I used this very device and "Cloned" a card of the head of security of a large (1200 reader) end user during his visit to our HQ with his integrator....We got the green light on the smart card reader and credential upgrade on the spot. Must have for any outside sales person that is interested in demonstrating the advantages of using secure readers and credentials..
Great test and I had to buy one! Has IPVM thought about cloning old iClass or MiFare 13.56mhz cards in a test? I have heard that you can download apps on smart phones to do the hack/clone.
In terms of 13.56 MHz types, I believe the 'go to' gear for commercial copying/cracking product is sold under the ProxMark name by an outfit named RyscCorp.
They've commercialized 'kits' described by several whitepapers usually based on an Arduino. Overall, the methods and kits they use require some technical skill to use right, while the card copier in this post essentially requires none.
Yes, I have seen these and even thought about building one but never had the time to. I was recently working on a project that used MiFare Classic 1k cards and found some videos of people using smart phone apps to brute force hack them. I believe they require a "jail broken" Android phone which I do not have. Here is one example:
The phone is using the onboard NFC and and an app to brute-force crack the card.
While that type of attack is bound to take a bunch of time and suck battery power down, someone could hide their complete hack toolbag into an Android phone! It would be extremely difficult to detect/ mitigate that risk.
(Yes, this is the widget I used for the card cloning demo at ISC West 2017.)
Some people use ISO 14443 cards ("13.56" in trunkslammer parlance) BUT ONLY USE THE CARD SERIAL NUMBER. The CSN number is not safe. You can buy blank cards, you can clone the card serial number. Yes, you have to buy the 100 dollar sketch widget on Amazon instead of the 30 dollar widget. CSN's are not safe (well, no safer than prox.) You need to use DESfire or Mifare Plus or something that really uses encrypted data on the card (encrypted with something an outdated android can't crack, like AES.) Or use PIV-like cards with full certificate-based crypto.
I believe that is correct. This gets into the subtleties of A vs. B in that one is essentially a floppy disk drive in a credit card (a memory device) and the other is an Apple II in a credit card (a computer running a protocol, with a secure key store.)
A static signal encrypted or not, is a static signal. I can clone anything that is static if you give me enough opportunities. And I don't mean a few days. Just a few moments.
The 125 kHz hack seems to be getting easier and easier. I think you'll be generating a few orders for this device .... for $30-40, it's worth having some fun with to show customers how easy it would be to clone a standard prox card.
Now, while the barn door is open, whatever happened after the magnetic exploit was exposed for thousands of Kaba Simplex pinpad locks a few years back?
Now, while the barn door is open, whatever happened after the magnetic exploit was exposed for thousands of Kaba Simplex pinpad locks a few years back?
As far as the question, Kaba came out with a fix. Tobias said it prevented an attack like the one to which the unfixed locks were vulnerable, but he didn't rule out a stronger or more-carefully-shaped magnetic field circumventing that fix.
As a side note, his book about cracking Medeco's high security locks is on Amazon.
DO check out the antique crypto in the control panel while you're looking at Kantech. (check out the marketing blur they give you when you ask if Hattix is safe - it touts a bunch of now-ancient crypto features in the Kantech panels. So sad, they coulda used an Ultra.
So I bought one of these cloning devices and tested it on some Kantech ioProx XSF cards hoping it would give me an edge on an upcoming job bid. It doesn't work. It just flashes the read light ever second or so. I'm not knowledgeable enough to know what makes it more secure over the other cards, but it appears that ioProx XSF can be cloned from online services so maybe it's just a matter of finding a different cloning device?
Our XSF test materials are still in transit, so I have not had the chance to examine this in detail yet, so this is good feedback.
In terms of cloning XSF, this particular $30 device may not be able to do it.
However, that does not mean that other devices cannot. For example, this particular unit (~$430) isn't limited by formats, it can parse the general frequency.)
XSF Format can 'only' be used/understood by Kantech. Kantech appears to use a non-standard bit format (that only XSF readers can read), at the expense of being proprietary for both readers and cards. They also leverage software side 'decoding' that reorders the card data before associating it with a record on the database. So even if the card can be read by a copier, the information might not be rewritten in a usable way - this is where more testing is needed.
In short, the effect of using this format protects it from hacks like this $30 reader, but at the expense of 'not playing nice' with the rest of the readers/card products on the market, which some customers may have a problem with. Interesting strategy for Kantech, who can sell XSF's 'security' by its 'obscurity'.
Good feedback, Brian! We look forward to checking into XSF ourselves.
I gather these various schemes are mostly different forms of radio being used to sqawk an unencrypted value. "my badass radio tech uses four capacitors different than the other vendor" does not count as encryption even though some vendors act like it is. Note that there are reader vendors out there who can read all sorts of stuff - it's because they reconfigure their radios among the various combinations. I assume these duplicating houses have a bunch of readers and then some card generation gear.
Google "software defined radio" if you want to see why I have no respect for fancy radio waveform being a form of security.
"my badass radio tech uses four capacitors different than the other vendor" does not count as encryption even though some vendors act like it is.
+1 agree
There is a big difference between being 'slightly weird' and being encrypted, but manufacturer marketing doesn't observe that.
I have come to be very skeptical/ suspicious of words like 'encrypted' in physical access products. In many cases, it is just a non-standard implementation (like you mention), but it is not using cryptography at all.
I use a hackRFone, modified software toolkit, rpi with Linux and an additional toolkit. Pen-testing and generating revenue on the daily. Access control is merely a deterant. If you have access to the data bus lines beyond the readers and there is no encryption and to end all the way back to the panel you can gleen information right off of the data bus lines and play it back. There are clip-on devices that can be used to do that with Wi-Fi and other tool kits. Many customers are even too cheap to pay for the door contacts (Or integrators are too cheap or lazy to put them in)so they have no idea whether the doors actually open or not. If it's built into the strike or unlocking device it's better. If I want to keep it really simple, a decent pry bar goes a long way or a good steel toe boot. The walls adjacent to many "secure" doors can be punched right through, unless brick, block or mesh screen are in play. Now if secure and unsecured sides both have drop ceiling and there's a RTE device available and you have a collapsible ladder in the backpack, in you go. Many commercial spaces are not fortified like military or other hardened facilities. None of the above really works in correctional facilities they are a different beast altogether. Generally speaking in the commercial world, It's all a big facade..
You are right on the money with "Software Defined Radio". Those systems are every hacker's dream!!! Combine that with a $30 logic analyzer and a $5 Raspberry Pi Zero and the word "Security" takes on a new meaning.
I tried to copy an XSF card with this device and it would not read for our example copier either.
We may delve into XSF more deeply in a future post. However, like Brian H notes, there are several online services (like this one) that claim 99% copy success in duplicating those credentials.
The shortcoming is likely just the $30 copier, more sophisticated scanners/ copiers apparently work.
From the above with this device it appears the only 125-kHz proximity cards proven to be clone-able make use of FSK digital modulation. Would be interesting to test with 125-kHz proximity cards that make use of other digital modulation schemes, such as ASK and PSK.
Note I've observed a trend of rising sales of keypad proximity reader products. Adding an additional security layer to the access process (i.e. PIN: What one knows) may indeed be a response to the threat of unauthorized credential duplication.
Additionally, judging from my experience at the recent ISC West, interest is growing for highly proprietary 13.56-MHz contactless smartcard technology, such as NXP's DESFire EV1 and Legic's advent based cards.
Some 13.56 is less proprietary than others. DESFire EV1/EV2 require vendor paperwork to have permission to learn how to encode them. Mifare, Mifare Plus (uses AES) are encodable with freely available information. PIV (NIST SP800-73-4 to be precise) is completely open. And there are other formats...
When the card is inserted in the shield, the shield essentially reflects the energizing field emitted by this copier or by any reader. The card remains unpowered, so the shield conceptually works.
You can test the shield yourself by trying it against any card reader. I have a cheap shield that I tested. My bare access card slowly approaching a reader reads at about 4" on this particular reader. Inside my cheap shield, the card reads at 1" (same reader). The cheap shield helps, but is not perfect. This 25% attenuation should be consistent with a long range reader.
I like the looks of this Patriot shield... it looks much better than my cheap foil type.
...however these shields are made for 14443 not prox. Prox is different radio tech than 14443
P.s. as a general matter if your physical security geeks are trying to talk to you about radio tech, they're talking about unencrypted cardholder data from a clonable device. FSK, PSK, AWID, all that stuff is low level radio tech. If your're not sending ciphertext over your radio then you're probably insecure.
I have the cloner bought from Aliexpress and it can copy any cards (it doesn't matter 125KHz or 13.56MHz) except, HID iClass SE/Seos cards and NXP DESfire cards.
It can copy any of cards even the card has card numbers in certain sector in block. The cloner can decode the encoded card numbers in the block and copy.
So, if end users are using cards except HID iClass SE/Seos cards and NXP DESfire cards then you can show the demonstration and ask them to change the cards.
HID iClass SE/Seos cards and NXP DESfire cards have encrypted card data in the card only.
It looks to me that that device can only clone the UID of a 13.56mhz card though?
