Behind Closed Doors: Bypassing RFID Readers
This presentation demonstrates various physical security bypass techniques for RFID-based access control systems, including under-door tools, card cloning, and Wiegand protocol interception. The speaker highlights the inherent insecurity of the Wiegand protocol due to its lack of encryption and demonstrates how to perform a downgrade attack by writing stolen credentials to insecure cards. The talk concludes with practical recommendations for securing physical access control, such as using OSDP with encryption and implementing proper tamper detection.
Physical Access Control Systems Are Still Broken
TLDR: Physical security remains the weakest link in many organizations, as demonstrated by the ease of bypassing RFID readers using simple tools like under-door bypasses and Wiegand protocol interception. By exploiting the lack of encryption in legacy Wiegand communication, attackers can perform downgrade attacks to clone secure credentials onto insecure cards. Security teams must transition to encrypted protocols like OSDP and implement robust tamper detection to mitigate these risks.
Physical security is often treated as a secondary concern compared to network or application security, but it remains the most direct path to total system compromise. If an attacker can walk into your server room, they do not need to worry about your firewall rules or your hardened kernel. The recent research presented at Black Hat Asia 2025 serves as a stark reminder that many organizations are still relying on fundamentally insecure, decades-old protocols to guard their most sensitive assets.
The Reality of Physical Bypass
Most physical access control systems rely on RFID readers that communicate with a controller. The vulnerability starts with the protocol used for this communication. The Wiegand protocol, which is still widely deployed, was never designed with security in mind. It transmits data in plaintext, meaning any device capable of tapping into the data lines can capture the card credentials as they are sent from the reader to the controller.
During the demonstration, the speaker showed how simple it is to gain access to these data lines. By removing the reader from the wall, an attacker can access the wiring. While some readers include tamper sensors, these are often poorly implemented or simply ignored by security teams who prioritize system uptime over physical hardening. Once the wires are exposed, a device like The Tick can be installed to sniff the traffic. This tool, along with others like ESPKey, allows an attacker to capture credentials and even replay them to open the door remotely.
The Downgrade Attack
The most concerning aspect of this research is the ability to perform a downgrade attack. Many modern systems use secure, encrypted cards like HID Seos, which are difficult to clone because the authentication data is encrypted. However, if a system is configured to support legacy credentials—such as older HID Prox cards—the security of the entire system is effectively reduced to the level of the weakest credential.
An attacker can capture the decrypted ID from a secure card reader and then write that same ID onto a cheap, insecure card. Because the system is configured to accept the legacy format, it will treat the cloned card as a valid credential. This bypasses the need to break the encryption on the secure card itself. It is a classic example of an Identification and Authentication Failure, where the system fails to properly validate the authenticity of the presented credential.
Real-World Engagement Strategy
For a penetration tester, these findings change the scope of a physical assessment. You are no longer just looking for unlocked doors or tailgating opportunities. You are looking for the specific hardware models in use. If you see a reader that supports multiple frequencies or legacy protocols, you have a high probability of success.
During an engagement, the process is straightforward:
- Identify the reader model and check if it supports legacy protocols.
- If the reader is accessible, use a tool like the Proxmark3 to test for card compatibility.
- If the system supports legacy cards, attempt to capture a valid credential.
- If you cannot clone the card directly, look for the controller. If the controller is in a public or semi-public area, you can intercept the Wiegand traffic directly.
The impact of a successful exploit is absolute. Once you have a working clone, you have the same physical access as an authorized employee. You can enter secure areas, access server racks, and potentially install persistent hardware implants that provide remote access to the internal network.
Hardening the Perimeter
Defending against these attacks requires a shift in how we view physical infrastructure. First, stop using Wiegand. Transition to the Open Supervised Device Protocol (OSDP), which supports AES encryption and provides a much more secure communication channel between the reader and the controller.
Second, ensure that your controllers are physically isolated. If an attacker can reach the controller, the encryption on the reader side becomes irrelevant. Third, enable secure mode on your OSDP-capable devices. Many systems support OSDP but are left in a legacy, unencrypted mode for compatibility reasons. Finally, treat your physical security logs with the same rigor as your server logs. If a reader is tampered with, it should trigger an immediate, high-priority alert in your security operations center.
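A worked example of the alerting this paragraph asks for, added here and not from the talk: it parses constructed access-control events, raises a P1 alert on a reader tamper event, and flags a credential that was issued on a secure Seos card but is presented in a legacy Prox format (the downgrade pattern described above), escalating the wording when the downgraded read follows a tamper on the same reader. The log format, the enrollment table and the 30-minute correlation window are assumptions, not any vendor's.

```python
"""Added detection example (not from the talk): parse constructed access-control
events, raise P1 alerts on reader tamper, and flag a credential that was issued
on a secure Seos card but is presented in a legacy Prox format (downgrade)."""
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <reader> <event> <format> <card_id>"
SAMPLE_LOG = """\
2025-04-03T08:01:12 R-LOBBY-1 ACCESS SEOS 0x1A2B3C
2025-04-03T08:03:40 R-LOBBY-1 TAMPER - -
2025-04-03T08:09:05 R-LOBBY-1 ACCESS PROX 0x1A2B3C
2025-04-03T08:11:30 R-DC-2 ACCESS SEOS 0x7F7F01
"""

# Constructed enrollment table: card_id -> format the credential was issued in.
ENROLLED = {"0x1A2B3C": "SEOS", "0x7F7F01": "SEOS"}

TAMPER_WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse_event(line):
    ts, reader, kind, fmt, card = line.split()
    return {"ts": datetime.fromisoformat(ts), "reader": reader,
            "kind": kind, "fmt": fmt, "card": card}


def analyze(log_text, enrolled=ENROLLED):
    """Return a list of alert dicts; every alert is traceable to one event."""
    alerts, last_tamper = [], {}  # reader -> time of most recent tamper
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["kind"] == "TAMPER":
            last_tamper[ev["reader"]] = ev["ts"]
            alerts.append({"priority": "P1", "reader": ev["reader"],
                           "reason": "tamper contact opened"})
        elif ev["kind"] == "ACCESS":
            issued = enrolled.get(ev["card"])
            if issued is None:
                alerts.append({"priority": "P2", "reader": ev["reader"],
                               "reason": f"unenrolled card {ev['card']}"})
            elif issued != ev["fmt"]:
                # Same ID, weaker format: the downgrade pattern described above.
                reason = f"card {ev['card']} issued as {issued}, presented as {ev['fmt']}"
                t = last_tamper.get(ev["reader"])
                if t is not None and ev["ts"] - t <= TAMPER_WINDOW:
                    reason += " shortly after tamper on same reader"
                alerts.append({"priority": "P1", "reader": ev["reader"],
                               "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["priority"], a["reader"], a["reason"])
```

The same check works against a real controller's event export once `parse_event` is adapted to its field layout; the enrollment lookup is what turns a "valid" legacy read into an alert.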
Physical security is not a "set it and forget it" deployment. It requires the same level of auditing and maintenance as your software stack. If you are still using legacy RFID readers, you are essentially leaving your front door unlocked. Start by auditing your current hardware and identifying where you are vulnerable to these simple, yet devastating, bypass techniques.