Frequently Asked Questions (FAQs)
Is the Boscloner Open-Source?
Yes, the every single element of the Boscloner is completely open-source! As a security tool aimed at penetration testers and security researchers, it is encouraged for the code to be reviewed, forked, and otherwise modified for your specific use case.
If I could make a Boscloner myself, why would I pay for the premium kit?
Great point! While you could build a Boscloner unit yourself, there are many reasons people consider purchasing a pre-assembled Premium Kit:
Sourcing the necessary parts online and assembling the unit yourself can take a good bit of time -- time you might not have if you are gearing up for an assessment. Brand-new and pre-assembled Boscloner units typically ship out from our facility within two business days, allowing you to receive the gear you need before an assessment.
If you intend to build everything from scratch, it will take prior experience with PCBs, soldering, flashing firmware; which quite frankly, it isn't for the faint of heart. This can be a barrier for some who do not possess the required skillset to perform these tasks with confidence.
Liability + Risk:
Building your own unit comes with its own set of risks. For example, if you purchase defective parts from a 3rd party, make a mistake, or damage a part while assembling it yourself, you are wholly responsible for any and all blunders/mistakes.
What is the reading distance of the Boscloner?
The Boscloner uses an off-the-shelf HID MaxiProx 5375 for its long-range reading operations. HID Global's official spec sheet for the MaxiProx 5375 claims a reading distance of up to 3ft. While it is certainly capable of reaching distances of 3ft, many environmental factors can cause the MaxiProx 5375 to read at distances much less than 3ft. The average distance that can be expected in standard day-to-day situations is roughly about 1.5ft-2ft, but can even be less than that in less-than-ideal conditions. Any limitations on reading distance are inherent to HID's MaxiProx 5375 and the RFID technology in general. The Boscloner's claims up reading distances "up to 3ft" come directly from HID's MaxiProx 5375 spec sheet:
I bought a Boscloner, but the reading distance is only a few inches tops. How do I resolve the issues?
Unfortunately, RFID can be a flaky technology at times and is highly susceptible to interference caused by countless environmental factors. Please be advised, that any issues with reading distance are caused by technical limitations inherent with RFID technology and are not unique to the Boscloner, as the Boscloner utilizes HID's MaxiProx 5375 off-the-shelf reader.
With that said, there are a few recommended troubleshooting steps you can perform to try to get the best performance out of your MaxiProx 5375 reader in your current environment:
- Reboot the MaxiProx 5375 by removing the power from the unit, waiting 10 seconds, and reconnecting the power.
- Ensure the MaxiProx 5375 reader is not near any other sources of power other than the included battery.
- Ensure the MaxiProx 5375 reader is far away from metal and all other RFID cards when first booted.
- Please consider only using the laptop messenger bag that is included with your Boscloner purchase. Some bags might contain metal zippers or use a material that causes static to build up, which may limit the effective reading range of the MaxiProx 5375.
- When the MaxiProx 5375 first boots up, it auto-tunes itself to the environment that it is currently residing in. Therefore, if one were to have the MaxiProx 5375 laid out on a bed in their hotel room and powered on the unit, then placed the unit inside of the messenger bag, took the elevator down 15 floors to the street level, then walked 6 blocks to the client site...the MaxiProx 5375 reader is no longer optimized for your new environment. It is always recommended to power on the MaxiProx 5375 unit in the exact environment you plan to use it in for maximum effectiveness and reading distance.
I can't seem to successfully clone/write a captured card to the included T5577 rewritable card. What gives?
Interference is the likely culprit in this situation. Due to the MaxiProx 5375's powerful reading antenna, this can cause interference when attempting to write/clone any badge ID to the included T5577 rewritable card.
Fortunately, there are many ways to remedy this common occurrence. You may attempt one or more of the following:
- Ensure the cable for the low-frequency writer is secure connected at both ends.
- Ensure the T5577 card is sitting as closely as possible to the center of the low-frequency writing antenna
- Restart the Boscloner Board + shield by removing and subsequently reenabling power to the unit.
- Keep the low-frequency write antenna as far away physically from the MaxiProx 5375 reader as possible.
- Power-off the MaxiProx 5375 reader, but leave the Boscloner Board + shield combo powered on. This will ensure that the MaxiProx 5375 is unable to cause any unwanted interference while attempting to perform writing operations.
- Use a Faraday cage to protect the low-frequency antenna and the T5577 card from the MaxiProx 5375's powerful reading antenna. There are a number of excellent products on the market, just look for products that specifically block 125kHz signals and are large enough to house the low-frequency antenna. You may also consider building your own Faraday cage using a cardboard box or paper cup and wrapping the outside of the custom-container in foil (don't let the low-frequency antenna come into direct contact with the foil). While very DIY, this method often yields the very best results.
Can you ship Boscloner products internationally (Outside of the USA)?
