Welcome back, my Mr. Robot aficionados!
As you know, Mr. Robot is my favorite TV show even though the show last aired nearly a decade ago. Excellent writing and acting make this a must watch, but the real-life hacking almost makes it requisite for hackers and aspiring cyberwarriors.
In Season 1, Episode 5, Elliot and his f/society crew have stolen a mini-van (using a roll jam attack) and are racing to the Steel Mountain facility in upstate New York in an attempt to destroy the E Corp data tapes. They have decided that their best route to keep those tapes from the Dark Army is to social engineer their way into the impenetrable Steel Mountain facility, hack the HVAC system and turn the heat up high enough to disintegrate the tapes and the data they contain.
The first step is to get onto the grounds of the Steel Mountain facility that is protected by barriers that only authorized personnel can pass. Of course, the employees are authorized personnel. Their plan then is to find a Steel Mountain employee wearing his card key around his neck, copy the cards details, and then clone the card and use it to enter the facility.
They decide to hang out at a local coffee shop trying to spot Steel Mountain employees. When they do, Mr Robot (played by Christian Slater) places a small bag around his neck containing a card key reader.
These card keys use RFID technology and are susceptible to being read and cloned. Christian Slater clumsily bumps into the Steel Mountain employee and is able to get the card key reader close enough to the employee’s card to capture the data (in recent years, other security researchers have developed devices that can capture the data from 2-3 feet away). Once the data is captured by the reader, they plan to make a clone of the employees card key and use it to sail past the control gate into the Steel Mountain facility.
In this tutorial, I will teach you a little about RFID technology and how Elliot and f/society cloned that card that authorized their entrance into the impenetrable Steel Mountain data storage facility!
The card used in the Mr Robot episode is a low-frequency (see my article on RFID basics here) cards used for access control. These cards are notorious for the ease with which they can be cloned.
Step # 1: Obtain a Proxmark3
The first step in this hack is to purchase the proxmark3. The proxmark3 is the definitive tool for RFID card cloning and hacking. It can be obtained for under $100. Make certain to get a model with 512k RAM or more as the latest firmware is about 350k.
Step # 2 Install the client software into Kali
Now that you have your proxmark and set it up, we need to install the client software on your system. In this case, I’ll be installing it into Kali Linux.
First, make certain that your repository cache is up-to-date.
kali > sudo apt update
Next, install the dependencies.
kali > sudo apt install –no-install-recommends git ca-certificates build-essential pkg-config libreadline-dev gcc-arm-none-eabi libnewlin-dev qtbase5-dev libbz2-dev liblz4-dev libbluetooth-dev libpython3-dev libssl-dev libgd-dev
These will take a few minutes, so be patient.
Finally, download the client software from github.com
kali > sudo git clone https://github.com/RfidResearchGroup/proxmark3.git
Now, make certain that the proxmark is connected to Kali by using the lsusb command.
kali > lsusb
Now we need to make certain that the proxmark3 has permission to use /dev/tty/ACM0.
kali > make accessrights
kali > [-r /dev/ttyACMO] &&[ -w /dev/ttyACMO] && echo ok
Finally, we need to compile the software
kali > make clean && make -j
kali > sudo make install
Now, we need to flash the BOOTROM and the fullimage.
kali > pm-flash-all
Step # 3 Run the Client Software
If everything installed properly and the proxmark3 is coonected, we are ready to begin cloning access cards.
First, navigate to the proxmark directory
kali> cd proxmark3
Now, simply execute pm3, the proxmark binary.
kali > ./pm3
It should display a screen like that above.
It time to place the access card on the low frequency antenna on the proxmark3.
We can see whether the proxmark3 can read the card by simply entering;
pm3 –> lf search
As you can see, the proxmark can read the access card and displays its key information including;
the ID
the card type
chipset.
Our next step it is to read the card and store the data into memory.
pm –> lf hid read
Now, all we need to do is to clone the card with the card ID
pm> lf hid clone 2C00B6EF39
This card will now be an exact clone of the card that original card and will provide access to the same rooms or facilities as the original!
Summary
RFID or Radio Frequency Identification cards are a common method of controlling access to sensitive areas including hotel rooms, parking lots, server rooms, and other areas with limited access. The early low-frequency cards are easily cloned with a tool such as proxmark3such as in the Mr. Robot episode. Once the card is cloned, the cloned card will provide the same access as the original. In recent years, this vulnerability has been patched with cards with high frequency signals, stronger chips and better security but they too can be hacked!
Look for additional tutorals on RFID cards in the near future and our IoT Hacking class featuring RFID cards and IoT devices!