So if the access control system is using something other then the UID of the 13.56mhz card (a site code based card format perhaps) its not going to grant access via the cloned card...
Be careful, there are different versions of this copier that look 'exactly' the same but cannot read the 13.56 MHz signal even though they claim they can. I've tried five different variants; two of the five actually were able to perform as advertised.
Nerve? Do you see the posts IPVM publishes? It is not about nerve. We just did not think that there would be such interest. Happy to do more now. Rhodes just ordered another one of these devices to tests.
This makes me wish there was a "majorly agree" button. Certainly is scary. One step forward selling them a system, two steps back when a hack is released.
There are two models of the low cost unit. the other model is more expensive and it will copy HID Pro Card II security block and all this one is $20USD
Would you consider opening this article to non-members? This is such an important topic, and one I've bashed my head against the metaphorical wall of cheap customers who don't care far too many times. It'd be nice to just send them this link and say "please at least read this".
Cards are not typically re-writeable. Re-writeable cards are widely available and cheap, but the ones typically in access used are fixed and set at the factory with 'unique' details like factory codes and sequential numbers.
A sure way of knowing in your system is whether or not cards/fobs need to be programmed before they are issued. If not, they are not re-writeable/ blank cards to begin with.
Some types of cards cards are rewritable if you have the keys. In the physical security world there is an outdated notion nobody could generate the same card. This "set at the factory" deal is a scam used to lock you into a specific card vendor. The customer is supposed to be in charge of their own key material, it's not supposed to be held hostage by the card vendor.
Yesterday had an interesting chat with an international partner that involved this post. We both pondered how many access credentials are sold today on the basis of convenience, as opposed to security? And will the lessons learned in the shift from magnetic stripe to proximity to contactless smart card be reflected in the shift to mobile?
Also, we agreed this argument goes beyond integrators simply upgrading their end user customers to higher levels of security. He mentioned that he promotes to his integrators that more secure contactless smart cards also allow them to deliver additional services to their end users, such as biometrics, cashless vending, cafeteria plans and time and attendance, allowing these integrators to grow their businesses with their existing customer base.
You always read about and hear that Proximity card technology has been hacked. To that really meant nothing. Who cares right? Well the HID rep came in with this very device and cloned one of our cards and used it on a reader. Well the light bulb finally came on and that made sense. I bought one and 10 re-writable cards for less than $40. This is a game changer when talking to customers about why they need to get off of prox technology. I have disabled the beeper on mine so if the client has a card hanging from a lanyard or retractable cord I read the card without them knowing and then clone a card then read their door and they are blown away. I really should invest in the more expensive iclass cloner as well.
You mentioned that you read the card without them knowing then clone a card...
Forgive my ignorance here as I am still learning about access control. Are you able to determine the exact type of card based on visual inspection or do you have to ask which type it is? Then do you have to have stock of multiple different types of writeable cards in order to clone it or is there a one size fits all card?
I knew the card type before hand. This was an existing customer I did this with. I wouldn't do that to a potential customer without them knowing as could make me look a little shady.
Also, some of the more elegant copiers can scan through various card types and determine which type of card it is on their own, automatically, and then tell you what type of card it is. Some of the copiers can store the card credentials in memory indefinitely or until you erase them and you can actually play them back from The copier as opposed to from a card in the event you do not have the correct card with you at the time you perform your copy.
Awesome article. Been wanting to research which cloner to buy to demo the lack of security of these cards. This saved me a ton of time and money. Didn't imagine the cloners were this cheap!
As help to me and others with limited knowledge in this area. Could there be a IPVM table with access technology - wether it's secure or insecure based on what we know now. And how it's compromised - Chinese cloners, smartphones etc :)
We've got a second round of 'copier' tests upcoming that will focus on 13.56 MHz types, but in general unless you're using DESFIRE EV2 or iClass SE Rev 2, exploits are easy to find. Most use phones or Arduino-based apparatus, not copier devices like this handheld.
I have not found a source claiming to have cracked DESFIRE EV2 or iClass SE. (EV1 is getting close to be an app-based, brute force copied format, but not quite yet. There are also claims from unrelated groups that SE has been broken, but the 'proof' hasn't been shared yet.) If anyone knows/ has seen these I am interested to learn more.
But make no mistake it will happen given enough time in the market, interest from hackers, and processing power as phone tech/ cheap CPU tech advances.
Some of the newest formats don't have widespread, convenient, $30 copiers that this post tests, but 'secure' technology is fleeting, just like 'unpickable' mechanical locks.
