Gathering Proximity Card Credentials: The Wiegotcha

David Fletcher


There are a number of items that I watch on eBay. Included in that group are long range proximity card readers.  As it turns out, I was recently able to pick up an HID MaxiProx 5375 reader, new in box, for less than $100.  I had to buy it!!  These devices were a centerpiece at Black Hat USA 2014 when Bishop Fox released the Tastic RFID Thief.

For those unaware, the reader seen below is typically used at gate or garage entrances so proximity cards can be read from a greater distance. Depending on the reader configuration and the card being used, this distance can be 1-6 feet.

The Tastic RFID Thief weaponizes this reader by adding a microcontroller (Arduino Nano) that acts as a door controller and stores credentials read from unsuspecting victims on an SD card for later use in provisioning a duplicate proximity card.  This activity exposes a lack of encryption and mutual authentication between the card, reader, and controller.

My initial goal was to build a Tastic RFID Thief using my newly acquired reader.  However, this proved to be somewhat difficult because the original parts on the Bishop Fox parts list were troublesome to source.  While searching for suitable replacement parts and researching refactoring the original code for a different microcontroller, I came across the Wiegotcha.

This device takes the Tastic RFID Thief to the next level by replacing the Arduino microcontroller with a Raspberry Pi.  The Raspberry Pi solution incorporates a wireless access point using hostapd.  By connecting to the access point using a phone, the operator can observe captured credentials in real time using an auto-refreshing web page that displays the card details.

The parts list for the device is pretty minimal, requiring:

  • 12/5V Battery Pack
  • Level Shifter
  • Real-Time Clock
  • Jumper Wires
  • Raspberry Pi

A fully assembled device, using a Raspberry Pi B+ v1.2, can be seen below.

The web interface displays captured credentials by the most recent date/time and supports searching and download of all credentials in a CSV file.

Raspbian Jessie is the release supported on the Wiegotcha GitHub repository. However, my devices are all running Raspbian Stretch just fine.  I’ve altered the build instructions from the repo to match my experience with Raspbian Stretch below.

Manual Installation Mode

“Manual” installation is what I used to get my devices up and running. Feel free to explore install.sh and laststep.sh to fully understand what they do.

  1. Burn a fresh raspbian SD card. You can use Stretch or Stretch-lite.
  2. Run sudo su - to become root
  3. Run raspi-config and change the default keyboard layout as necessary
  4. Ensure that the Git client and ntp are installed: apt-get update && apt-get install git ntp
  5. In /root run git clone https://github.com/sunfounder/SunFounder_RTC_Nano.git
  6. Run cd SunFounder_RTC_Nano && ./install.sh
  7. The install script will set up the RTC and reboot the device
  8. In /root run git clone https://github.com/lixmk/Wiegotcha.git
  9. Run cd Wiegotcha && ./install.sh
  10. The install script will walk you through everything, including a reboot.
  11. After first reboot run screen -dr install (as root)
  12. Follow instructions to complete final steps of installation.
  13. Proceed to Hardware Installation.

Hardware Installation

Thorough instructions: http://exfil.co/2017/01/17/wiegotcha-rfid-thief/

Short version:

  1. Place the RTC on the RPi’s GPIO starting at pin 1 (top left), going down the left side to pin 9.
  2. Run RPi pin 4 to Level Shifter HV in.
  3. Run RPi pin 6 to Level Shifter LV gnd.
  4. Run RPi pin 11 to Level Shifter LV 1.
  5. Run RPi pin 12 to Level Shifter LV 4.
  6. Run RPi pin 17 to Level Shifter LV in.
  7. Reader TB1-3 to Battery Ground (Black).
  8. Reader TB1-1 to Battery 12v (Red).
  9. Reader TB2-1 to Level Shifter HV 1.
  10. Reader TB2-2 to Level Shifter HV 4.
  11. Reader TB1-2 to Level Shifter HV gnd.
  12. OPTIONAL: Remove Speaker.
  13. OPTIONAL: Solder haptic motor.

The demonstrator above employs the HID MaxiProx 5375 reader, which operates at 125 kHz.  This same setup will work, without modification, with the Indala ASR-620 and HID R90 long range readers. The former is also a 125 kHz reader that supports the HID Indala card format, and the latter operates at 13.56 MHz and supports HID iCLASS cards.

The combination of all three of these devices can be a valuable asset on physical penetration tests.  When used with the BLEKey and other physical security bypass tools and techniques they can give a customer a comprehensive understanding of any weaknesses in their physical security posture.