Dan Gorbunov and John Dale Invent Winning Cybersecurity Device During HackUMass

Content

Undergrads Dan Gorbunov ‘26 of the Computer Science Department and John Dale ‘24 of the Electrical and Computer Engineering Department put together a winning entry in the 2022 UMass Amherst hackathon (or HackUMass) by creating a groundbreaking “man-in-the-middle” device called “RFID Thief.” The device performs groundbreaking security functions on widely used access-control systems, including sniffing, replay, and denial-of-service attacks. See video detailing the winning project.

As Gorbunov and Dale explain, “Cybersecurity in a world of the Internet of Things and embedded devices is very difficult. Our group took a venue of ethical hacking to expose some of the vulnerabilities that are apparent in the devices that surround us.”

HackUMass is a hackathon hosted by UMass Amherst in which participants come together for 36 hours to solve problems through innovative and creative software and hardware projects. Students work in teams to solve problems and attend educational workshops. This year, HackUMass had over 600 attendees, many of whom came from outside the UMass campus.

With their innovative device, Gorbunov and Dale revealed vulnerabilities in a widespread and heavily adopted RFID communication protocol that is used in more than 50 percent of global access control systems.

As Gorbunov and Dale explain, “We reverse-engineered Wiegand protocol using bit-banging. By creating a ‘middle-man’ adversary with malicious intent, we are able to demonstrate how, given a couple minutes with an RFID reader, a hacker can sniff RFID tags before being sent to a local server. This allows the hacker to save authenticated data from users and ‘replay’ it to gain remote access without having the correct RFID tag present.”

In order to further secure RFID readers with this vulnerability, Gorbunov and Dale utilized a two-factor authentication system by implementing a fingerprint reader.

“This reader is independent from the RFID reader and will send data into the Cloud to be analyzed with a RFID reading,” say Gorbunov and Dale. “The lack of physical connection between the fingerprint circuit and the RFID circuit allows for more security.”

According to Gorbunov and Dale, other features of their device include simulating denial of service on the RFID reader, enabling or disabling two-factor authentication modes, a full Graphical User Interface to display RFID ID's, and simulating replay attacks from the Cloud.

Gorbunov and Dale completely developed this device during the 36-hour hackathon and demonstrated attacking a model access control system. In addition to winning the hackathon, they were awarded a $500 grant from the Berthiaume Center for Entrepreneurship to develop the technology.

As Gorbunov and Dale conclude about the educational value of their creative adventure during the 36-hour hackathon, “We learned to use many different sensors, implement interrupts, view data with oscilloscopes, use libraries, and debug like crazy!” (November 2022)