A New Tool To Steal Credentials
RFID systems are a prevalent layer of defense, used extensively to restrict access to secure locations and sensitive information. Penetration testers, charged with the task of uncovering and exploiting security vulnerabilities, require tools to effectively assess these protections.
The go-to tools for cloning badges and stealing credentials are the usual suspects:
Flipper
iCopy
Proxmark
Chameleon
However, all of these devices require the tester to go find a target, ideally one who is either wearing their badge or, even better, has left their badge unattended somewhere.
The Stealth Wiegand Data Interpreter, offered by Physical Exploit, is designed to get the badges for you by making the target do most of the work, saving you from effectively stalking people.
This review delves into its functionality, user-friendliness, and a practical engagement story that highlights its effectiveness in the field.
Overview of the Stealth Data Interpreter
The Stealth Data Interpreter is a card reader inside an HID case that can read multiple card types. It operates just like any normal card reader, letting users badge in, but it has no wires and isn't connected to the access control system. Instead, it reads and stores the Wiegand data, which you can retrieve over its Wi-Fi whenever you like.
This captured data can then be cloned onto a new badge, allowing attackers to gain unauthorized access as though they were the legitimate badge holders.
The device has the capability to grab the Wiegand data from the following card types:
iCLASS SE
SEOS
iCLASS SR
Standard iCLASS
SE for MIFARE Classic
SE for MIFARE DESFire EV1
HID
AWID
EM4102
Prox
I was able to take the device apart and play with it, as well as bring it along on an engagement where I actually tested it out.
Pros and Cons
Pros:
Quick to Deploy
Easy to use
Completely non-destructive
No risk of tripping tamper alarms by disassembling readers
Multi-card reader
13-hour battery
When you want to grab some Wiegand data, the current standard method is to use an ESPKey. However, this requires you to remove the face plate of the reader, or otherwise get access to the wires, and install the device. If the reader is set up properly with tamper protection and someone is actually monitoring those alerts, this could get you and your team caught.
One thing to note is that if you do manage to install your ESPKey, it will strip the wires only minimally, though your client may disagree.
That said, I am still a huge fan of the ESPkey and highly recommend it for its utility.
Cons:
Only one model currently sold
Honestly, this is one of the very few cons I could think of after having used this tool in a real engagement. Basically, if your target building is using card readers that, say, look like this:
then this card reader will stand out. That said, there is nothing that prevents you from stripping the interior out of the Wiegand stealer and putting it into any card reader you like.
NOTES:
The 13-hour battery life is excellent for a single 9-volt battery, but keep in mind that this means once the device is deployed it has at most one day of use before the battery needs swapping out (or the reader swapped for another one, if you have several).
The device has persistent storage. In my case the device was retrieved after the battery had died, but once a new battery was put in, all the previously grabbed credentials were still saved.
If the card type isn't compatible with the reader, it will likely still grab the raw hex / binary data for you to analyze.
In the image below, each line is a captured credential. The two highlighted captures were not the correct bit length for the device, so the facility code and card number are blank, but the hex and binary data are still present.
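The blank facility code and card number on those two lines are exactly what you get when a decoder is handed a frame whose bit length it has no format for. The following Python is an added example, not the device's firmware or output, that reproduces that log behaviour for the one format assumed here (standard 26-bit H10301: one even parity bit, 8-bit facility code, 16-bit card number, one odd parity bit). The sample captures are constructed; the parity check is an addition beyond what the page describes, and the same decoding is what a defender does when auditing which credential formats their readers actually accept.

```python
# Added example (not the Stealth Data Interpreter's own code): interpret
# raw Wiegand captures the way the reader's log does. Bit length, hex and
# binary are always reported; facility code and card number are filled in
# only for a bit length we know how to decode (26-bit H10301 assumed here).

def _even_parity(bits: str) -> int:
    """Return 0 if the number of 1s is even, else 1."""
    return bits.count("1") % 2


def decode_h10301(bits: str):
    """Decode a 26-bit H10301 frame.

    Layout: bit 0  = even parity over bits 1..12
            bits 1..8  = facility code
            bits 9..24 = card number
            bit 25 = odd parity over bits 13..24
    Returns (facility_code, card_number), or None when the length is not
    26 or either parity bit fails.
    """
    if len(bits) != 26:
        return None
    if int(bits[0]) != _even_parity(bits[1:13]):
        return None
    if int(bits[25]) != 1 - _even_parity(bits[13:25]):
        return None
    return int(bits[1:9], 2), int(bits[9:25], 2)


def interpret_capture(bits: str) -> dict:
    """Mirror one log line: raw data always, FC/CN only when decodable."""
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("expected a non-empty string of 0/1 characters")
    # Pad hex to cover every bit so leading zero nibbles are not lost.
    hex_digits = (len(bits) + 3) // 4
    record = {
        "bit_length": len(bits),
        "binary": bits,
        "hex": format(int(bits, 2), "X").zfill(hex_digits),
        "facility_code": None,
        "card_number": None,
    }
    decoded = decode_h10301(bits)
    if decoded is not None:
        record["facility_code"], record["card_number"] = decoded
    return record


# Constructed sample captures (not from the page's screenshot):
#   1. valid 26-bit frame, facility code 18, card number 4321
#   2. 35-bit frame: unknown length, so only raw data is reported
#   3. the 26-bit frame with its leading parity bit flipped
SAMPLE_CAPTURES = [
    "10001001000010000111000011",
    "0" * 35,
    "00001001000010000111000011",
]

if __name__ == "__main__":
    for capture in SAMPLE_CAPTURES:
        print(interpret_capture(capture))
```

Running the block prints three records: the first carries facility code 18 and card number 4321, the other two keep their hex and binary but leave both fields empty, which is the picture the screenshot shows.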
Key Features and User Experience
The device's standout features include its real HID reader housing, easy deployment, and its capability to capture data across various RFID card types. According to the product's documentation, setting up the Stealth Data Interpreter involves a few simple steps:
Install the battery
Turn it on
Position it where you like
That's honestly it. OK, the docs are more thorough, but that's the high-level overview. You can connect to the device over its own Wi-Fi and see each captured card's translated Wiegand data.
Real-World Application: A Stealthy Deployment
Covert Access Team was recently asked to run a physical pentest on the headquarters of an organization with approximately 100 employees operating inside the building.
Initial reconnaissance revealed that the organization used a card reader system that closely resembled the stealth reader, a detail we hoped would go unnoticed by employees.
Leveraging the building's open-access policy for the first-floor lobby, our team was able to locate a prime spot during embedded reconnaissance to test out our new toy. During this phase, we identified a frequently used door that lacked any form of access control. Seizing this opportunity, we deployed the Stealth Data Interpreter at this location, positioning it to appear as if it were a newly installed security feature.
Later in the day, another team member revisited the site to monitor the device. Using its Wi-Fi capability, we quickly verified that several employees had been tricked into interacting with the device, assuming it to be a legitimate part of the building's security system, and had inadvertently handed over their credentials.
This deployment not only demonstrated the Stealth Data Interpreter's capability to blend seamlessly into the environment but also highlighted its effectiveness in capturing valuable credentials with minimal risk and effort.
Conclusion
The Stealth Data Interpreter is a very nice addition to a physical pentester's arsenal. The ability to deploy it fast and walk away is outstanding, and being able to do so without damaging the client's wiring or risking alarms by disassembling the existing card reader is a huge plus.
Note that you may need to modify the casing in some situations, but this should be a short and easy fix. Given the potential to easily steal credentials, this is something I would encourage pentesters to try out on an engagement.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypass techniques, social engineering and other essential skills.
Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Physical Audit Training - 2 days of intensive physical security training focused on enhancing facility defenses and bolstering security measures against attackers
Elicitation Toolbox Course - 2 day course that focuses on elicitation and social engineering as critical aspects of Black Teaming
Counter Elicitation Course - 2 day course that teaches how to identify and protect from elicitation tactics aimed at extracting confidential information.
Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private Instruction - Focused learning & training based on your needs.