Access Control – Part 1: Magstripes Revisited

MSR-606

Background

You would think that in this day and age everyone would be using RFID for access control on their buildings and environments. You’ll be surprised that magstripes are still quite commonly in use. But unlike hotels, which appear to encrypt their data (at least the reputable chains I’ve stayed at; I’ve always held onto the keycard and then analysed it back at the office), the access control mechanisms employed still use a straight clear protocol. So what is the threat?

The MSR-206 has been infamous for its use in carding fraud since the 1990s. As time has moved on, these devices have become more affordable and easier to purchase. They make replicating magstripe data very easy: either swipe to read and swipe to copy, or program in the data manually and swipe a card to program the code. We will demonstrate how a similar device can be used as a means of subverting an organisation’s building access control.

Below is a brief introduction to the hardware and software requirements.

Hardware

Several devices are up for grabs on eBay, ranging from £100 to £300 (GBP) depending on model and package:

  • MSR605 – USB Serial – PL2303 Driver
  • MSR609 – HID Device (no drivers necessary)

Software

When you purchase the device, the seller should be kind enough to include a CD with Windows drivers (if necessary) and a Windows demo application (magstripwrite.exe) that can read/write magstripe data. Dead easy to use… by far easier than the open-source packages below:

Alternatives – Open Source

The package below works on a Linux platform (in theory it should also work on OS X), but should be trivial to adapt for Windows use; it is currently limited to reading RAW/ISO magstripes.

The Attack

As was mentioned, the access control mechanism uses straight-clear magstripe data. If you can sneakily get a swipe of someone’s card, you can easily impersonate them at the gate (building entrance/exit). Or you could socially engineer a member of staff for their staff/contract number; it is usually the case that this is the same number on the magstripe. Pop this number into the program, write a new magstripe and you’re good to go.


And “ACCESS GRANTED!”


Considerations

A £100 Magstripe Reader/Writer typically includes a set of blank cards (approximately 20). That equates to £100 to walk through one (your organisation’s) door on initial purchase. If I want to use the cards on multiple attackers / buildings, the average cost drops to £5 per card. If I’m successful and walk away, I can simply re-program the card, and the overall cost over a lifetime (currently 10 years) drops virtually to a penny!
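
As an added example (not from the original post or any vendor's product), the sketch below contrasts the clear staff-number check described under The Attack with a controller-side check that requires a per-card serial and a keyed HMAC tag on the stripe; the field layout, key handling and all names are assumptions. It closes the "known staff number" route only: a swiped copy of a genuine stripe still verifies until that card's serial is revoked.

```python
import hashlib
import hmac

TAG_DIGITS = 10  # assumed tag length; the stripe must stay short and numeric

# Constructed sample data, not taken from any real system.
DEMO_KEY = b"constructed-demo-key"      # in practice: a secret held by the controller
DEMO_STAFF = {"104233", "104871"}       # staff numbers known to the controller


def card_tag(key: bytes, staff_id: str, serial: str) -> str:
    """Decimal tag binding a staff number to one issued card serial."""
    digest = hmac.new(key, f"{staff_id}|{serial}".encode(), hashlib.sha256).digest()
    value = int.from_bytes(digest[:8], "big") % 10**TAG_DIGITS
    return str(value).zfill(TAG_DIGITS)


def encode_stripe(key: bytes, staff_id: str, serial: str) -> str:
    """Assumed layout: staff number, card serial and tag separated by '='."""
    return f"{staff_id}={serial}={card_tag(key, staff_id, serial)}"


def legacy_check(stripe: str, staff_db: set) -> bool:
    """Clear scheme: knowing a staff number is enough to pass."""
    return stripe in staff_db


def hardened_check(stripe: str, key: bytes, staff_db: set, revoked: set) -> bool:
    """Accept only a well-formed stripe with a valid tag and a live serial."""
    parts = stripe.split("=")
    if len(parts) != 3 or not all(p.isascii() and p.isdigit() for p in parts):
        return False
    staff_id, serial, tag = parts
    if staff_id not in staff_db or serial in revoked:
        return False
    # Constant-time comparison of the presented tag with the recomputed one.
    return hmac.compare_digest(tag, card_tag(key, staff_id, serial))


if __name__ == "__main__":
    genuine = encode_stripe(DEMO_KEY, "104233", "0007")
    print("legacy, staff number only:  ", legacy_check("104233", DEMO_STAFF))
    print("hardened, staff number only:", hardened_check("104233", DEMO_KEY, DEMO_STAFF, set()))
    print("hardened, genuine stripe:   ", hardened_check(genuine, DEMO_KEY, DEMO_STAFF, set()))
    print("hardened, serial revoked:   ", hardened_check(genuine, DEMO_KEY, DEMO_STAFF, {"0007"}))
```

Revoking the serial of a lost or copied card is what limits a clone's useful life here, so the controller should log every serial it sees at each door.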