Hack Your Access Control With This $30 HID 125kHz Card Copier

Author: Brian Rhodes, Published on May 01, 2017

You might have heard the stories or seen the YouTube videos of random people hacking electronic access control systems.

The tools that claim to do this are available widely, including at eBay for just $30.

We bought one of these cheap gadgets, shown below:

Inside, find our full test results, including a demo video of how easy it is to do, how widely these cards are deployed, and what steps you can take to cut the risk.

Easy HID Card Copies

Our demo video below shows how the $30 copier can be used in seconds to spoof HID 125kHz formatted access cards:

In our test, we copied multiple 125 kHz formats and tested them on multiple readers. While very cheap, the card copier did not malfunction or create corrupted copies in any of the 15+ cards we copied.

The Big Risk

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Indeed, to access control systems, these copies look identical to legit cards. The screenshot below, for our test shows that multiple copies are indistinguishable from the HID factory original:

The risk is that unauthorized copies can be made and used to gain access, with no outward sign or record of being a duplicate.

Formats Matter

One specific caveat to this test: not all card types and formats are at risk. This particular tool can be used to copy 125kHz card types, including popular HID Prox, ISOProx, and Prox II formats, and several others commonly used in access control such as EM4100 and AWID formats.

Specifically this tool cannot copy any 13.56MHz 'Smartcard' formats like HID iClass, or DESFire/MIFARE varieties. One of the major differences between those formats is 13.56MHz formats are encrypted and the data they hold must be first decoded by the companion reader with a specific 'key' value, otherwise the information they transmit in open air is heavily hashed and obscured.

However, most 125kHz formats are simply not encrypted at all. This means the process of copying them simply energizes the card, and stores the information it broadcasts. Card details are stored on the card exactly as the system uses them, so sensitive card numbers and facility codes are easy to pull from thin air.

Vulnerable 125 kHz Common

Despite the risks of unsecured 125 kHz cards and fobs, they are commonly used and even preferred by many installers and end users. In our Favorite Access Control Credentials 2016, those vulnerable types command 32% of the favorite votes:

Indeed, these credentials vulnerable to copiers are still used in tens of thousands of systems, with millions of issued credentials circulating every day.

Cheap & Easy To Get

The copier we tested was purchased for $30 shipped. Overall, the price of the unit tested was slightly higher due to the configuration of copying HID formats, but units as low as $10 can be purchased to copy basic EM4100 formats alone.

The kit we purchased was shipped with several blank re-writable keyfobs, but were not a suitable blank format needed to copy HID cards. So we bought a box of HID compatible card formats (T5557) for $0.35 cents each, for a total test package costing less than $45.

The chilling lesson is these products are very inexpensive, readily available, and sold by multiple vendors eager to ship next day with no questions asked to anyone, crook or honest.

How It Works

The device used to copy the cards works much the same way as normal card readers, with transceiver coil, power supply, IC chip, buzzer and even LEDs components shared by both:

Given the principal operation of contactless card readers, the copier excites the coil and delivers power wirelessly to the card, which then momentarily stores energy and then uses it to broadcast card details back to the copier. The image below shows a transparent example of a card, revealing all these components:

The copier includes a small amount of memory to store those details, and then pushes them to a blank card, writing them permanently as a copy.

Near Contact Required

One particular factor of this unit are cards to be copied must be held close to the copying antenna to work, a distance of less than 1". This is somewhat a benefit to cardholders, because someone bent on stealing and spoofing card details must be very close to do it.

However, the time needed to steal the information is fast - less than 5 seconds, and it is conceivable that someone could have card details copied and stolen without realizing it, especially in crowded groups of people.

But the method used by this device is available in other forms functional at longer distances - some claiming 5 feet range or more and often using modified off-the-shelf long range readers:

These longer range copiers are much more expensive ($500+ vs. $30), physically larger, and require more power than 2 AA batteries. However, carrying the components covertly in a backpack or briefcase means that those stealing cards can just blend in better with crowds.

Mitigating This Risk

So what can be done to prevent this exploit? The most straightforward step is to discontinue using HID (or any) 125 kHz cards, fobs, and readers and switch to encrypted and hashed 13.56 MHz formats. For more details, see our Hackable 125kHz Access Control Migration Guide.

Given current pricing, the higher frequency types are more expensive, but only a modest 15% - 25% more, and frequently offered at pricing the same or under the less secure 125 kHz types.

13 reports cite this report:

