The Dangers of Skimmers and Safes in Hotel Rooms

Posted on June 06, 2016 by Dale "Woody" Wooden

This is part two of my series on hotel safety for protecting intellectual property and personal information. We will be starting where my past article “Executive Hotel Rooms Are A Hackers Treasure Chest” ended.

You’re in your room and ready for bed. You put your wallet or purse on the nightstand and settle down for sleep. That is where the fun begins.

You have heard about RF skimmers—the product evil hackers use to skim or steal the information from your building access cards, credit cards, passports, transportation card, etc. I recently created several of these using an online recipe that was cheap and easy.

We’re not going to talk about devices that can scan your cards and fobs while you’re on the move. Let’s just look at that nightstand you trusted.

My first step as an adversary was again to rent the room typically rented by high rollers and executives. Then I simply installed a skimmer under the nightstand, above the top drawer. When you put your wallet or handbag there, it’s just one or two inches from the skimmer. That has been more than sufficient distance for all the skimmers I’ve made to start pulling the data. Another method hackers use is to put a skimmer in the false bottom of your hotel safe.

It’s not just the possibility that your credit card information is being stolen. Your building access card can be cloned, and really any card or fobs that use RFID can be manipulated. (I can see the rolling of eyes and shaking of heads. Yes, this is real.)

Many of you are laughing right now because you have a badge holder or RFID blocking wallet or sleeve. These are effective against standard skimmers. Please note, the publically available method I used to build a skimmer has defeated all of the devices I tested against it at 125 to-135 kHz range. I even doubled many of these RFID blocking sleeves and cases, and they were of no value.

These cards are very vulnerable to attack. They are typically used in identification and building access badges. This surprised me. I was expecting to show how using this RFID blocking equipment would help against the nightstand skimmers. This led me to think, “Okay, let’s go bigger.”

I stopped trying after two faraday bags and a RFID blocking sleeve didn’t stop the skimmer from pulling information. It is important to note that when using a sleeve, the range dropped dramatically from three feet to six to 12 inches at 125-135 kHz. The skimmer I have for 13.53-13.56 MHz is not a long-range skimmer, and reads those cards at approximately three to six inches. Faraday bags did not stop these from being read, but RFID blocking sleeves were effective. This again is not a high-power skimmer for that frequency. Your credit cards and passports are typically at 13.53-13.56 MHz range. I’ll be moving up to a higher power reader in this frequency in future testing. You can see more video from the tests at the end of this post.

What is the danger?

Let’s discuss the identification and building access badges. The fact that your company’s credentials can be copied and cloned should raise concerns. We did not find any devices that properly blocked the 125-135 kHz cards. I included some of the products that were given to me as a military member, and they too failed.

That means that the government, military, corporation and research labs using these RFID cards are vulnerable. I did find a few fixes using hacks such as tin foil. The problem? It took four layers tightly folded all the way around the card. That is not very practical. It was not 100 percent effective either.

The range of this skimmer was up to three feet without any type of protection. I know what you’re thinking, but I’ll take the Pepsi challenge against everything I presented in this article. For my next article, I would like to test against a larger group of products. Any company who would like to participate in this study please feel free to reach out to me to have your product included. (NOTE: I will give actual results and no sponsorship or favoritism will be permitted. Only submit if you’re willing to have your products actually tested and results revealed.)

Until we find a solution for this, how can you protect yourself?

I recommend that you leave your purse or wallet on your luggage away from the nightstand or hotel safe. Remember that a hacker will be limited in how many devices they can or would install in a room. This means, if you don’t put your skimmable products close to these popular locations, you’re much safer.

In our next article, I hope to give more guidance. I did not realize how few devices actually work at this frequency. Another interesting note: the skimmer can read the newer RFID hotel keys. All data skimmed can easily be sent back to the culprit using the hotels Wi-Fi as a backbone.

Now let’s talk more about hotel “safes.” That’s such a funny term. The premise of a safe is to be a place that has limited access to only the people who need it. Who has access to the hotel safe? First and foremost, the hotel has a master code. This means others have access to the safe. Past employees may also have access. Second, safe brands can usually be googled. Next time you’re in a hotel try to google the safe in your room and see if any of the sites on-line are correct.

Try this: “name of the safe in quotes” mastercode filetype:pdf. There have been occasions in overseas travel where the hotel safe actually had a door that could be accessed from the room next door. This is not always the case, but there are a wide variety of readers. Please do not trust that a safe in a hotel gives anymore protection than the refrigerator in the room. (Actually, that would give you better RF protection than the nightstand and protect from low-grade fire.)

We need to protect the RFID cards and fobs we carry. RFID blocking sleeves are decent protection at the 13.56 MHz frequency and decrease the range of attack at the 125-135 KHz range. The safe in a hotel room is really just there to make you feel a little better about leaving your valuables behind. A trained operative can get through the average hotel room door in less than 15 seconds. This is not due to a lack of effort by the hotels. Doors have to be built certain ways to allow injured or disabled people the ability to exit the room.

Hotels are continuing to make improvements against these attacks, but so are the bad guys.

I again ask anyone who wants a product tested to reach out to me. Please feel free to contact me at info@weatheredsecurity.com if you have any questions about this article or want to be included in my tests for the next article.

I would like to thank several groups for the assistances I needed to prepare this article. They have written amazing articles on-line and are the people I’ve looked at to learn and make the toys I played with. Some I have learned from personally others just through their research. If you don’t like this article, please don’t hold them responsible:

Bishopfox.com (great articles and practical online presentations about RFID and how it works)
Michael Ossman (his online presentations on software defined radios is a gift to anyone trying to learn about RF of any kind.)
Craig Hefner (This guys has taught me more than I can say about reverse engineering and discovering flaws in a system.)
Tim Kuester (The most patient instructor for teaching all things RF I could ever want.)
Adam Laurie (The face of RFIDIOt)

Contributors

Dale "Woody" Wooden

, Weathered Security

Business Perspectives

mobile security security awareness

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.