
Non Encrypted NFC tags...

posted Oct 9, 2012, 11:07 PM by Leigh Williams
The previous post talked about a Samsung Galaxy S3 (and possibly other phones) sporting a cool feature to launch the appropriate app based on the content read by the NFC reader, which can be turned against itself to do bad things...
In that post you will read that some NFC cards are not encrypted and can be read with just about any NFC reader app. You can then use apps available from the Google Play Store to store and emulate the content read from the NFC tag. Or you can read the NFC data from the non-encrypted card, get a blank card and write the content to that card.

Since most people carry their tags around their necks on a lanyard or in their pockets, it doesn't take much to read such a card with an SGS3 (most probably any new NFC-enabled phone will work) and duplicate it. Target someone with some nice elevated privileges and you've got yourself some pretty neat access to, for example, a university's computer labs, a data center, a building, etc. Or maybe you can even sell it online...

With physical security the way it is at most big organizations, you will surely be able to enter a building and swipe your card without anyone even checking your identity, i.e. that your face matches the face on the card, so you can get away with using a blank card. Most security guards do not even know the finer details of the company's access cards, so by making a crude copy with all the right details, such as the company name in the right place, an employee number that matches the format of the company you are targeting (e.g. three letters followed by 6 digits), the photo in the top left corner, etc., you should be able to enter wherever you are trying to enter without raising any suspicions.

So please, encrypt that NFC card (or don't use NFC just because it is what the cool kids are using; do your homework) and do not let your employee access card lie around on your desk. But most importantly, do not be naive and assume that people will not exploit a weakness when they find it.
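
Why a readable tag can be copied and a keyed one cannot, as an added example that is not part of the original post: a Python simulation of a door controller checking both kinds of tag. It assumes HMAC-SHA256 as a stand-in for the card's on-chip cryptography; the class names, function names and badge number are constructed for illustration.

```python
import hashlib
import hmac
import secrets

BADGE_ID = b"ABC123456"  # constructed sample: three letters + six digits

class StaticTag:
    """Unencrypted tag: any reader gets everything it stores."""
    def __init__(self, data):
        self.data = data
    def read(self):
        return self.data

class KeyedTag:
    """Hypothetical tag whose secret key never leaves the chip."""
    def __init__(self, badge_id, key):
        self.badge_id, self._key = badge_id, key
    def read(self):
        return self.badge_id  # the ID itself is still readable
    def respond(self, challenge):
        return hmac.new(self._key, challenge + self.badge_id, hashlib.sha256).digest()

def door_accepts_static(tag, enrolled_ids):
    """Weak check: trusts whatever bytes the tag presents."""
    return tag.read() in enrolled_ids

def door_accepts_keyed(tag, enrolled_keys):
    """Hardened check: fresh random challenge verified with the enrolled key."""
    key = enrolled_keys.get(tag.read())
    if key is None or not hasattr(tag, "respond"):
        return False
    challenge = secrets.token_bytes(16)
    expected = hmac.new(key, challenge + tag.read(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag.respond(challenge))

def demo():
    key = secrets.token_bytes(32)
    genuine_static, genuine_keyed = StaticTag(BADGE_ID), KeyedTag(BADGE_ID, key)
    # A copy can only hold what read() exposes; the key is not among it.
    copy_static = StaticTag(genuine_static.read())
    copy_keyed = KeyedTag(genuine_keyed.read(), secrets.token_bytes(32))
    return {
        "static_genuine": door_accepts_static(genuine_static, {BADGE_ID}),
        "static_copy": door_accepts_static(copy_static, {BADGE_ID}),
        "keyed_genuine": door_accepts_keyed(genuine_keyed, {BADGE_ID: key}),
        "keyed_copy": door_accepts_keyed(copy_keyed, {BADGE_ID: key}),
    }

if __name__ == "__main__":
    print(demo())
```

The static copy is accepted because the door only compares bytes that anyone can read, while the keyed copy fails because the response depends on a key the copy never had.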