HID: Stop Selling Cracked 125 kHz Credentials on Nov 05, 2018
HID should stop selling cracked 125 kHz access control credentials, that have been long cracked and can easily be copied by cheap cloners sold on...
ADI Pushing Cracked 125 kHz Access Control on Oct 25, 2018
Security distribution giant ADI commonly promotes access bundles featuring vulnerable and cracked 125 kHz card formats.  Even worse, they promote...
Replacing / Switching Access Control Systems Guide on Jun 28, 2018
Ripping out and replacing access control systems is hard for important reasons. Because users typically hold on to access control systems for as...
'Secure Channel' OSDP Access Control Examined on Jun 21, 2018
Despite claiming to be better than Wiegand, OSDP's initial releases did not address the lack of encryption between reader and controller, leaving...
Favorite Access Control Credentials 2018 on Mar 22, 2018
In this 2018 access integrator statistics result, which credential type holds the favored spot to unlock access doors? More than 150 integrators...
New Whole Foods Installs Hackable Access Control (Upgraded) on Feb 21, 2018
Whole Foods has built a reputation for high quality. And their 2017 Amazon acquisition has increased that, plus added deep pockets for buying...
Nest Secure Alarm System Tested on Nov 16, 2017
Google's expansion continues, this time into home security with their Nest subsidiary's move into alarm systems. They paid more than a...
Selecting Access Control Readers Tutorial on Nov 09, 2017
Given the variety of types available, specifying access control readers can be a daunting process. However, focusing on a few key elements will...
Vulnerability Directory For Access Control Cards on Aug 14, 2017
Knowing which access credentials are insecure can be unclear, especially because most look and feel the same. Even the most insecure 125 kHz types...
Smartcard Copier Tested (13.56MHz) on Jul 05, 2017
Copying 125kHz cards is certainly easy, as our test results showed, but how about 13.56MHz smart cards? Are they more secure? IPVM focused on the...
Biometrics Pros and Cons For Electronic Access Control on Jun 26, 2017
Biometrics has been long sought as an alternative to the security risks of cards, pins and passwords. While biometrics has improved somewhat over...
Anti-Hack Access Card Shields Tested on May 26, 2017
Keeping your access control card information secure is becoming a big priority, especially since cheaper copiers can hack details easily. Multiple...
Cracked 125kHz Access Control Migration Guide on May 19, 2017
Despite being one of the most popular credentials, 125 kHz credentials are easily copied and insecure as we showed in our test results, video...
Comments (70) : PRO Members only. Login. or Join.

Related Reports

2019 Access Control Book Released on Dec 12, 2018
This is the best, most comprehensive access control book in the world, based on our unprecedented research and testing has been significantly...
Startup Sunflower Labs' Autonomous Drone Security System on Dec 11, 2018
Startup Sunflower Labs is claiming a unique design on a home security system, combining autonomous drones and 'Sunflower' sensors. Imagine an...
Multi-Factor Access Control Authentication Guide on Dec 10, 2018
Can a stranger use your credentials? One of the oldest problems facing access control is making credentials as easy to use as keys, but restricting...
Top 2019 Trend - AI Video Analytics on Dec 10, 2018
160+ Integrators answered: What do you think the top industry trend will be in 2019? Why? AI / video analytics was the run-away winner with...
Cybersecurity Insurance For Security Integrators on Nov 29, 2018
Most security industry professionals carry insurance to cover themselves in the event of a general loss. However, most are not carrying cyber...
Startup Qumulex Aims For Unified Platform, Adds Infinias Access Founder on Nov 29, 2018
The startup founded by former Exacq executives, Qumulex has hired Wayne Jared, founder of access control manufacturer Infinias and most recently a...
HID Product Configurator Examined on Nov 26, 2018
HID is widely used. However, figuring out all the different configurations of features for a final credential or reader part number can be a real...
Ideal SecuriTest IP Vs Unbranded IP Camera Install Tool Tested on Nov 21, 2018
In our recent IP camera installation tool shootout, multiple members questioned the Ideal SecuriTest IP's features compared to low-cost unbranded...
Openpath Access Control Tested on Nov 20, 2018
Big investment in access startups is uncommon, but Openpath has recently attracted $20 million doing just that. The company has limited security...
No GDPR Penalties For UK Swann 'Spying Hack' on Nov 20, 2018
The UK’s data protection agency has closed its investigation into Infinova-owned Swann Security UK, the ICO confirmed to IPVM, deciding to take “no...

Most Recent Industry Reports

Imperial Capital Security Investor Conference 2018 Review - ADT, Resideo, Alarm.com, Arlo, Eagle Eye, ACRE, More on Dec 14, 2018
Imperial Capital Security Investor Conference is an event matching industry executives with financiers that frequently leads to future funding...
Cisco Meraki New Cameras and AI Analytics on Dec 14, 2018
Meraki has released their second generation of video surveillance with 3 new cameras, AI-based video analytics, and 2 cloud-based storage...
Foolish Strategy: OEMing Facial Recognition on Dec 13, 2018
Almost as 'hot' as face recognition marketing right now is OEMing facial recognition. Last year, they were a who's who of company's with...
DVR Examiner - Video Recovery from Recorder Hard Drives on Dec 13, 2018
Bypassing passwords and long download times on-site, DVR Examiner collects and organizes video evidence directly from a hard drive extracted from...
2019 Access Control Book Released on Dec 12, 2018
This is the best, most comprehensive access control book in the world, based on our unprecedented research and testing has been significantly...
Huawei Hisilicon Quietly Powering Tens of Millions of Western IoT Devices on Dec 12, 2018
Huawei Hisilicon chips are powering, at least, tens of millions of Western IoT devices, such as IP cameras and surveillance recorders, a fact that...
FLIR Launches Body Cameras Unified With VMS (TruWitness) on Dec 11, 2018
While FLIR is best known for their thermal cameras, now they have expanded into body cameras, launching TruWITNESS, a public safety focused body...
Startup Sunflower Labs' Autonomous Drone Security System on Dec 11, 2018
Startup Sunflower Labs is claiming a unique design on a home security system, combining autonomous drones and 'Sunflower' sensors. Imagine an...
The 2019 Video Surveillance Industry Guide on Dec 10, 2018
The 300 page, 2019 Video Surveillance Industry Guide, covers the key events and the future of the video surveillance market, is now available,...
Multi-Factor Access Control Authentication Guide on Dec 10, 2018
Can a stranger use your credentials? One of the oldest problems facing access control is making credentials as easy to use as keys, but restricting...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact