Hack Your Access Control With This $30 HID 125kHz Card Copier

By Brian Rhodes, Published Apr 13, 2021, 09:00am EDT (Research)

**** ****** ******* ******* **** ***** 125kHz ***** *** ** ****** ****** by ****** $** **** ******. ** ******** **** **** ** the ***** *****:

*** **** ********* ***** ***** ***** the ***** ** ******* ******:

** *** *****, ** ****** ******** 125 *** ******* *** ****** **** on ******** *******. ***** **** ***********, the **** ****** *** *** *********** or ****** ********* ****** ** *** of *** **+ ***** ** ******.

The *** ****

******, ** ****** ******* *******, ***** copies **** ********* ** ***** *****.

*** **** ********** *****, ***** **** card ****** *** ***************** **** *** HID ******* ********:


*** **** ** **** ************ ****** can ** **** *** **** ** gain ******, **** ** ******* **** or ****** ** ***** * *********.

Formats ******

*** ******** ****** ** **** ****: not *** **** ***** *** ******* are ** ****. **** ********** **** can ** **** ** **** ****** card *****, ********* ******* *** ****, ISOProx, *** **** ** *******, *** several ****** ******** **** ** ****** control **** ** ****** *** **** formats.

************, **** **** ****** **** *** 13.56MHz '*********' ******* **** ********* *** ******, ** *******/****** *********. *** ** *** ***** *********** between ***** ******* ** **.***** ******* are ********* *** *** **** **** hold **** ** ***** ******* ** the ********* ****** **** * ******** 'key' *****, *********, *** *********** **** transmit ** *** **** *** ** heavily ****** *** ********.

*******, **** ****** ******* *** ****** not ********* ** ***. **** ***** the ******* ** ******* **** ****** energizes *** ****, *** ****** *** information ** **********. **** ******* *** stored ** *** **** ******* ** the ****** **** ****, ** ********* card ******* *** ******** ***** *** easy ** **** **** **** ***.

Vulnerable *** *** ******

******* *** ***** ** ********* *** kHz ***** *** ****, **** *** commonly **** *** **** ********* ** many ********** *** ***-*****.

** *********** ****** ******* *********** ****, ***** ********** ***** ***** ******* 14% ** *** ******** *****:


******, ***** *********** ********** ** ******* are ***** **** ** **** ** thousands ** *******, **** ******** ** issued *********** *********** ***** ***.

Cheap & **** ** ***

*** ****** ** ****** *** ********* for $** *******. *******, *** ***** ** *** unit ****** *** ******** ****** *** to *** ************* ** ******* *** formats, *** ***** ** *** ** $10 *** ** ********* ** **** basic ****** ******* *****.

*** *** ** ********* *** ******* with ******* ***** **-******** ******* *** we **** ********* * *** ** 50 ***** *****, ** *** ******** cost *** **** ******* ** **** than $**.

*** ******** ****** ** ***** ******** are **** ***********, ******* *********, *** sold ** ******** ******* ***** ** ship *** **** *** **** ** questions ***** *** ******, ***** ** honest.

How ** *****

*** ****** **** ** **** *** cards ***** **** *** **** *** as ****** **** *******, **** *********** coil, ***** ******, ** ****, ******, and **** **** ********** ****** ** both:


***** *** ********* ********* ** *********** card *******, *** ****** ******* *** coil *** ******** ***** ********** ** the ****, ***** **** *********** ****** energy *** **** **** ** ** broadcast **** ******* **** ** *** copier. *** ***** ***** ***** * transparent ******* ** * ****, ********* all ***** **********:


*** ****** ******** * ***** ****** of ****** ** ***** ***** *******, and **** ****** **** ** * blank ****, ******* **** *********** ** a ****.

Near ******* ********

*** ********** ****** ** **** **** is ***** ** ** ****** **** be **** ***** ** *** ******* antenna ** ****, * ******** ** less **** *". **** ** ******** a ******* ** *********** ******* ******* bent ** ******** *** ******** **** details **** ** **** ***** ** accomplish **.

*******, *** **** ****** ** ***** the *********** ** **** - **** than * *******, *** ** ** conceivable **** ******* ***** **** **** details ****** *** ****** ******* ********* it, ********** ** ******* ****** ** people.

*** *** ****** **** ** **** device ** ********* ** ***** ***** functional ** ****** ********* - **** claiming * **** ***** ** **** and ***** ***** ***********-***-***** ****-***** *******:


***** ******-***** ******* *** **** **** expensive ($***+ **. $**), ********** ******, and ******* **** ***** **** * AA *********. *******, ******** *** ********** covertly ** * ******** ** ********* means **** ***** ******** ***** *** just ***** ** ****** **** ******.

Mitigating **** ****

** **** *** ** **** ** prevent **** *******? *** **** *************** step ** ** *********** ***** *** (or ***) *** *** *****, ****, and ******* *** ****** ** ********* and ****** **.** *** *******.

******** **** *** ***** *******, *** most ****** *** ******* *** ******* cost *** ****** ****** ****** ** the ********* *********** ** **** *** kHz ******* *** **** *****, ***** the ***** ********* *** *********** **** and **** ********** ****** ** ****** mounting * **.** *** ****** ***** existing ***** *** ***** ******** *** cards ** ***** ** ******.

*** **** *** ** *** ****, meaningful ******** ***********, *** *** ****** impact ** ** *** * *********** reader **** *** **** ******** **** frequencies *** *******, ***** ****** '*****-********' readers. **** ***** ***** *** *****-****:


*** **** *******, *** *********** ****** ****** ******* ********* *****.

[****: **** ****** *** ********** ********* in **** *** *** ******* *** a *** ***** *** ***** ** 2021.]

Comments (94)

I used this very device and "cloned" a card of the head of security of a large (1200 reader) end user during his visit to our HQ with his integrator... We got the green light on the smart card reader and credential upgrade on the spot. Must-have for any outside sales person that is interested in demonstrating the advantages of using secure readers and credentials.

Agree: 9 | Informative: 17 | Unhelpful: 1

Great test and I had to buy one! Has IPVM thought about cloning old iClass or MiFare 13.56 MHz cards in a test? I have heard that you can download apps on smart phones to do the hack/clone.

Informative: 1

In terms of 13.56 MHz types, I believe the 'go to' gear for commercial copying/cracking product is sold under the ProxMark name by an outfit named RyscCorp.

They've commercialized 'kits' described by several whitepapers usually based on an Arduino.  Overall, the methods and kits they use require some technical skill to use right, while the card copier in this post essentially requires none.

Informative: 2

Yes, I have seen these and even thought about building one but never had the time to. I was recently working on a project that used MiFare Classic 1k cards and found some videos of people using smart phone apps to brute force hack them. I believe they require a "jailbroken" Android phone which I do not have. Here is one example:

Informative: 4

Wow, that's interesting and scary too.

The phone is using the onboard NFC and an app to brute-force crack the card.

While that type of attack is bound to take a bunch of time and suck battery power down, someone could hide their complete hack toolbag in an Android phone! It would be extremely difficult to detect/mitigate that risk.

Informative: 2 | Unhelpful: 1

(Yes, this is the widget I used for the card cloning demo at ISC West 2017.)

Some people use ISO 14443 cards ("13.56" in trunkslammer parlance) BUT ONLY USE THE CARD SERIAL NUMBER. The CSN number is not safe. You can buy blank cards, you can clone the card serial number. Yes, you have to buy the 100 dollar sketch widget on Amazon instead of the 30 dollar widget. CSNs are not safe (well, no safer than prox.) You need to use DESFire or Mifare Plus or something that really uses encrypted data on the card (encrypted with something an outdated Android can't crack, like AES.) Or use PIV-like cards with full certificate-based crypto.

Agree: 1 | Informative: 3

Hello Rodney:

The CSN is one of the only parts not impacted by which part type (A or B) of ISO 14443 is adopted. Does that sound right?


I believe that is correct.  This gets into the subtleties of A vs. B in that one is essentially a floppy disk drive in a credit card (a memory device) and the other is an Apple II in a credit card (a computer running a protocol, with a secure key store.)


FYI, Thyssen uses CSN.


So sorry to hear that. In their elevators?  Are they in the market for a security audit?  Happy to bid on that.

Hacking the card reader in an elevator.  What Could Go Wrong?

Funny: 3

A static signal, encrypted or not, is a static signal. I can clone anything that is static if you give me enough opportunities. And I don't mean a few days. Just a few moments.


The 125 kHz hack seems to be getting easier and easier. I think you'll be generating a few orders for this device... for $30-40, it's worth having some fun with to show customers how easy it would be to clone a standard prox card.

Now, while the barn door is open, whatever happened after the magnetic exploit was exposed for thousands of Kaba Simplex pinpad locks a few years back?  


Now, while the barn door is open, whatever happened after the magnetic exploit was exposed for thousands of Kaba Simplex pinpad locks a few years back?

I looked up this subject and found much information, specifically from Marc Weber Tobias on his site, http://www.security.org/ . An interesting general article about him is at https://www.wired.com/2009/05/ff-keymaster/?currentPage=all.

As far as the question, Kaba came out with a fix. Tobias said it prevented an attack like the one to which the unfixed locks were vulnerable, but he didn't rule out a stronger or more-carefully-shaped magnetic field circumventing that fix.

As a side note, his book about cracking Medeco's high security locks is on Amazon.


Do you know if Kantech ioProx XSF is hackable using the same method?


We will purchase an ioProx XSF card and try it out. I'll report back here.


DO check out the antique crypto in the control panel while you're looking at Kantech. (Check out the marketing blurb they give you when you ask if Hattrix is safe; it touts a bunch of now-ancient crypto features in the Kantech panels.) So sad, they coulda used an Ultra.


So I bought one of these cloning devices and tested it on some Kantech ioProx XSF cards hoping it would give me an edge on an upcoming job bid. It doesn't work. It just flashes the read light every second or so. I'm not knowledgeable enough to know what makes it more secure than the other cards, but it appears that ioProx XSF can be cloned by online services, so maybe it's just a matter of finding a different cloning device?

Informative: 1

Our XSF test materials are still in transit, so I have not had the chance to examine this in detail yet, so this is good feedback.

In terms of cloning XSF, this particular $30 device may not be able to do it.

However, that does not mean that other devices cannot. For example, this particular unit (~$430) isn't limited by formats; it can parse the general frequency.

XSF Format can 'only' be used/understood by Kantech.  Kantech appears to use a non-standard bit format (that only XSF readers can read), at the expense of being proprietary for both readers and cards.  They also leverage software side 'decoding' that reorders the card data before associating it with a record on the database.  So even if the card can be read by a copier, the information might not be rewritten in a usable way - this is where more testing is needed.

In short, the effect of using this format protects it from hacks like this $30 reader, but at the expense of 'not playing nice' with the rest of the readers/card products on the market, which some customers may have a problem with.  Interesting strategy for Kantech, who can sell XSF's 'security' by its 'obscurity'.

Good feedback, Brian!  We look forward to checking into XSF ourselves.



I gather these various schemes are mostly different forms of radio being used to squawk an unencrypted value. "my badass radio tech uses four capacitors different than the other vendor" does not count as encryption even though some vendors act like it is. Note that there are reader vendors out there who can read all sorts of stuff - it's because they reconfigure their radios among the various combinations. I assume these duplicating houses have a bunch of readers and then some card generation gear.

Google "software defined radio" if you want to see why I have no respect for fancy radio waveform being a form of security.

Agree: 4

"my badass radio tech uses four capacitors different than the other vendor" does not count as encryption even though some vendors act like it is.

+1 agree

There is a big difference between being 'slightly weird' and being encrypted, but manufacturer marketing doesn't observe that.

I have come to be very skeptical/suspicious of words like 'encrypted' in physical access products. In many cases, it is just a non-standard implementation (like you mention), but it is not using cryptography at all.

I use a HackRF One, modified software toolkit, RPi with Linux and an additional toolkit. Pen-testing and generating revenue on the daily. Access control is merely a deterrent. If you have access to the data bus lines beyond the readers and there is no encryption end to end all the way back to the panel, you can glean information right off of the data bus lines and play it back. There are clip-on devices that can be used to do that with Wi-Fi and other tool kits. Many customers are even too cheap to pay for the door contacts (or integrators are too cheap or lazy to put them in) so they have no idea whether the doors actually open or not. If it's built into the strike or unlocking device it's better. If I want to keep it really simple, a decent pry bar goes a long way, or a good steel toe boot. The walls adjacent to many "secure" doors can be punched right through, unless brick, block or mesh screen are in play. Now if secure and unsecured sides both have drop ceiling and there's an RTE device available and you have a collapsible ladder in the backpack, in you go. Many commercial spaces are not fortified like military or other hardened facilities. None of the above really works in correctional facilities; they are a different beast altogether. Generally speaking, in the commercial world it's all a big facade.


You are right on the money with "Software Defined Radio".  Those systems are every hacker's dream!!!  Combine that with a $30 logic analyzer and a $5 Raspberry Pi Zero and the word "Security" takes on a new meaning.


I tried to copy an XSF card with this device and it would not read for our example copier either.

We may delve into XSF more deeply in a future post. However, like Brian H notes, there are several online services (like this one) that claim 99% copy success in duplicating those credentials. 

The shortcoming is likely just the $30 copier; more sophisticated scanners/copiers apparently work.

Agree: 1

From the above with this device it appears the only 125-kHz proximity cards proven to be clone-able make use of FSK digital modulation.  Would be interesting to test with 125-kHz proximity cards that make use of other digital modulation schemes, such as ASK and PSK.

Note I've observed a trend of rising sales of keypad proximity reader products.  Adding an additional security layer to the access process (i.e. PIN: What one knows) may indeed be a response to the threat of unauthorized credential duplication.

Additionally, judging from my experience at the recent ISC West, interest is growing for highly proprietary 13.56-MHz contactless smartcard technology, such as NXP's DESFire EV1 and Legic's advant-based cards.


Legic? Only seen it in a museum.

Some 13.56 is less proprietary than others. DESFire EV1/EV2 require vendor paperwork to have permission to learn how to encode them. Mifare, Mifare Plus (uses AES) are encodable with freely available information. PIV (NIST SP 800-73-4 to be precise) is completely open. And there are other formats...

Funny: 2

Ha!  Ok, in a museum, or Switzerland, Germany and Austria.

Funny: 1

Does having an RF shielded card holder guard against this exploit?  An example would be the Patriot TWIC/CAC card holder.  


When the card is inserted in the shield, the shield essentially reflects the energizing field emitted by this copier or by any reader.  The card remains unpowered, so the shield conceptually works.

Informative: 3

You can test the shield yourself by trying it against any card reader. I have a cheap shield that I tested. My bare access card slowly approaching a reader reads at about 4" on this particular reader. Inside my cheap shield, the card reads at 1" (same reader). The cheap shield helps, but is not perfect. This 25% attenuation should be consistent with a long range reader.

I like the looks of this Patriot shield... it looks much better than my cheap foil type.

Regards,
Josh Bensadon


My experience with some of the cheaper shields is that they do not do well with the 125kHz cards, but work better with the 13.56 MHz cards.


Mark...


...however these shields are made for 14443, not prox. Prox is different radio tech than 14443.

P.S. As a general matter, if your physical security geeks are trying to talk to you about radio tech, they're talking about unencrypted cardholder data from a clonable device. FSK, PSK, AWID, all that stuff is low level radio tech. If you're not sending ciphertext over your radio then you're probably insecure.

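The argument running through the CSN-only comment, the "a static signal is a static signal" comment and this one, as an added Python model that is not from the article, from any commenter, or from any reader or card vendor: a prox card that broadcasts a fixed ID, a 13.56 MHz reader that trusts only the card serial number, and a keyed card that answers a fresh challenge, each faced with a copier that plays back one recorded exchange. The card and reader classes, HMAC-SHA256 as the stand-in for a card's cipher, and the enrollment tables are all assumptions of the model.

```python
import hashlib
import hmac
import secrets

# Constructed models, not any vendor's protocol. Each card answers a reader's
# challenge; each reader decides what it trusts. HMAC-SHA256 stands in for a
# real card's cipher (an assumption of this model).

class StaticProxCard:
    """125 kHz style credential: the broadcast number is the whole secret."""
    def __init__(self, facility_code: int, card_number: int):
        self.facility_code = facility_code
        self.card_number = card_number

    def respond(self, challenge: bytes) -> tuple:
        return (self.facility_code, self.card_number)  # challenge is ignored

class ChallengeResponseCard:
    """Keyed credential: proves it holds a key without ever transmitting it."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key  # never leaves the card

    def respond(self, challenge: bytes) -> tuple:
        return (self.uid, hmac.new(self._key, challenge, hashlib.sha256).digest())

class ReplayedCard:
    """A recorded transcript played back verbatim, which is all a copier does."""
    def __init__(self, recorded_response: tuple):
        self.recorded_response = recorded_response

    def respond(self, challenge: bytes) -> tuple:
        return self.recorded_response

class ProxReader:
    """Grants access when the broadcast (facility code, card number) is enrolled."""
    def __init__(self, enrolled):
        self.enrolled = set(enrolled)

    def authenticate(self, card) -> bool:
        return card.respond(b"") in self.enrolled  # nothing to challenge with

class CsnOnlyReader:
    """13.56 MHz reader configured to trust the card serial number alone."""
    def __init__(self, enrolled_uids):
        self.enrolled = set(enrolled_uids)

    def authenticate(self, card) -> bool:
        uid, _ignored_tag = card.respond(secrets.token_bytes(16))
        return uid in self.enrolled

class ChallengeResponseReader:
    """Grants access only to a card that answers this transaction's challenge."""
    def __init__(self, keys: dict):
        self.keys = keys  # uid -> shared key, held by the access control system

    def authenticate(self, card) -> bool:
        challenge = secrets.token_bytes(16)  # fresh for every transaction
        uid, tag = card.respond(challenge)
        key = self.keys.get(uid)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)

def eavesdrop(card, challenge: bytes) -> tuple:
    """A copier held near a badge: energize the card, record what it answers."""
    return card.respond(challenge)

UID = b"\x04\x11\x22\x33"  # constructed serial number for the keyed card

def replay_against_prox() -> bool:
    """True: the replayed static ID is indistinguishable from the original."""
    reader = ProxReader(enrolled=[(123, 45678)])
    recording = eavesdrop(StaticProxCard(123, 45678), b"")
    return reader.authenticate(ReplayedCard(recording))

def replay_against_csn_only() -> bool:
    """True: a crypto-capable card is only as strong as what the reader checks."""
    key = secrets.token_bytes(16)
    reader = CsnOnlyReader(enrolled_uids=[UID])
    recording = eavesdrop(ChallengeResponseCard(UID, key), secrets.token_bytes(16))
    return reader.authenticate(ReplayedCard(recording))

def replay_against_challenge_response() -> bool:
    """False: the recording answers the copier's challenge, not the reader's."""
    key = secrets.token_bytes(16)
    reader = ChallengeResponseReader(keys={UID: key})
    recording = eavesdrop(ChallengeResponseCard(UID, key), secrets.token_bytes(16))
    return reader.authenticate(ReplayedCard(recording))

def genuine_against_challenge_response() -> bool:
    """True: the real card answers whatever fresh challenge the reader sends."""
    key = secrets.token_bytes(16)
    reader = ChallengeResponseReader(keys={UID: key})
    return reader.authenticate(ChallengeResponseCard(UID, key))
```

The modulation of the radio link never enters the model; what decides each outcome is whether the reader demands something the card must compute fresh with a key it never transmits.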

Brian,

May I send this to the president of a non-profit with which I am affiliated?

I know they use card/token access, but I don't know what kind.

Thanks,

Craig


Hello Craig:

Yes, that is fine.  Thank you for asking.

Informative: 1

I have the cloner bought from AliExpress and it can copy any cards (it doesn't matter whether 125 kHz or 13.56 MHz) except HID iClass SE/Seos cards and NXP DESFire cards.

It can copy any card, even if the card stores its card numbers in a certain block of a sector. The cloner can decode the encoded card numbers in the block and copy them.

So, if end users are using cards other than HID iClass SE/Seos cards and NXP DESFire cards, then you can show the demonstration and ask them to change the cards.

HID iClass SE/Seos cards and NXP DESFire cards have encrypted card data in the card only.

Agree: 1

Can you provide a link to the product?


Of course I can. AliExpress.com Link

Informative: 4

It looks to me like that device can only clone the UID of a 13.56 MHz card though?

So if the access control system is using something other than the UID of the 13.56 MHz card (a site code based card format perhaps), it's not going to grant access via the cloned card...

Or am I understanding the technology wrong?


Be careful, there are different versions of this copier that look 'exactly' the same but cannot read the 13.56 MHz signal even though they claim they can. I've tried five different variants; two of the five actually were able to perform as advertised.


Note: this is the most read access control technical post we have ever done. I am happy to see the interest.

Informative: 2

Nice to see you had the nerve to do the post. Keep up the good work.

Agree: 1

you had the nerve to do the post

Nerve? Do you see the posts IPVM publishes? It is not about nerve. We just did not think that there would be such interest. Happy to do more now. Rhodes just ordered another one of these devices to test.

Agree: 2 | Disagree: 1

Thank you for sharing this Brian! This was a real eye opener. 

Unhelpful: 1

Scary!! Food for thought when recommending a system!

Agree: 3

It's scarier when your customer figures it out first and asks you why you sold them prox. 

Agree: 11 | Funny: 3

This makes me wish there was a "majorly agree" button. Certainly is scary. One step forward selling them a system, two steps back when a hack is released.

Agree: 1

With a little research, these items sell for $8 USD on Alibaba. (I don't know why, but when I read Alibaba, I always think of the 40 thieves!)

https://www.alibaba.com/product-detail/ID-Card-Copy-Machine-ID-card_60397692772.html

You can find some on Amazon for $22-24 USD.

There are two models of the low cost unit. The other model is more expensive and it will copy HID ProxCard II, security block and all; this one is $20 USD.

The factory is just a 20 minute walk from me.


Would you consider opening this article to non-members? This is such an important topic, and one I've bashed my head against the metaphorical wall of cheap customers who don't care far too many times. It'd be nice to just send them this link and say "please at least read this".


#6, I've made the post body public.

Agree: 2

Much appreciated!

Agree: 1

Is it possible to blank out an enrolled card and re-write it using this device?


Yes, it is possible to over-write re-writable enrolled cards with copied information from this device. 

Edit: To be clear, this device only writes to re-writable cards, not those fixed at the factory.

Agree: 1

Is there a standard? Are cards generally manufactured as re-writable or fixed if not specified by the customer?


Cards are not typically re-writable. Re-writable cards are widely available and cheap, but the ones typically used in access are fixed and set at the factory with 'unique' details like factory codes and sequential numbers.

A sure way of knowing in your system is whether or not cards/fobs need to be programmed before they are issued. If not, they are not re-writable/blank cards to begin with.

Agree: 1

Some types of cards are rewritable if you have the keys. In the physical security world there is an outdated notion that nobody could generate the same card. This "set at the factory" deal is a scam used to lock you into a specific card vendor. The customer is supposed to be in charge of their own key material; it's not supposed to be held hostage by the card vendor.

Agree: 1 | Disagree: 1 | Informative: 1

Some of the copiers lock the rewritable cards after writing to them so that only that copier can rewrite to the card in the future.


This post is making a global impact.

Yesterday had an interesting chat with an international partner that involved this post.  We both pondered how many access credentials are sold today on the basis of convenience, as opposed to security?  And will the lessons learned in the shift from magnetic stripe to proximity to contactless smart card be reflected in the shift to mobile?

Also, we agreed this argument goes beyond integrators simply upgrading their end user customers to higher levels of security.  He mentioned that he promotes to his integrators that more secure contactless smart cards also allow them to deliver additional services to their end users, such as biometrics, cashless vending, cafeteria plans and time and attendance, allowing these integrators to grow their businesses with their existing customer base.

Agree: 2 | Informative: 2

You always read about and hear that proximity card technology has been hacked. To me, that really meant nothing. Who cares, right? Well, the HID rep came in with this very device and cloned one of our cards and used it on a reader. Well, the light bulb finally came on and that made sense. I bought one and 10 re-writable cards for less than $40. This is a game changer when talking to customers about why they need to get off of prox technology. I have disabled the beeper on mine, so if the client has a card hanging from a lanyard or retractable cord I read the card without them knowing, then clone a card, then read their door, and they are blown away. I really should invest in the more expensive iClass cloner as well.

Informative: 2

You mentioned that you read the card without them knowing then clone a card...

Forgive my ignorance here as I am still learning about access control. Are you able to determine the exact type of card based on visual inspection or do you have to ask which type it is? Then do you have to have stock of multiple different types of writeable cards in order to clone it or is there a one size fits all card?


I knew the card type beforehand. This was an existing customer I did this with. I wouldn't do that to a potential customer without them knowing, as it could make me look a little shady.

Agree: 1 | Informative: 1

Ah. I could see that being shady (for a potential new customer) without first announcing how easy it would be to clone a card.

Thanks!

Also, some of the more elegant copiers can scan through various card types and determine which type of card it is on their own, automatically, and then tell you what type of card it is. Some of the copiers can store the card credentials in memory indefinitely or until you erase them, and you can actually play them back from the copier as opposed to from a card, in the event you do not have the correct card with you at the time you perform your copy.

Informative: 1

So, in summary which type of card is not easily duplicated?


Of the standards-based cards, that would be Mifare Plus, DESFire, PIV.

Agree: 2

HID iClass SE has not been hacked or been able to be cloned yet due to the several layers of security.

Agree: 1

Awesome article. Been wanting to research which cloner to buy to demo the lack of security of these cards. This saved me a ton of time and money. Didn't imagine the cloners were this cheap! 

Informative: 1

As a help to me and others with limited knowledge in this area: could there be an IPVM table with access technology, whether it's secure or insecure based on what we know now, and how it's compromised (Chinese cloners, smartphones, etc.)? :)


We've got a second round of 'copier' tests upcoming that will focus on 13.56 MHz types, but in general, unless you're using DESFire EV2 or iClass SE Rev 2, exploits are easy to find. Most use phones or Arduino-based apparatus, not copier devices like this handheld.

I have not found a source claiming to have cracked DESFire EV2 or iClass SE. (EV1 is getting close to being an app-based, brute-force copied format, but not quite yet. There are also claims from unrelated groups that SE has been broken, but the 'proof' hasn't been shared yet.) If anyone knows/has seen these I am interested to learn more.

But make no mistake, it will happen given enough time in the market, interest from hackers, and processing power as phone tech/cheap CPU tech advances.

Some of the newest formats don't have the widespread, convenient $30 copiers that this post tests, but 'secure' technology is fleeting, just like 'unpickable' mechanical locks.

Agree: 2 | Informative: 2

This may be an entirely different discussion or a tutorial, but I'm wondering about the differences between access cards. You mentioned iClass SE. We use iClass DP cards. What's the difference? And how do they differ from other iClass cards, Mifare, Prox, ProxII, DESFire? How about chip vs. no chip, and the difference between chips?

Manufacturers? HID, Gemalto, etc.?

I'd also love to know more about readers. We use iclass at some sites, multiclass at several sites (multiclass is our global standard, so most installs after that standard was established have multiclass readers), Prox readers, etc.

We have a Siemens SiPass system at one site. Prior to install, they confirmed for us that it was compatible with iClass readers. It turns out that it is but Siemens modifies the readers to make them proprietary.

So, there are many nuances between cards and readers. It would be great to have more info on this.

Agree: 1 | Informative: 1

This article was brought up by one of my sales guys yesterday when we were discussing a large client on Prox.

I'd love to move that customer away from Prox to iClass, but they have a very old, very large system, including lots of R90 garage entrance long range readers. I'm afraid that even if they were willing to reissue thousands of iClass cards to their employees, they would be constantly chasing the rabbit of 'older' card readers that are Prox only, and it would be months of hell on their security people, plus tons of reader upgrades along the way. The R90 garage readers are the biggest PITA though, since HID doesn't make a multiclass version; you would have to change the reader first, then figure out how to let people into the garage while you're migrating them to iClass cards.

So, long version: if you're considering using this article to migrate customers from Prox to iClass, really spend some time thinking through the repercussions. If anyone has any suggestions about how better to do this sort of roll out, I'd love to hear about it.

Agree: 2 | Informative: 2

One question on this: do they have R90 or MaxiProx 5375 long range readers?

The reason I'm asking is because I think R90 is 13.56 MHz/iClass conformant, while the MaxiProx 5375 is the 125 kHz model.

The 'migration' solution might be to use both long range readers in the same spot. There's a fair amount of work to go into that for certain, including adapting the controller for two readers, which may not even be possible.

We're putting together a post on this topic for next week.  Thanks for sharing this!

Agree: 1 | Informative: 2

MaxiProx. Sorry, I used the wrong part. Old big grey units, Prox only.

 

 

 


Look at the new BlueDiamond Bluetooth readers.  They give you the range and they have a piggyback reader that you can put on an existing reader to enable dual use during transition.  I'm hoping to test one soon.  I'm not sold on Bluetooth yet, but the features make them something to look at seriously.

Informative: 1

"I'd love to move that customer away from Prox to iClass, but they have a very old, very large system, including lots of R90 garage entrance long-range readers. I'm afraid that even if they were willing to re-issue thousands of iClass cards to their employees, they would be constantly chasing the rabbit of 'older' card readers that are Prox only, and it would be months of hell on their security people, plus tons of reader upgrades along the way. The R90 garage readers are the biggest PITA though, since HID doesn't make a multiCLASS version: you would have to change the reader first, then figure out how to let people into the garage while you're migrating them to iClass cards."

This probably depends on the customer's security budget, what they are securing, and whether or not they still feel adequately protected once you explain the situation to them. Almost always comes down to cost in the end. "Is it good enough on most days?"....


What you do is to inquire if that garage entrance is otherwise fully compliant with the organization's current requirements. 'Cause if it's not, they already owe themselves a hardware refresh. (And that gets even less pretty if we're having this conversation during an audit and I was about to submit this conversation in a report.)

And no I'm not trying to complain about the garage door opener the Queen uses to park the Rover in the garage sixteen layers inside the castle grounds. I realize the device features trump all but the most important security comments.


Regarding 125 kHz Prox cards: is there any difference in the ease of cloning between a 26-bit, 37-bit or 48-bit card?


No. The length of the unencrypted number on the Prox card makes no difference. None of those numbers are at all special.

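The answer above is the whole story of 125 kHz Prox: the card carries a facility code, a card number and two parity bits, and nothing that acts as a key. The following is an added example, not code from the IPVM article or from any commenter, that encodes and decodes the two commonly published HID layouts (26-bit H10301 and 37-bit H10304) and then does what a copier does, decode and re-encode, to show that a longer format only enlarges the number space and adds no secret. The field positions are the widely published ones and are this example's assumption; the sample facility code and card numbers are constructed.

```python
"""Wiegand-format encoder/decoder for 125 kHz HID Prox card numbers.

Added example, not from the IPVM article or its comments. The H10301
(26-bit) and H10304 (37-bit) layouts below follow the commonly published
descriptions of those formats (assumption); positions are 0-indexed,
MSB first, with the even-parity bit first and the odd-parity bit last.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Layout:
    name: str
    length: int
    fc: tuple      # (start, width) of the facility code field
    cn: tuple      # (start, width) of the card number field
    even: tuple    # span covered by the leading even-parity bit (bit 0)
    odd: tuple     # span covered by the trailing odd-parity bit (last bit)


# Commonly published layouts; treat these positions as this example's assumption.
H10301 = Layout("H10301", 26, fc=(1, 8), cn=(9, 16), even=(1, 12), odd=(13, 12))
H10304 = Layout("H10304", 37, fc=(1, 16), cn=(17, 19), even=(1, 18), odd=(18, 18))
LAYOUTS = {layout.length: layout for layout in (H10301, H10304)}


def _ones(bits, span):
    start, width = span
    return sum(bits[start:start + width])


def _put(bits, span, value):
    start, width = span
    if not 0 <= value < (1 << width):
        raise ValueError(f"value {value} does not fit in {width} bits")
    for i in range(width):                      # MSB first
        bits[start + i] = (value >> (width - 1 - i)) & 1


def _get(bits, span):
    start, width = span
    value = 0
    for b in bits[start:start + width]:
        value = (value << 1) | b
    return value


def encode(layout: Layout, facility_code: int, card_number: int) -> str:
    """Return the bit string a reader emits for this credential."""
    bits = [0] * layout.length
    _put(bits, layout.fc, facility_code)
    _put(bits, layout.cn, card_number)
    bits[0] = _ones(bits, layout.even) % 2            # even parity over its span
    bits[-1] = 1 - (_ones(bits, layout.odd) % 2)      # odd parity over its span
    return "".join(str(b) for b in bits)


def decode(layout: Layout, raw: str) -> tuple:
    """Parse a captured bit string into (facility code, card number).

    Raises ValueError on length or parity problems. Parity only catches
    read errors; it is not an integrity or authenticity check.
    """
    if len(raw) != layout.length or set(raw) - {"0", "1"}:
        raise ValueError(f"{layout.name} expects {layout.length} bits")
    bits = [int(c) for c in raw]
    if bits[0] != _ones(bits, layout.even) % 2:
        raise ValueError("even parity check failed")
    if bits[-1] != 1 - (_ones(bits, layout.odd) % 2):
        raise ValueError("odd parity check failed")
    return _get(bits, layout.fc), _get(bits, layout.cn)


def verify(layout: Layout, raw: str) -> bool:
    """True if the capture is well-formed for the layout (parity only)."""
    try:
        decode(layout, raw)
        return True
    except ValueError:
        return False


def clone(raw: str) -> Optional[str]:
    """What a copier does: choose the layout by length, decode, re-encode.

    Returns the bits to write to a blank card, or None for a length this
    example does not know. No key material is involved at any step.
    """
    layout = LAYOUTS.get(len(raw))
    if layout is None:
        return None
    fc, cn = decode(layout, raw)
    return encode(layout, fc, cn)


def credential_space(layout: Layout) -> int:
    """Distinct credentials the format can express; every bit is public."""
    return 1 << (layout.fc[1] + layout.cn[1])


if __name__ == "__main__":
    captured = encode(H10301, 123, 45678)   # constructed sample credential
    print(captured, decode(H10301, captured), clone(captured) == captured)
    print(credential_space(H10301), credential_space(H10304))
```

In practice a copier does not even need the decode step: it can replay the raw bits as captured. The decoder is here to make the point explicit that the only checks on the card, the two parity bits, protect against misreads, not against a second card carrying the same number.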

Thanks for the article! I'm going to order one for experimentation. 


Amazing article.

Thanks a lot.


Great info


Simple yet in depth!!


Still to this day I will show a customer this "trick" and they still don't care! This is going to be a never ending process in my opinion.

Agree: 1

Seems like your customer is willing to accept the risk. In my experience there is always some element of risk that the customer is willing to accept.


What is appalling, is the fact that there are so many industry "professionals" that are unaware of the technologies that exist to defeat a number of these access control systems and card credential-only (no biometrics or multi-factor) based systems.

Agree: 2

"What is appalling, is the fact that there are so many industry "professionals" that are unaware of the technologies that exist to defeat a number of these access control systems..."

What's even more disturbing is the fact that so many industry professionals ARE aware and continue to sell this older technology.

Agree: 3 | Informative: 1

"What's even more disturbing is the fact that so many industry professionals ARE aware and continue to sell this older technology."

I think some integrators (or end users themselves) are applying a "cost/risk" assessment to the decision-making process and determining an acceptable risk to take in order to have some baseline electronic security in place. As others have mentioned, if you use a 2FA method (i.e. PIN + card), even with the less secure 125 kHz Prox readers, you can still be "secure enough" in some environments. Many lower-cost or older systems will give you at least that capability.

Agree: 3

For those of you interested in penetration testing there is a great resource over at Smart lockpicking:

https://smartlockpicking.com/slides/HiP19_Cracking_Mifare_Classic_on_the_cheap_workshop.pdf

There are still many, let's say insecure or outdated, installations out there and I believe it's important to build some awareness.

In the Nordics we almost always pair the card with a personal PIN code, which adds a much-needed layer of security when dealing with outdated formats.

Informative: 1

"In the Nordics we almost always pair the card with a personal PIN code, which adds a much-needed layer of security when dealing with outdated formats."

That's an interesting MFA approach - how often are those PINs changed?


Whenever a catastrophic event such as a database corruption occurs I would wager.

Jest aside, I'm guessing the vast majority change them extremely rarely.


Does adding an additional layer of security, like an employee unique PIN, help the situation? Is the PIN encoded on the cards or inside the access control database?


The PIN would be in the database of the ACS on a low-frequency card.


"Does adding an additional layer of security, like an employee unique PIN, help the situation? Is the PIN encoded on the cards or inside the access control database?"

It can add security, and is one of the methods used in Multi-Factor Access Control.

Structurally, a weakness is that PINs are often insecure themselves, but if kept secure and used wisely, the PIN can overcome the weakness of a copied card because an additional detail needs to be entered before the door unlocks.

In general, PINs are kept/stored/managed totally separate from the card itself (by the access database) and so the information cannot be copied.

Informative: 1

I've successfully cloned 13.56 MHz cards using a handheld device. This device can do iClass and even standard Seos (tried it on my gym last week). While the device is way more expensive than the ones discussed in this article, just a simple transition to standard 13.56 still prevents vulnerabilities.

We are working with HID on multi-credential card which will have several elite key Seos credentials. From my research, that's one of the highest forms of encryption available at the moment...would love to hear what others are doing.

Informative: 1

We tested a 13.56 MHz unit too: Smartcard Copier Tested (13.56MHz)

Like you mention, older formats are cracked, but no one has claimed SEOS or EV2/3 yet...


I just copied Seos last week using this decoder plugged into my device:

iCS Decoder for ICLASS SE & SEOS - iCopy-X: World's best RFID Card Cloning Device

I tried it on my gym pass which is a Seos only card and it worked. When it worked I contacted my HID POCs to talk through the vulnerability. Per HID after I spoke with them: The icopy devices can take a Seos standard credential, and clone it to an iClass 13.56 smart card...you can't copy Seos and clone to Seos, but you can copy Seos and clone to an iClass card. So, the multiclass reader that was at my gym simply needed to turn off all other credentials other than Seos and it would not have been able to read my cloned badge because it was utilizing an iClass card.

Keep in mind, this is just for Seos STD, if you have an ICE key applied to your card/Signo reader...that has proven to the most secure and my device can't clone those formats.

Informative: 5