1 Backpack, Many HIDs

The following information, illustrations and design are for educational purposes, and the furtherance of protecting secure areas with the explicit permission of the owners. Please do not use such devices for any illegal purposes.

At Bitcrack, we often find ourselves conducting a red-team engagement or penetration test that involves access control assessments, Wi-Fi assessments, RFID and so forth.

One thing that often gets in the way of a successful assessment is having to stop and take stock of collected data, process logs and so forth. We have thus embarked on a project to consolidate our attack hardware into a platform that can be easily used and deployed in the field.

In this blog post we detail our HID RFID clone tool. It is loosely based on the Tastic RFID Thief, with some modifications.

The Problem

We liked the Tastic RFID Thief (thanks to BishopFox) for our assessments, but it had some issues for us. A major one is that one has to capture HID tag IDs, then stop somewhere, eject the SD card and open it on a computer/laptop to clone the HID tag using a Proxmark or something similar.

The Solution

Build an all-in-one solution to capture-and-write cards on demand with nothing more than your backpack and mobile phone/tablet.

To do this, we did the following:

1. Build our own Tastic version and modify it to suit our needs.

2. Build a central control unit to manage our "captured" RFID cards and write the cards on the fly.

3. Write all the necessary programs and scripts to run it.

Below is a picture of our final products, shown individually:

The items above are:

1. a HID ProxPro II Reader

2. a 2.1A 5V Li-Ion Battery Pack

3. an Elec House Proxmark 3 RDV2

4. a custom-built Tastic RFID Thief with a home-made 3D-printed box and LCD display. We removed the SD card and its associated program code. We also modified the code for our serial data requirements, and added a Li-Ion battery.

5. a Raspberry Pi with our code running on it.

The Tastic RFID unit, close up and powered on, looks like this:

We take all our components and put them in a backpack to create an easy-to-use walk-around HID read-and-clone system.


HID Card Reader in Front of Bag

Tastic + Raspberry Pi + Battery Pack in center of backpack

Proxmark in side pocket

The Attack Process

The attack process is:

STEP 1: Get the bag near a HID RFID card (if it is worn, simply hang around people with cards in close proximity, around +/- 20-25cm).

STEP 2: As the system obtains RFID cards from people around you, the website open on the phone/tablet automatically updates to show you what cards you've captured.

STEP 3: Take a "blank" card out of your pocket, hold it against the side of the bag against the Proxmark and click CLONE ME for the corresponding captured card you wish to clone.

DONE! The cloned card can now be used to access the areas the original card would have access to. A Red-Team simulated attack or Penetration Test can now continue. The system verifies that the cloned card is a match of the captured card you chose.

TODO: Still on our list to add to our system are:

  1. Support for other TAG types by simply holding them against the side of our bag to the Proxmark and using the phone interface to modify/clone them.
  2. Addition of a Wi-Fi dongle to our Raspberry Pi and the building of a Wi-Fi attack module into the website to allow for Wi-Fi audits directly from the hand-held via the Backpack while walking around in the environment.