Is it True or Fake? Card Cloning like Mr Robot and stealing details in seconds


In the episode of Mr. Robot, the protagonist has to bump into an employee while going through a line. He carries a device in a bag on his chest, and when he collides with the employee, he grabs the information from their card. After this encounter, they return home, where they store the data from the card, clone it, and then use that cloned card as the first step in their plan.

To successfully clone these cards, the first action is to place the card on top of the Proxmark. Once positioned, the lights on the device should illuminate, indicating it is ready to perform an LF, or low-frequency search, to read the card's information.

Now, everyone, it's David Bombal back with the amazing OTW. Welcome!

Thank you, David. It’s always an honor to be back on your show, the best IT and cybersecurity channel on YouTube.

I always appreciate you saying that. For everyone who doesn't know, OTW is the author of the book Linux Basics for Hackers, which is a very popular book on Amazon. He has also written other books, including Network Basics for Hackers and Getting Started: Becoming a Master Hacker. I will put links below if you're interested.

OTW, I don’t want to put you on the spot, but hopefully, at some point, we’re going to get a new Linux Basics for Hackers, right?

Yes, it’s in the process right now. The preliminary schedule indicates it should come out around April or May of next year, 2025. It will be fully updated with the new Kali and some of the changes that have been taking place in Kali. As your viewers know, we’ve been doing a series on Linux Basics for Hackers, and I believe we’re up to chapter six or something like that. All of that is updated with new content.

We also have the complete course on Hackers Arise that viewers can purchase, or if you’re a student, you get it for free. I will put that link below for everyone who wants to watch the videos we’ve done discussing the basics of Linux with the updated book.

One of our most popular videos has been about Mr. Robot, and it’s been a long time since we’ve done a video on it. Many people have requested it, so I’m very happy to hear what you have to share today. I believe it’s a Mr. Robot hack discussion, and you’re also going to talk about the technology, right?

Yes, I love doing Mr. Robot content, and I think we should do more in the future. I enjoy it, and I believe the viewers love watching it. As you know, Mr. Robot is really my favorite hacker show, possibly my favorite show overall. It’s fun to go through the hacks he performs in the show, dissecting them to see what he’s actually doing. Many people don’t realize that the hacks depicted are real. There’s almost no hack in the show that isn’t based on reality; the only difference is the time frame. He accomplishes tasks very quickly, which in reality might take hours or days. That’s the only significant difference compared to many other TV shows and movies that are completely unrealistic.

I agree with you.

=> 00:06:24

Real hacking isn't just about tech skills; it's about mastering the art of social engineering.


I agree with you; it's a great show for anyone who's interested in real-world hacking. But I want to keep quiet now and hand it to you. What are we going to be looking at specifically today?

Okay, well, let's talk about the show a little bit so that the viewers who are new here can get some perspective on what's taking place. We're talking about episode 5 from season 1. In this episode, Elliot and the fsociety crew have decided that they need to destroy the backup tapes from Evil Corp, also known as eCorp. Those tapes are all in storage at a company called Steel Mountain, which is apparently located in upstate New York, if I remember correctly. There is actually a real company in the United States called Iron Mountain that does exactly the same thing; they store tapes, digital media, and even paper media for companies. They put them in these fireproof, impenetrable facilities.

In the show, the Steel Mountain facility has a sign in front of it stating it is impenetrable. This is a mistake; you should never say "unhackable" or "impenetrable." If you do that, you're just asking for trouble. So, they have to find a way to get into this facility. In this case, they're going to put a Raspberry Pi inside the facility to control the HVAC system. One of the beauties of Mr. Robot is that they do a lot of SCADA hacking, like the prison hack, and this is a SCADA hack too, where they will go into the HVAC system and be able to turn the temperature up on one of the holding facilities so that it will make the tapes unusable.

This episode involves a lot of social engineering, and I'm going to repeat what I've said so many times on your show and in my classes: social engineering is really, really important. Anyone who ignores the importance of social engineering does so at their own peril because about 80% of all hacks have some social engineering aspect to them. There's always a technical aspect, but most of the time, there's also a social engineering aspect. This episode, episode five, has a lot of social engineering.

The first portion of the social engineering is that they have to somehow get inside the facility, which is well protected and claims to be impenetrable. In the previous episode, they hacked a car, which we've done here on your show. They drive this minivan up to upstate New York to get to the Evil Corp storage facilities, and they know that all the entry points are protected by card keys. To get in, you have to present a legitimate card key to get past the gate.

