Tom Van de Wiele, a security researcher with F-Secure in Denmark, has an interesting project. The Belgian-born researcher has taken to photographing people with their company ID badges on display, and posting them on his Twitter page with the hashtag #protectyouraccesscard. So far, he’s managed to capture dozens of ID cards, mostly from people walking down the street, or riding public transport.
— Tom Van de Wiele (@0xtosh) March 28, 2017
There’s a serious point behind it, as Van de Wiele explained to me. Physical security is an important part of information security. If an attacker is able to get close enough to take a photo of an ID card, they’re also probably able to scan its RFID data.
This, obviously is bad. “[If] we copy someone’s card one-to-one so that now we have a clone of the card, that gives us access to the building. This allows the installation of rogue network devices, which gives us access to internal systems,” Van De Wiele explained.
Even if an attacker is unable to copy the electronic information on the card, often just the appearance of the card is enough to gain access to a building. De Wiele said that if security in a building is lax, you can simply wave your card at a guard to gain entry.
— Tom Van de Wiele (@0xtosh) June 13, 2017
The idea of copying ID cards feels inherently far-fetched, something which could only really take place in a video game, or in the world of the Mission Impossible movies, but it’s more plausible than you might expect.
“Even physical security departments are convinced that you can’t copy plastic or that ‘no one would do that,'” he said, “so we have to demo it and show them how easy it can be.”
Van de Wiele has issues with the cards themselves, saying that it’s far too easy to duplicate the same ID several times, and use it to gain access to a building. “One of the more popular test cases we include in our [F-Secure’s red team] attacks is to copy a card several times and enter the same building using a bunch of entrances with the same card.” The goal of this is to see if a security guard notices it, or if an internal security system sees it.
“Spoiler: it doesn’t, because it’s a valid card for a valid building for a valid timespan,” he said
— Tom Van de Wiele (@0xtosh) September 15, 2017
Ultimately, this is one element of security De Wiele wishes companies paid more attention to. Once an attacker has gained to an internal network, it’s pretty much a free-for-all, as most networks are flat, and encryption isn’t widely used due to the fact that it’s not open to the wider world.
And for everyone with a company ID card, Van De Wiele has but one piece of advice. “Your card is your key. If you are not using it, put it away and don’t show it to anyone for your own protection”