Yes! We are happy to ship the Boscloner internationally and have done so on numerous occasions. We have sent Boscloner units to Canada, New Zealand, Australia, France, the UK, and more!
That being said, there are a few things to keep in mind before placing your order:
- Please check your local laws to ensure that you are permitted to use the Boscloner inside your country, city, region, etc.
- Many countries charge a premium when it comes to import taxes and fees. The customer if fully responsible for these fees. We cannot accurately estimate the fees that will be accrued by receiving a Boscloner in your country. In some cases, we have seen import fees costing hundreds of dollars (USD) - adding to the overall cost of a Boscloner unit.
- Shipping costs can pricey when shipping internationally, please keep this in mind when ordering a Boscloner unit.
- The Boscloner power adapters and accessories were designed to work with power outlets in the United States; therefore, you may need to use power adapters/converters to get the Boscloner to work in your country.
Is the Boscloner patented?
No, the Boscloner uses open-source code and off-the-shelf parts; therefore, it does not require a patent. The Boscloner LLC, associated logos and image assets are protected, though. If you plan to use the Boscloner business name or any of the Boscloner's associated assets in marketing material, presentations, or otherwise, please reach out to us and seek formal permission. We'd love to be a part of your presentation and contribute!
Is the RFID and access control within my organization secure enough against attackers?
There are several very secure RFID technologies that exist today that are widely considered to be safe and are not vulnerable to the run-of-the-mill cloning attacks used by the Boscloner. However, most of the access control used throughout organizations today still utilize decades-old RFID technology that have had documented security issues. The Boscloner, for example, leverages the antiquated 125kHz, low-frequency and unencrypted RFID technology which provides the users of the technology absolutely no protections against trivially capturing and cloning the badges. In fact, the Boscloner uses HID's own MaxiProx 5375 long-range antenna to perform these attacks!
While this isn't an exhaustive list, if your organization uses any of the following RFID card types, you can safely assume that your RFID access control system is vulnerable to common attacks:
- 125kHz HID Prox (The Boscloner's current speciality)
- 125kHz EM4100
- 125kHz HID Indala
- HID iClass Legacy / Standard Security (The global authentication keys have been leaked online for several years)
- MIFARE Classic (Assuming one of the many default keys are utilized)
Even though there are no current mainstream tools to trivially capture and clone the other card types listed above, the Boscloner is on-schedule for some (free!) firmware updates that will enable the quick-and-easy capture of all of the above card types!
If newer and more secure technologies exist, why are so many organizations still using these outdated RFID types?
That's a great (and logical) question. While there are several factors at play, the three most significant reasons tend to be:
- Cost of upgrading equipment
- Lack of awareness of the seriousness of the vulnerability
- The company understands the vulnerability, but has ultimately decided this is an acceptable risk
Cost of upgrading equipment and acceptable risk:
Both of these points can be further summarized by discussing both at the same time, since they generally apply to one another. If an organization receives a quote that upgrading their access control system to a more secure alternative would yield a total cost of, let's say, $50,000...the organization must then choose if $50k would be better spent on upgrading their firewalls, hiring more security personnel, vulnerability management solutions, and beyond. After all, spending so much cash on a single attack vector that requires a malicious actor to be onsite at the organization is typically seen as much less of a risk and likelihood compared to the daily onslaught of hackers attempting to compromise their internet-facing assets.
Lack of awareness and the seriousness of the vulnerability:
Unfortunately, there tends to be a lack of awareness when it comes to the vulnerabilities facing these antiquated RFID technologies. There is a common belief that RFID technology is secure technology as-is or that the chances of a malicious actor capturing and cloning a badge is reserved for targeted attacks funded by foreign governments. Above all else, the Boscloner's primary mission is to increase security awareness across all organizations to truly understand the risks that they may face.
Does Boscloner LLC perform cybersecurity consulting services, penetration testing, or social engineering?
Through our exclusive partnership with Phillip Bosco (https://www.linkedin.com/in/phillip-bosco/), the creator of the Boscloner and the owner of the cybersecurity consulting firm Security Illusion (www.securityillusion.com), we are happy to offer services to help you identify vulnerabilities within your organization.
Services specifically regarding physical security and RFID access control:
- Perform an analysis of the card type(s) used at your organization (remotely or onsite)
- Create a personalized report, summary, executive presentation, etc. of your current access control security posture
- Provide various remediation and risk mitigation recommendations
Services and Penetration Testing Assessments Security Illusion Provides:
- Web Application Penetration Testing
- Mobile Application Assessment
- Social Engineering (Phishing, Vishing, Disguises, Fake IDs)
- Physical Security Assessments (Lock Picking, RFID Badge Cloning, Bypassing Barriers to Entry to Gain Access to Secure Areas)
- Wireless Network Assessments
- Internal and External Network Assessments
- Highly customizable security assessments to fit your organization's unique requirements
- Security Awareness Training courses designed specially for your organization's employees