What they decide to do is find a coffee shop near the facility and look for people who have their card keys on lanyards around their necks from Steel Mountain. Once they've identified this, and this isn't explicitly stated in the show but is actually happening, they end up in a coffee shop. It then becomes a social engineering effort to get close enough to the card around the employee's neck to copy it. This technology has been around for about 10 to 12 years; it actually came out just before the show was presented. I think Bishop Fox was the company that first developed the cloning technology. Basically, it reads the data off the card, stores it in memory, and then you can clone the card to make an exact copy.

So that's what their strategy is here. Back when the show was made, the technology required that you get very close to the card—almost touch it. However, in recent years, several companies and security researchers have developed technology that allows you to clone or copy the card from up to two or three feet away. This is achieved by putting more powerful antennas in the devices. At the time the show was made, they had to find a way to actually get right next to the card, and that's where the social engineering aspect came in.

In this episode, Mr. Robot, not Elliot, but his father, played by Christian Slater, has to bump into an employee while going through the line. He basically has this device in a bag on his chest, and when he bumps into the employee, he grabs the information from the card. They then go back home, store the data from the card into the device he's holding, and later clone the card. They use that cloned card to get inside the facility, utilizing essentially his ID to gain access. After that, they have much more social engineering to do for those who have seen the show to be able to get inside the facility and find the tapes.

=> 00:12:38

Cloning RFID cards is easier than you think, especially with the right tools and a bit of social engineering.


For those interested, we previously created a video with OTW discussing the tapes and the Raspberry Pi piece, which I will link below; it was quite informative. Now, I have to ask a question that I find amusing: since I often get called a boomer, I want to clarify that this technology was created before the days of Flipper Zero. Could something similar be accomplished today using the Flipper Zero?

Yes, there are many different types of cards. In the show, they utilize a low-frequency card that lacks significant encryption. However, there are dozens of card types, and it's important to note that many modern cards have additional encryption and security measures. The Flipper Zero is not equipped to handle these more secure cards. In contrast, the Proxmark has capabilities that include approximately 1,900 default passwords that can be attempted to break into these cards, along with brute force password cracking.

For the more secure cards, cloning them isn't straightforward; you need to have the encrypted password on the card to clone or modify any information. The Proxmark possesses this capability. Additionally, just last week, a new paper was released indicating that researchers in France discovered a backdoor in the Mifare Classic, which is one of the most widely used encrypted cards. This means that cloning these cards no longer requires a password.

Our goal here is to replicate what was done in Mr. Robot, which is a relatively simple hack. We can capture the information from a card as depicted in the show and then proceed to clone it using the Proxmark, which has been a leading tool for RFID card hacking for some time.

Now, regarding the article you mentioned, could you elaborate on what actually happened?

Some researchers in France found backdoors in the most common cards, particularly the Mifare cards, which are developed by NXP Technologies, a subsidiary of Philips. These researchers reported significant vulnerabilities in contactless cards produced by Shanghai Fudan Microelectronics, which allows for instantaneous cloning of RFID cards used to open office doors and hotel rooms globally.

These FM11RF08 cards have a backdoor that the researchers discovered, making them vulnerable to cloning. This is particularly concerning as these cards are utilized in many secure facilities. The findings were released just last week, making this information quite recent. Notably, the events depicted in Mr. Robot occurred nearly ten years ago, where they executed some of the older attacks against these systems, which often involved low-frequency cards that are relatively easy to clone without needing to crack passwords or find backdoors.

Now, let's take a look at the Proxmark. I purchased mine for about $80, which gives you an idea of the cost. For those interested in using the Proxmark, it's essential to get the upgraded version that has 512k of memory. This is crucial because the new Iceman firmware requires about 350 megabytes of space. If you opt for an older model with only 256 megabytes, you won't be able to utilize the new firmware.

I have my Proxmark set up here on my desk. Setting it up can be a bit challenging due to various dependencies, but once configured, it works exceptionally well. I've organized it into a directory called Proxmark, and the command to use it is simply pm3. One of the advantages of the Iceman firmware is its comprehensive help screens, which include nested help options to guide users through the process.


=> 00:18:31

Cloning low-security RFID cards is easier than you think, and many still rely on default credentials that can be cracked in minutes.


The first step in being able to clone these cards is to place the card on top of the Proxmark, ensuring it is close enough to read. When it is positioned correctly, you should see some lights turn on. Next, we will perform a low frequency (LF) search to see if we can read the card. There it is! We have the basic information about this card. There are many things we can do with this information. We can also conduct a high frequency search, but upon trying that, it indicates that this is not a high frequency card; it is a low frequency card.

