【About】

You're riding the subway to work,About or taking a smoke break outside the office, or simply strolling down the street. Someone with a backpack is standing nearby, but you think nothing of it.

Thirty seconds later that very same someone has a cloned hard copy of your work ID badge, ready to stroll right into your office.

SEE ALSO: Meet the cyborg bringing biohacking to the people

This is not only possible, but "very simple" according to security researcher Dennis Maldonado. Maldonado, the founder of Houston Area Hackers Anonymous and an Adversarial Engineer at pen-testing company Lares Consulting, was speaking to a packed house of hackers at the 25th annual DEF CON in Las Vegas on Thursday.

"In seconds you steal someone's badge, have a complete copy, and you walk into the building."

And they were very receptive.

"I'm going to assume everyone here is legit — is a pen tester, not a black hat," Maldonado said to laughs as he showed off a custom system he built to remotely copy and clone RFID tags.

While you may not know what an RFID tag is, chances are you've used one. You may even have one in your pocket right now. Put simply, radio-frequency identification (RFID) is a means of using electromagnetic waves to track and identify specific tags. The tags are frequently embedded in company ID cards, and employees — especially in the tech industry — have become accustomed to tapping those cards against readers to unlock office doors.

Mashable Light Speed Want more out-of-this world tech, space and science stories? Sign up for Mashable's weekly Light Speed newsletter. By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy. Thanks for signing up!

They're digital keys, albeit keys that are extremely easy to copy — even from a distance.

Original image has been replaced. Credit: Mashable

Maldonado proceeded to demonstrate a rig that would allow an attacker to remotely scan a card, from a distance of approximately 2 feet, and then send that data to a cloning machine (up to 30 feet away) which would then automatically write the card.

He even made the setup user friendly, developing an Android app that syncs to a Pebble watch and notifies him via chime if his read on the target card was good. And, because standing two feet away from someone is a normal thing to do in elevators and subway cars, the victim would presumably never be the wiser.

"You don't have to go up to someone and touch their butt to get a card read," he noted — shortly before observing out loud that someone was trying to break into his network mid-talk (it's that kind of conference).

This Tweet is currently unavailable. It might be loading or has been removed.

The basic technology he used is readily available for purchase on eBay, and he told the crowd that he had already posted his code to GitHub. If you don't want to throw down the cash? Well, Maldonado pointed out that the remote RFID-scanning tech is all around us, like in parking garages, but he cautioned the hackers in attendance: "Don't go stealing those."

Which, well, that may have been the only part of his talk the crowd didn't seem too interested in hearing.

"In seconds you steal someone's badge, have a complete copy, and you walk into the building," he told those gathered. For the attendees of DEF CON, Maldonado's statement may have sounded like a challenge. For anyone who uses an RFID tag to badge into their office or home? They should take it as a warning.

---

Featured Video For You

---

Step inside the secretive class that turns people into hackers

---

Topics Cybersecurity

• Tech
• Life
• Science
• Social Good
• Entertainment
• Games
• Deals
• Shopping

• Best Apple deal: Save $19 on AirTag 4
• Poetry Rx: A Poem Not About Sex
• YouTuber accuses Casetify of stealing designs
• Staff Picks: Creek Boyz, Mechanical Chickens, and Trash Heaps by The Paris Review
• Shop the Google Pixel Pro 9 for $200 off at Amazon
• Five Summer Book Reports by Chia
• Why do 'Normal People' edits still dominate TikTok?
• Who Are You, Jack Whitten? by Jack Whitten
• Apple is actively looking at AI search for Safari
• On Stanley Kunitz and the Fine Arts Work Center by Geoffrey Hilsabeck

• $70 million Picasso painting 'accidentally damaged' before auction
• Facebook's 'People You May Know' feature is creepy as hell
• There's a 'Deadpool 2' Taylor Swift easter egg you definitely missed
• This 'Friends' theory about why Ross and Monica had to be related is sort of mind
• Yanny or Laurel? IT'S TEARING THE INTERNET APART.
• Harrison Ford crashed an interview with new Han Solo Alden Ehrenreich
• 'Whack
• 'Shaved Mario' is the most cursed image on the internet
• Mysterious blockchain
• Loads of delicious cookie dough spilled onto a North Carolina highway

• Best robot vacuum deal: Get the Roborock Q5 Max for 53% off at Amazon
• NYT's The Mini crossword answers for November 26
• Best early Cyber Monday AirPods deals: AirPods Pro at record
• 40 early Cyber Monday deals under $50 to shop in 2023
• NYT mini crossword answers for May 12, 2025
• The Melancholy of the Hedgehog
• 40 early Cyber Monday deals under $50 to shop in 2023
• How to Write a Feminist “Dead Girl” Story
• 'Mario Kart World' Nintendo Direct: 3 takeaways
• YouTuber accuses Casetify of stealing designs

• The Best Gaming Concept Art of 2016
• SmileDirectClub Australia: Everything you need to know
• 40 early Cyber Monday deals under $50 to shop in 2023
• Cyber Monday streaming deals on Hulu, Peacock, Max, and more
• Contingent No More
• BeReal introduces new features to draw users back to the platform
• Best early Cyber Monday laptop deals 2023 from Apple, Dell, so much more
• Grilling with Homer by Valerie Stivers
• WhatsApp launches 'Advanced Chat Privacy' to protect sensitive conversations
• How Like the Mind It Is by Ellen O’Connell Whittet