Security Resources

Archive for the RF Wireless Category

Skimmer Innovation Coming to a POS Near You

Matt Krebs recently posted another entry to his detailed and entertaining catalog of skimming devices, available at Krebs on Security. The device in question was found inside the credit card terminals of a yet-to-be-named U.S. retailer, and is presently being evaluated by Trustwave Spiderlabs. By itself, this is not particularly newsworthy, since there have been many similar cases involving devices attached PIN pads at retailers like Barnes and Noble, as well skimmers on/inside gas pumps and ATMs. So what makes this one interesting? The engineering and installation are worth a closer look:

  • The stolen data is encrypted using AES before being stored/transmitted
  • Card numbers and PINs can be retrieved by Bluetooth, and optionally, via cellular
  • The microprocessor was secured against tampering (lock bit set)
  • The PCB appears to have been produced professionally
  • There was delicate soldering work required to attach the device inside the credit card terminal

There is [very reasonable] speculation that the skimming devices were installed either early in the card terminal supply chain, prior to installation, or that the terminals were swapped out at some point with modified versions. Given the complexity of the connections, it is highly unlikely that the devices could have been modified on-site, even by a dishonest service technician.

The quality of these devices is increasingly impressive, and it seems plausible that future versions will be integrated into replacement system boards or peripherals, making their identification even more difficult.

Here are some photos of the Bluetooth skimming module:

BTSkimmer1 BTSkimmer2

Bluetooth Low-Energy Tracking – For Wallets!

When most people think about tracking people or things, RFID and GPS probably come to mind first. That’s not to say there aren’t plenty of other technologies just waiting to be put to good use. The Wallet TrackR is a project that uses Bluetooth Low-Energy to maintain contact between a small device and a smartphone or tablet. From their website:

“The Wallet TrackR fits easily into any wallet – just like a credit card. When combined with the free Wallet TrackR iPhone app, it becomes a powerful new tool to keep you from losing your wallet. When the Wallet TrackR gets separated from your iPhone or iPad, the Wallet TrackR app gently alerts you that you may be leaving your wallet behind. The app also takes a GPS snapshot of where your wallet was at the moment of separation in case you didn’t hear the alert. Tap a button within the app to make your wallet “ring” in case your looking for it around the house or in the dark. The technology works both ways, which means your wallet can beep to alert you that you’re leaving your phone behind. Works with your iPhone 4S, iPhone 5, new iPad, iPad mini and the new iPod Touch.”

Just like low-power mesh RF networks (802.15.4 / Zigbee) have shown promise as a tool for tracking objects and collecting data, Bluetooth Low Energy may enable interesting security and product protection solutions. The range, of course, will be much shorter – but the popularity of Bluetooth in existing handheld platforms makes it an intriguing option to explore.

The Wallet TrackR is still seeking backers for its first production run. I signed up for one, and will update this post when it arrives…

LTE Wireless Jamming – Anchor Post

This post will be updated periodically with information related to 4G / LTE vulnerabilities and strengths.



A post on ExtremeTech analyzed a claim published by MIT Technology Review that LTE networks can be shut down using a “simple jamming trick” utilizing a cheap software-defined radio. Their assessment was that it would be far more difficult than implied by the authors – both in terms of practicality (large transmit power requirements) and scope (attacks would affect close range devices only – not a whole geographic area).

Nevertheless – and unsurprisingly – it appears that LTE devices may be vulnerable to specific methods of jamming, just like other common wireless systems. As always, where wireless is used for security communication, multiple paths are a necessity.

Further reading:  MIT Technology Review Publication  and  Virginia Tech Response to NTIA RFC


RFID and Zigbee Hacking – Security Directors Beware…

In the security world, few technologies have become more entrenched than proximity-based access control. The cards and readers are everywhere – and overall, they provide a level of convenience and security that far exceeds the systems they replaced, such as mechanical locks, barcodes, magnetic stripes, and the like. A typical access card operates in the same manner as an RFID tag – since it is essentially the same thing. A reader emits RF energy, which energizes a coil inside the card powering a small circuit, which in turn, communicates a unique ID number back to the reader. There are many data formats and matched reader/card frequencies involved, but almost all systems operate in this (simplified) manner.

Over the years, there have been many documented examples of proximity access control hacking. From card emulation and brute-force transmissions at the reader, to surreptitious card data capture. So with that in mind, why revisit the subject here? The answer lies in the proliferation and rapidly declining cost of RFID components and other low-energy RF communications, which are poised to transform the way in which we connect and interact with systems and assets of all types.

The growing popularity of RFID tagging (especially in retail), environmental monitoring, intelligent edge devices, and building automation has spurred the development of a wide range of wireless/RF-enabled data collection and triggering. Examples include Zigbee (and similar 802.15.4 products), advanced RFID readers, and Z-Wave. For some developers, security is an afterthought, since the equipment is believed to be so obscure and/or specialized that it is unlikely to be attacked. What we are beginning to see, however, is that the same tactics used by “war-drivers” in the early days of commercial WiFi can expose insecure platforms and potentially open the door (pun intended) to serious security problems.

The good news is that security can be engineered into most of these platforms – in fact, it is often a core component – but it must be “switched on” and used properly. Follow the links below to read about some of the vulnerabilities and hacks that exist today. In practice, being aware of the potential for hacking – especially with immature products, proximity cards, etc… will help you make good design decisions. For example, once you understand how an access badge can be cloned – you probably won’t allow that badge to also disarm your alarm system, even if the vendor promotes it as a convenience feature. Likewise, if you are testing a new Zigbee-based data collection solution in your retail store, have a discussion with your vendor about how security has been implemented – and even if you like the answer, keep that network isolated until it is well-proven.

More on this subject:

Wardriving for Zigbee: Blog article describing a method for finding and mapping Zigbee networks

Kisbee: Open-source hardware project to capture Zigbee wireless communication

Bootable RFID Live Hacking System: A platform for hacking MIFARE access control cards

Proximity Card Cloning: HID ProxCard-II, ISOProx, and others

iClass Card Details and Cloning

RFID Tutorial

Long Range Cloning: 125KHz Proximity Cards

Software Defined Radio (SDR) as a Security Threat

There have been a number of DIY projects documented recently that transform inexpensive TV tuner dongles into software defined radios (SDRs) capable of receiving a wide range of broadcasts. While this potentially allows someone access to frequencies used for security equipment/communications, our concerns are primarily limited to the interception of data – which can be addressed in a variety of ways.

Now, some projects – like this one – are taking the concept further and adding the ability to transmit. As the hardware becomes more affordable, the likelihood of misuse will rise. These systems could, for example, transmit false GPS information, replay wireless transmitter signals, or mimic a wireless host or monitoring system. Many older wireless platforms use little or no security for transmission validation, and even those that do may be susceptible to certain types of attacks – such as brute forcing and jamming. Of course, the technology to interfere with wireless transmissions is already available, but it is generally cost prohibitive and complicated to operate.

Software projects like GNU Radio promise to simplify the user interface for those exploring SDR, and we will undoubtedly see a range of purpose-built attack tools in the future that can break or compromise various wireless systems. Many of these will be useful to pen-testers, but like all such tools, their existence in the wild must be considered when selecting wireless equipment or evaluating an existing infrastructure.