The device has detected that it is an EM410x card and has identified the chip set as t55xx, which is one of the older and least secure technologies used in these cards. Once we have this information, we can proceed with the LF HID read command. I will remove the tag from this card, and there it is—the unique tag ID. I will copy it and take another blank low frequency card.

Now, we want to use that tag ID. I will go ahead and enter the command LF HID clone followed by pasting the tag ID. It looks like it is preparing to clone. I will then run the HID reader to verify. It successfully cloned the card! Now, let's run the LF HID reader to verify again. Great job! We now have a card that is identical to the one identified in the coffee shop. This cloned card will enable access through the gate.

It is important to note that not all of these cards are this simple to clone. The one in the show is indeed easy to clone, but there are some that are much more challenging. Typically, the cards used in gates are low frequency cards that lack robust security features. These are the types of cards that researchers have found vulnerabilities in.

There are various types of Mifare cards available, and the security levels vary. Some cards have relatively low security, while more advanced ones utilize DES, triple DES, and even AES encryption. These cards contain a small chip and an antenna that can store credentials, providing some level of security.

One function of the Proxmark is that it can attempt to crack the credentials by using default settings. Surprisingly, many of these cards still have default credentials, which is a common oversight in the cybersecurity world. If default credentials are present, it only takes a few minutes to crack them. If they are not, it may take hours to perform a brute force attack.

The passwords are typically just two bytes long and numeric, making it relatively quick to try all possibilities. If you know the back door, you may not even need the password to clone these cards. In some institutions, these cards are used for various purposes, such as bus tokens in cities or student identification in schools and cafeterias. Once you can break the encryption on these cards, the possibilities for misuse are significant.

=> 00:24:48

The rise of IoT devices brings incredible convenience, but their weak security can turn them into powerful tools for cyber attacks.

In the realm of IoT hacking, one of the least understood areas involves the vulnerabilities associated with two-byte numeric passwords. These passwords can be compromised through a Brute Force attack, which, while it may take some time—sometimes hours—can be executed relatively quickly due to the limited number of possibilities. Once the encryption is broken, not only can the cards be cloned, but the amounts stored on them can also be altered. This is particularly concerning as these cards are utilized in various institutions, such as bus tokens in cities or cafeteria cards in schools and universities.

Recognizing the importance of this topic, we have organized an IoT hacking class scheduled for October. This class will cover various technologies, including RFID, NFC, Bluetooth, and BLE, which are commonly used in IoT devices.

In a related incident, I recently heard about some hotels at DEFCON conducting forced inspections of rooms, confiscating tools. Although I wasn't present, I understand that the hotels felt uncomfortable with the presence of numerous hackers and took measures to inspect rooms for Wi-Fi hacking and other tools. This action may deter many security researchers and hackers from returning to those hotels in the future. The hotels' concerns are understandable, especially considering that they had previously suffered from ransomware attacks that cost them millions of dollars. However, conducting inspections without permission may not be the most effective way to address their fears.

As IoT devices continue to proliferate at an exponential rate, many of them are connected through various wireless technologies, such as RFID, NFC, and Bluetooth. Unfortunately, these technologies often have relatively weak security. My primary concern is that these devices could be hacked and subsequently become part of botnets. Such botnets can be directed against companies or even countries, leading to significant disruptions.

For instance, if a million IoT devices were to send packets to a specific web server, the attackers could demand a ransom to halt the DDoS attack. I recall a similar incident at Hackers Arise, where attackers threatened to take down our website unless we paid them. Although we managed to block their attack, it was a reminder of how vulnerable we can be. If the attackers had utilized millions of devices in a more sophisticated manner, the outcome could have been drastically different.

Many of these IoT devices run on a tiny Linux kernel, which can be exploited to send packets globally. The Mirai botnet, which emerged around 2018, is a prime example of this vulnerability, as it utilized millions of IoT devices with default passwords to launch attacks against various companies. I have been warning our students and clients about the potential for similar attacks in the future, emphasizing the importance of being prepared.

DDoS attacks have proven particularly effective in cyber warfare, where one country may target another to disrupt communications during conflicts. The potential for IoT devices to generate unprecedented DDoS attacks is a growing concern. Additionally, devices like RFID cards, which secure access to various facilities, are also susceptible to cloning. As we see in shows like Mr. Robot, older RFID systems are relatively easy to clone, while newer systems with cryptographic security can still be compromised, as highlighted in recent articles.

