Mr Robot Hacks: How Elliot and f/society Cloned the Key Card to Enter Steel Mountain


Welcome back, my Mr. Robot aficionados!

As you know, Mr. Robot is my favorite TV show even though the show last aired nearly a decade ago. Excellent writing and acting make this a must-watch, but the real-life hacking almost makes it requisite for hackers and aspiring cyberwarriors.

In Season 1, Episode 5, Elliot and his f/society crew have stolen a mini-van (using a roll jam attack) and are racing to the Steel Mountain facility in upstate New York in an attempt to destroy the E Corp data tapes. They have decided that their best route to keep those tapes from the Dark Army is to social engineer their way into the impenetrable Steel Mountain facility, hack the HVAC system and turn the heat up high enough to disintegrate the tapes and the data they contain.

The first step is to get onto the grounds of the Steel Mountain facility, which is protected by barriers that only authorized personnel can pass. Of course, the employees are authorized personnel. Their plan, then, is to find a Steel Mountain employee wearing his card key around his neck, copy the card's details, and then clone the card and use it to enter the facility.

They decide to hang out at a local coffee shop trying to spot Steel Mountain employees. When they do, Mr Robot (played by Christian Slater) places a small bag around his neck containing a card key reader.

These card keys use RFID technology and are susceptible to being read and cloned. Christian Slater clumsily bumps into the Steel Mountain employee and is able to get the card key reader close enough to the employee's card to capture the data (in recent years, other security researchers have developed devices that can capture the data from 2-3 feet away). Once the data is captured by the reader, they plan to make a clone of the employee's card key and use it to sail past the control gate into the Steel Mountain facility.

In this tutorial, I will teach you a little about RFID technology and how Elliot and f/society cloned that card that authorized their entrance into the impenetrable Steel Mountain data storage facility!

The card used in the Mr Robot episode is a low-frequency card (see my article on RFID basics here) of the kind used for access control. These cards are notorious for the ease with which they can be cloned.

Step # 1: Obtain a Proxmark3

The first step in this hack is to purchase the proxmark3. The proxmark3 is the definitive tool for RFID card cloning and hacking. It can be obtained for under $100. Make certain to get a model with 512k RAM or more as the latest firmware is about 350k.

Step # 2: Install the client software into Kali

Now that you have your Proxmark3 and have set it up, we need to install the client software on your system. In this case, I'll be installing it into Kali Linux.

First, make certain that your repository cache is up-to-date.

kali > sudo apt update

Next, install the dependencies.

kali > sudo apt install --no-install-recommends git ca-certificates build-essential pkg-config libreadline-dev gcc-arm-none-eabi libnewlib-dev qtbase5-dev libbz2-dev liblz4-dev libbluetooth-dev libpython3-dev libssl-dev libgd-dev

These will take a few minutes, so be patient.

Finally, download the client software from github.com.

Now, make certain that the proxmark is connected to Kali by using the lsusb command.

kali > lsusb

Now we need to make certain that the Proxmark3 has permission to use /dev/ttyACM0.

kali > make accessrights

kali > [ -r /dev/ttyACM0 ] && [ -w /dev/ttyACM0 ] && echo ok

Finally, we need to compile the software.

kali > make clean && make -j

kali > sudo make install

Now, we need to flash the bootrom and the full image.

kali > pm3-flash-all

Step # 3: Run the Client Software

If everything installed properly and the Proxmark3 is connected, we are ready to begin cloning access cards.

First, navigate to the proxmark3 directory.

kali > cd proxmark3

Now, simply execute pm3, the proxmark binary.

kali > ./pm3

It should display a screen like that above.

It's time to place the access card on the low-frequency antenna of the Proxmark3.

We can see whether the Proxmark3 can read the card by simply entering:

pm3 --> lf search

As you can see, the Proxmark3 can read the access card and displays its key information, including:

  1. the ID

  2. the card type

  3. chipset.

Our next step is to read the card and store its data in memory.

pm3 --> lf hid read

Now, all we need to do is clone the card using the card ID:

pm3 --> lf hid clone 2C00B6EF39

This card will now be an exact clone of the original card and will provide access to the same rooms or facilities as the original!
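The defender's side of the clone above, as an added example that is not part of the original post: the cloned card carries the same ID as the original, so the reader cannot tell them apart, but the access-control system can still flag behaviour that a single physical card cannot produce (a second IN with no OUT in between, or swipes at two readers closer in time than the walk between them). The log format, reader names and walking-time table are constructed for the example.

```python
"""Spot a cloned badge in access-control logs (added example, not from the post).
A clone carries the same ID as the original, so the reader cannot tell them
apart; what gives it away is behaviour one physical card cannot produce."""
from datetime import datetime

# Constructed: minimum seconds needed to walk between two perimeter readers.
MIN_TRAVEL = {frozenset({"main-gate", "loading-dock"}): 300}

# Constructed sample log (timestamp,card_id,reader,direction); line two is the
# clone of the post's card ID being used while its owner is already inside.
SAMPLE_LOG = """\
2015-06-24T09:01:12,2C00B6EF39,main-gate,IN
2015-06-24T09:02:30,2C00B6EF39,loading-dock,IN
2015-06-24T09:30:00,1A00000001,main-gate,IN
2015-06-24T17:00:00,1A00000001,main-gate,OUT
2015-06-24T17:10:00,2C00B6EF39,main-gate,OUT
"""


def parse_log(text):
    """Return swipes as (timestamp, card_id, reader, direction), oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, card, reader, direction = line.split(",")
        events.append((datetime.fromisoformat(ts), card, reader, direction))
    return sorted(events)


def find_clone_alerts(text):
    """Return (card_id, timestamp, reason) for each swipe one card cannot explain."""
    alerts = []
    inside = set()  # card IDs currently inside the perimeter
    last_seen = {}  # card ID -> (timestamp, reader) of its previous swipe
    for ts, card, reader, direction in parse_log(text):
        # Anti-passback: a second IN with no OUT in between.
        if direction == "IN":
            if card in inside:
                alerts.append((card, ts, "anti-passback: IN while already inside"))
            inside.add(card)
        else:
            inside.discard(card)
        # Impossible travel: same ID at two readers faster than a person can walk.
        if card in last_seen:
            prev_ts, prev_reader = last_seen[card]
            gap = (ts - prev_ts).total_seconds()
            limit = MIN_TRAVEL.get(frozenset({prev_reader, reader}))
            if limit is not None and gap < limit:
                alerts.append((card, ts, f"impossible travel {prev_reader}->{reader} in {gap:.0f}s"))
        last_seen[card] = (ts, reader)
    return alerts
```

Running find_clone_alerts(SAMPLE_LOG) raises both alerts on the 09:02:30 swipe of the cloned ID and none for the legitimate card; in a real deployment the anti-passback check is the one most access-control systems can enforce natively, while the travel-time check is an analytic you run over exported logs.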

Summary

RFID, or Radio Frequency Identification, cards are a common method of controlling access to sensitive areas including hotel rooms, parking lots, server rooms, and other areas with limited access. The early low-frequency cards are easily cloned with a tool such as the Proxmark3, as in the Mr. Robot episode. Once the card is cloned, the cloned card will provide the same access as the original. In recent years, this vulnerability has been patched with high-frequency cards, stronger chips, and better security, but they too can be hacked!

Look for additional tutorials on RFID cards in the near future and our IoT Hacking class featuring RFID cards and IoT devices!