Spoofing: RFID and SMS

Spoofing, in Simple Terms

First, let's start with a definition - What is Spoofing? According to ForcePoint, "Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. Spoofing can apply to emails, phone calls, and websites, or can be more technical, such as a computer spoofing an IP address, Address Resolution Protocol (ARP), or Domain Name System (DNS) server." With that out of the way, let's get down to business.

RFID Spoofing:

The RFID chip is neither a new nor rare technology. RFID chips are used all over the world whether or not people are aware of them, and they have been proven many times to be thoroughly exploitable as security systems.You may know of them in reference to the retail space. A term growing in popularity in retail is “RFID protection” - usually meaning that the specific wallet, backpack, or other items, protects against RFID scanners that can steal your information.The simplest example of an RFID chip would be a room key for a door lock. You can find RFID door lock systems in banks, hotels, universities, corporate offices, government buildings, train stations, and anywhere an electronic key card is used to grant physical access. RFID spoofing is a technique that allows an attacker to convince an RFID system that it is reading a known or verified card. Keep in mind that this is similar to picking a lock, practicing RFID spoofing on unauthorized systems can be dangerous and illegal. The attack is twofold, requiring RFID scanning to gather input data for RFID spoofing.First, the RFID scanner reads an RFID card. This card can come from any source, and the information can be stored indefinitely and shared through other mediums once it has been scanned. For this example, let’s say an infiltrator is trying to gain access to a secured gold vault. Scanning the security team’s key cards might reveal a number of results. RFID exploits and defenses have been constantly evolving, so the RFID information can only be read if the scanner is compatible with the card’s version of RFID. Some versions include encryption and other defenses for increased security. Let’s say our infiltrator returns the key card after using the RFID scanner to successfully make a copy of its identifying data.The RFID spoofer can then be loaded with the information gathered from the key card. Some devices are capable of scanning and spoofing RFID, but these parts can be done on separate devices. The RFID spoofer is held to the card reader and the pre-programmed RFID data is transmitted to the reader. The reader confirms this data with a list of approved cards and unlocks the door. If everything works smoothly, the exchange will show up in the system’s database as a normal, approved action. Some RFID spoofers are capable of generating a “master key” from any discarded key, and this allows the attacker to unlock any RFID reader in the entire system. Newer security systems may require more planning and effort if they have not been cracked before, but many older systems are still vulnerable to tried-and-true RFID exploits.

SMS Spoofing:

There is nothing new about assuming a false identity in order to gather information and access. What will change over time are the techniques and technologies for communication that make these attacks possible. One nearly ubiquitous method of communicating is SMS. Texting is a very clear and casual way of communicating, but this can be more of vulnerability than a convenience. SMS spoofing allows an attacker to send a text message to a target under the assumed identity of any phone number.BackTrack and some versions of Kali Linux come equipped with an SMS Spoofing Attack Vector tool in the Social-Engineer Toolkit (SET). This command line tool is rather straightforward and allows you to send a text message to a target under the assumed identity of whatever phone number you enter. These tools come pre-installed on systems that may be considered outdated, so it is best to explore all options before choosing the correct method.Many online services offer another method for SMS spoofing. These services are typically paid, and as a web application, they are less secure and robust than a built-in command line program. However, these services are more accessible and already see a lot of traffic each day. Regardless of the service, users should carefully consider where they choose to enter phone numbers into online forms. A cursory search on any major search engine for “SMS Spoofing” or “Send SMS Spoof Message” will reveal many online SMS spoofing services.Lastly, the most advanced and secure method for SMS spoofing must utilize an API for SMS messaging. This may require the purchase and use of an SMS gateway to handle cellular traffic from a built-in web application. This technique allows the user to spoof their phone number as well as manage communications with a large number of targets. This method has great potential for gathering information and gaining secure access to restricted areas. A target can receive directions and information from any possible assumed identity for the purpose of social engineering and intelligence gathering.These methods will grow and evolve over time, but the main idea remains largely unchanged. The main practice is to send a written message to a target under the assumed identity of another. This may be a letter, a phone call, an SMS message, or even Bluetooth communications. As with many other aspects of cybersecurity, the most reliable and powerful approach requires the most skill and preparation.TLDR:There's nothing new here. Spoofing can be done - and is most prevalent - in communication mechanisms that lack a high level of security. Even the most experienced people in cyber can fall victim to this attack, but here are some easy steps you can take to protect yourself from a spoofing attack:

• Examine a communication method (email, text, transaction, etc.) to determine legitimacy.
• Don’t click unfamiliar links or unfamiliar/unexpected attachments.
• Don’t take phone calls at face value, and take caution of the information the caller is requesting.
• If you think your device or system may be infected, contact your system administrator immediately. Don't let the infection spread!