In conclusion, the vulnerabilities associated with IoT devices and their potential for exploitation in DDoS attacks and unauthorized access are critical issues that require ongoing attention and education.

=> 00:31:15

You don't need all the gadgets to start your journey in cybersecurity; just grab a laptop and begin learning.

Cyber warfare tactics have been very effective, especially in scenarios where a country will DDoS another country as they invade, effectively cutting off communications. If you can DDoS a country, you disrupt communication between military branches and the government. This has happened multiple times. IoT devices can generate incredible DDoS attacks that are larger than we've ever seen before. Moreover, these devices, such as the RFID devices we are discussing, are often used to secure various facilities. They are utilized for access control to secure locations, schools, and businesses. In the case of Mr. Robot, these devices were used to gain access to Steel Mountain.

The older RFID devices are relatively simple to clone, while more modern ones incorporate some cryptographic security, which can also be broken. An article in Security Week highlights that some of the most widely used technologies, like the Mifare Classic, have backdoors built into them. This makes it easy to change data on the card, such as identity, facility access, and dollar amounts, once the password is obtained. If an attacker has access to a backdoor on these cards, they can clone the card and input any data they desire.

When it comes to choosing between a Flipper Zero and a Proxmark, I have both devices. The Proxmark offers a lot of capabilities for RFID hacking that the Flipper Zero does not. I want to express my gratitude to the developers of the Flipper Zero for raising awareness about all the radio hacks and signals that can be exploited. This area of cybersecurity has been underappreciated, and the introduction of the Flipper Zero has opened the eyes of many to its possibilities. However, I believe the Flipper Zero is a limited device. If you are serious about RFID hacking, the Proxmark3 is the device of choice.

The Flipper Zero has indeed raised awareness and sparked interest in cybersecurity among a new generation. It shows the potential of what can be done, but I want to emphasize to many viewers that starting in cybersecurity does not require purchasing all the devices. You can start simply with your laptop and utilize tools like Kali Linux or other cybersecurity Linux distributions. You do not need to buy every gadget available. Many people have expressed concerns about affording all the necessary devices to become a cybersecurity hacker, but I assure you, you don't need all the gadgets.

Start small and simple, and you will eventually figure out which gadgets you actually need. There are many gadgets out there, and many serve the same purpose. In a previous video, I mentioned that you don’t need the latest and greatest laptop to get started. In hacking, 80% of success comes from the human being behind the screen, while only about 20% is dependent on the computer itself. Computer speed is not crucial; what matters more is your skill level and the tools you use. Even if you can only afford a 10-year-old laptop, that is sufficient to begin your journey.

Some people mistakenly believe that hacking requires a supercomputer, similar to gaming. However, a gaming computer is very different from a hacking computer. You do not need a super graphics card to hack, although it can be useful for password cracking. There are alternative methods for cracking passwords that do not require a GPU. Therefore, I want to reiterate: get started. Don’t worry about the machine; just ensure you have one and begin studying. David's channel is a great resource for learning.

Regarding books, I often receive inquiries about recommendations. One book I highly recommend is Occupy the Web. We will be using segments of this book in our IoT hacking class. It is written by experts in the field and published by No Starch Press, which is known for producing excellent materials. I found Occupy the Web to be great, although it delves into many details. There is a specific section on radio hacking, which includes RFID, and it also covers Bluetooth and Bluetooth Low Energy. These topics will be included in our upcoming IoT hacking class. The book also discusses WiFi hacking and the IoT threat landscape, providing insight into what types of threats to be concerned about.

I highly recommend investing in this book. You can almost always guarantee that a No Starch Press book will be excellent. I have a personal connection with No Starch, as I have published works with them, but even before that, I had many of their books on my shelf because they are outstanding.

I want to clarify that while No Starch has sent me some books for review, I have purchased many myself. I am not compensated for reviewing their books; I simply receive them for free. However, I agree that many No Starch books are excellent, written by industry experts. You can't go wrong with their publications.

Cybersecurity is a vast field, which is why I enjoy interviewing different guests who focus on various aspects, including IoT. There are countless areas to explore, and I encourage anyone starting in this field to find what interests them. You don’t need all the gadgets to get started. Many people think they need a Raspberry Pi, a Pineapple, a Flipper Zero, or a HackRF, but that is not the case. Begin with a laptop and familiarize yourself with Linux and the tools available in distributions like Kali. Understand networking and the basics before considering additional gadgets.

In conclusion, I appreciate the opportunity to share these insights, and I encourage everyone to just get started. Always a pleasure to be on your show!