deter you from using these current technologies.

RFID Skimming

RFID enabled doors are becoming the norm for accessing buildings. We didn’t want to damage any of the reader wiring like the BLEKey/ESPKeys, but needed something quick and inconspicuous. We wanted to eliminate employee interaction, as sometimes we’re unable to get near a badge or there’s a short project timeframe. At times the physical interaction needed to be just right otherwise an employee would become suspicious and tip-off management. The whole project started with an idea and a drive to make it work.

Project Issues

Out of the main issues, solving the RFID interference issue would make this project most successful. When two RFID readers become within range of each other – it creates a reader-to-reader collision (see diagram below). 

When two RFID readers become within range of each other – it creates a reader-to-reader collision as shown in this diagram from Science Direct.

If there was a way to remotely cut voltage to the RFID reader, it would allow for the collision to stop and successfully skim an unexpected employee’s RFID badge. After a month or so of research, we were able to find a component called “USB PowerControl board” from SwitchDoc Labs. This inline USB board is a USB-to-USB solid state relay and can be controlled through a control line input.  

RFID Skim Job Set-Up

The project went through multiple different iterations through trial and error. The following images show the proof-of-concept (POC) setup and the current iteration of the project:

POC setup of Skim Job RFID skimmer by White Oak Security
POC setup
2nd iteration of Skim Job RFID skimmer by White Oak Security
2nd iteration
Current iteration of Skim Job RFID skimmer by White Oak Security
Current iteration
(Don’t mind the purple electrical tape ☺) same current iteration but with some tape on the RFID skimmer
(Don’t mind the purple electrical tape ☺)
All components enclosed together in the "public facing box" of the RFID skimmer of Skim Job by White Oak Security
All components enclosed together

All of the components utilized in the building of the Skim Job project include:

All components can be bought for around 200$.

How Does The RFID Skimmer Work?

Initially, the project started with some simple Bash scripts thrown together for a proof-of-concept. Eventually, the project was written in Python (Thanks Wes) and the details of scripts can be found on White Oak’s GitHub page. A more in-depth, full walk-through of setup and running the Skim Job project is demonstrated through this recorded webinar. 

Skim Job Review

The purpose of revealing this project to the public was to help bring light to the security issues RFID technologies face nowadays and to help further the project by having similar like-minded individuals introducing new functionality, features, and improving the overall design of the project. Skim Job was created because the onsite social engineering engagements we were performing would either be a short timeframe or be very difficult to get close enough to an employee’s badge, so we did our thing – took the idea and created something. Let us know how you think we can improve this even further. 

 

Written By: Brett DeWall