Cloning Wiegand Cards

I have, and perhaps many of you have, read articles on cloning Wiegand cards. My question is: does anyone know of any circumstance where the technology has actually been used to gain illegal entry? I would think an end user would discourage that from being made public. Thanks.


The circumstance would also be difficult to detect.

Unless rigid 'antipassback' provisions are in place, or lucky video/guard verification of credential holders caught them, someone might be able to use a cloned card completely undetected for quite a while.

I anecdotally heard a story from a nearby HOA-owned swimming pool that one of the paying patrons had cloned magstripe cards to let a bunch of (unpaying) kids get access.
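The anti-passback point above is the main log-side way a clone shows up: the legitimate holder and the copy both present the same credential, so the panel sees an "in" with no matching "out", or reads at two sites too close together in time. Here is an added example (not from the post's author or any vendor product) of that detection run over a constructed access log; the site names, travel times and event layout are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    card: str        # credential id as the panel logs it
    site: str        # door or site the reader belongs to
    direction: str   # "in" or "out"

# Constructed minimum plausible travel time between two sites (assumed values).
MIN_TRAVEL = {frozenset({"HQ", "Warehouse"}): timedelta(minutes=40)}

def detect_cloned_card_use(events):
    """Flag two patterns a clone produces: an 'in' read for a credential that is
    already inside (anti-passback violation) and reads at two sites closer in
    time than anyone could travel between them (impossible travel)."""
    alerts = []
    inside = {}      # (card, site) -> True while that credential is inside
    last_seen = {}   # card -> (timestamp, site) of the previous read
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.card, ev.site)
        if ev.direction == "in":
            if inside.get(key):
                alerts.append(("antipassback", ev.card, ev.site, ev.ts))
            inside[key] = True
        else:
            inside[key] = False
        if ev.card in last_seen:
            prev_ts, prev_site = last_seen[ev.card]
            need = MIN_TRAVEL.get(frozenset({prev_site, ev.site}))
            if need is not None and ev.ts - prev_ts < need:
                alerts.append(("impossible_travel", ev.card, ev.site, ev.ts))
        last_seen[ev.card] = (ev.ts, ev.site)
    return alerts

# Constructed sample log: card 0042 enters HQ twice with no exit, then appears at
# the Warehouse ten minutes later; card 0017 behaves normally.
T = datetime(2024, 1, 15, 8, 0)
SAMPLE_EVENTS = [
    Event(T, "0042", "HQ", "in"),
    Event(T + timedelta(minutes=5), "0042", "HQ", "in"),
    Event(T + timedelta(minutes=15), "0042", "Warehouse", "in"),
    Event(T + timedelta(minutes=20), "0017", "HQ", "in"),
    Event(T + timedelta(minutes=30), "0017", "HQ", "out"),
]

if __name__ == "__main__":
    for alert in detect_cloned_card_use(SAMPLE_EVENTS):
        print(alert)
```

Both rules depend on every reader reporting direction and on exits actually being badged, which is exactly why loose anti-passback lets a clone go unnoticed.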

We have moved to iClass readers for the most part. Most of the cloning technology, not all but most, requires access to the reader. In my thinking, a tamper on the reader is one significant way to slow this down, and an upsell.

Nobody does tamper on readers as far as I can tell, and therefore, while meaning no disrespect to the tamper wiring in an average HID reader, "tamper doesn't work" and therefore attacking the reader seems viable.

People (typically down to earth ex-Law Enforcement) walk up to me at conferences frequently and claim they've heard of cloning cases. I believe you can find online a record of attempts at presenting this at conferences, suppressed by HID legal.

This is why you should be using some DESFire-based card. Yeah, it's (pennies) more per badge.

Rodney,

HID has a reader version that has a tamper included. Other reader manufacturers also have tamper detection included in some readers (either as a physical tamper switch at the back of the reader or using an accelerometer (or other technology) to detect movement of the reader). I know of a manufacturer who actually sends an encrypted command between the door module and the reader every 30 seconds over the D0/D1 line to ensure the presence of the reader.

In addition, there are also some readers that communicate RS-485 with the door modules and will encrypt the communication between the reader and the door module and supervise the presence of the reader. Some are proprietary and some support the OSDP standard.

I always get nervous when someone claims DESFire is 'more secure' than HID formats. It is true, they are encrypted more strongly, but this is like claiming a lock is 'unpickable' simply because it has not been picked yet. I would guess it's just a matter of time before some graduate-level crypto students break the format and write a thesis about it. :(

Also, tamper switches are fairly common on access readers and controllers. They are optical or mechanical switches that detect when the device is knocked off the wall.
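To make the 30-second supervision idea above concrete, here is an added example (my own illustration, not any vendor's firmware or the post author's) of a controller that challenges the reader with a fresh nonce, expects a keyed MAC in reply, and flags the port when valid answers stop; the key, timings and status strings are assumptions.

```python
import hashlib
import hmac
import os

SUPERVISION_INTERVAL = 30.0   # seconds between challenges, as in the post above
SHARED_KEY = b"example-reader-key-constructed-for-illustration"  # constructed per-reader key

def reader_respond(key, challenge):
    """Genuine reader side: answer the controller's nonce with a keyed MAC."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class ReaderSupervisor:
    def __init__(self, key, now):
        self.key = key
        self.last_ok = now       # time of the last valid answer
        self.pending = None      # nonce awaiting an answer

    def send_challenge(self):
        self.pending = os.urandom(16)   # fresh nonce, so old answers cannot be replayed
        return self.pending

    def receive_response(self, response, now):
        expected = hmac.new(self.key, self.pending or b"", hashlib.sha256).digest()
        ok = self.pending is not None and hmac.compare_digest(response, expected)
        self.pending = None
        if ok:
            self.last_ok = now
        return ok

    def status(self, now):
        # 5.0 s of grace beyond the interval before the port is flagged
        return "ok" if now - self.last_ok <= SUPERVISION_INTERVAL + 5.0 else "READER_MISSING"

def run_rounds(reader_key, rounds=3):
    """Simulate challenge cycles; reader_key=None models a reader that was unplugged
    or swapped for one that lacks the key. Returns the supervisor status per round."""
    now, sup, statuses = 0.0, ReaderSupervisor(SHARED_KEY, 0.0), []
    for _ in range(rounds):
        now += SUPERVISION_INTERVAL
        challenge = sup.send_challenge()
        if reader_key is not None:
            sup.receive_response(reader_respond(reader_key, challenge), now)
        statuses.append(sup.status(now))
    return statuses

def replay_is_rejected():
    """A captured answer to an earlier nonce must not satisfy a later challenge."""
    sup = ReaderSupervisor(SHARED_KEY, 0.0)
    old_answer = reader_respond(SHARED_KEY, sup.send_challenge())
    sup.send_challenge()
    return not sup.receive_response(old_answer, 30.0)
```

The same challenge/response shape is what OSDP's secure channel provides in a standardized form; the point either way is that the panel can tell a missing or substituted reader apart from a quiet one.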

Brian,

I have to disagree with you on the Desfire/iClass "more secure" subject. Who knows what the future will hold but right now, today, iClass has been compromised and DESFire has not.

I would not claim that DESFire is uncrackable (I'm not a cryptographer), but the fact remains that iClass HAS already been compromised and that no one has ever cracked DESFire. These are facts: you can easily buy equipment that will allow you to produce iClass cards.

That's the scary part about a cracked protocol: a bad guy can produce a perfect copy of your card in his basement and present it to a reader, and the system will unlock the door, and it is YOU that will have entered the door according to the access control system. It is not like a copied key: with an access control card, it is your name that is associated with the event. Then try to prove that it was not you that stole the laptop/file/whatever...

This is true right now, today, with iClass. If you absolutely must deal with HID, then buy the HID DESFire readers and cards. At least they are secure.

When you say "nobody does tamper on readers" what do you mean? Do you mean it is not available or that just no one bothers?

The "nobody does tamper on readers" matches my experience. In actual practice, I have found that many installers rarely use tamper switches on card readers or anything else.

In our specs, we require that all tampers be used when available and that additional tampers be provided on all panels, enclosures, and junction boxes containing splices. When conducting final inspections of systems, we often find that this requirement has not been complied with, making this one of the top five items usually found on our punch lists.

While it is true that iClass appears to have been compromised, you still need access to the reader to do it. Tampering and monitoring the reader can prevent that part. I must be honest and say I don't know DESFire that well. We are an HID house. MIFARE was successfully and very publicly hacked in 2008; DESFire was hacked in a lab setting in 2011. They are tougher to crack given the architecture, but even NXP admits customers need to move to the EV1. They all recommend card + PIN as a second level of authentication. Customers don't want to hear that. Too much money.

The DESFire EV1 has not been cracked that I know of YET. But I am confident it will be. That company owns 77% of the worldwide transportation and vending market share, and those are real dollars. They are targets of hackers all the time.

Are we talking the new iClass SE or the older iClass?

I'd have to agree that I've never done tamper on readers. On Edge controllers it was included and sent a discrete signal when it was triggered, but I don't recall ever connecting separate wires for tamper between reader and panel.

Though if I recall correctly, don't some HID readers have an optical tamper which, if activated, stops the reader from working? Though I suppose that's hardly the same as notifying personnel that someone is tampering with the reader.