This may be an entirely different discussion or a tutorial, but I'm wondering about the differences between access cards. You mentioned iClass SE. We use iClass DP cards. What's the difference? And how do they differ from other iClass cards, Mifare, Prox, ProxII, Desfire. How about chip, vs no chip and the difference between chips.
Manufacturers? HID, Gemalto, etc.?
I'd also love to know more about readers. We use iclass at some sites, multiclass at several sites (multiclass is our global standard, so most installs after that standard was established have multiclass readers), Prox readers, etc.
We have a Siemens SiPass system at one site. Prior to install, they confirmed for us that it was compatible with iClass readers. It turns out that it is but Siemens modifies the readers to make them proprietary.
So, there are many nuances between cards and readers. It would be great to have more info on this.
This article was brought up by one of my sales guys yesterday when we were discussing a large client on Prox.
I'd love to move that customer away from Prox to Iclass, but they have a very old, very large system, including lots of R90 garage entrance long range readers. I'm afraid that even if they were willing to re issue thousands of Iclass cards to their employees, they would be constantly chasing the rabbit of 'older' card readers that are Prox only and it would be months of hell on their security people, plus tons of reader upgrades along the way. The R90 garage readers are the biggest PITA though, since HID doesn't make a multiclass version, you would have to change the reader first, then figure out how to let people into the garage while you're migrating them to Iclass cards.
So, long version, if you're considering using this article to migrate customers from Prox to Iclass, really spend some time thinking through the repercussions. If anyone has any suggestions about how better to do this sort of roll out, I'd love to hear about it..
One question on this: do they have R90 or MaxiProx 5375 long range readers?
The reason I'm asking is because I think R90 is 13.56 MHz/ iClass conformant, while the MaxiProx 5375 is the 125 khz model.
The 'migration' solution might be two use both long range readers in the same spot. There's a fair amount of work to go into that for certain, including adapting the controller for two readers which may not even be possible.
We're putting together a post on this topic for next week. Thanks for sharing this!
Look at the new BlueDiamond Bluetooth readers. They give you the range and they have a piggyback reader that you can put on an existing reader to enable dual use during transition. I'm hoping to test one soon. I'm not sold on Bluetooth yet, but the features make them something to look at seriously.
"I'd love to move that customer away from Prox to Iclass, but they have a very old, very large system, including lots of R90 garage entrance long range readers. I'm afraid that even if they were willing to re issue thousands of Iclass cards to their employees, they would be constantly chasing the rabbit of 'older' card readers that are Prox only and it would be months of hell on their security people, plus tons of reader upgrades along the way. The R90 garage readers are the biggest PITA though, since HID doesn't make a multiclass version, you would have to change the reader first, then figure out how to let people into the garage while you're migrating them to Iclass cards."
This probably depends on the customer's security budget, what they are securing, and whether or not they still feel adequately protected once you explain the situation to them. Almost always comes down to cost in the end. "Is it good enough on most days?"....
What you do is to inquire if that garage entrance is otherwise fully compliant with the organizations current requirements. 'Cause if it's not they already owe themselves a hardware refresh. (and that gets even less pretty if we're having this conversation during an audit and I was about to submit this conversation in a report.)
And no I'm not trying to complain about the garage door opener the Queen uses to park the Rover in the garage sixteen layers inside the castle grounds. I realize the device features trump all but the most important security comments.
What is appalling, is the fact that there are so many industry "professionals" that are unaware of the technologies that exist to defeat a number of these access control systems and card credential-only (no biometrics or multi-factor) based systems.
"What is appalling, is the fact that there are so many industry "professionals" that are unaware of the technologies that exist to defeat a number of these access control systems..."
What's even more disturbing is the fact that so many industry professionals ARE aware and continue to sell this older technology.
"What's even more disturbing is the fact that so many industry professionals ARE aware and continue to sell this older technology."
I think some integrators (or end users themselves) are applying a "cost/risk" assessment to the decision making process and determining an acceptable risk to take in order to have some baseline electronic security in place. As others have mentioned; if you use a 2FA method (i.e. PIN+card), even with the less secure 125khz prox readers, you can still be "secure enough" in some environments. Many lower cost or older systems will give you at least that capability....
Does adding an additional layer of security, like an employee unique PIN, help the situation? Is the PIN encoded on the cards or inside the access control database?
Does adding an additional layer of security, like an employee unique PIN, help the situation? Is the PIN encoded on the cards or inside the access control database?
Structurally, a weakness are PINs are often insecure themselves, but if kept secure and used wisely, the PIN can overcome the weakness of a copied card because an additional detail is needed to be entered before the door unlocks.
In general, PINs are kept/stored/managed totally separate from the card itself (by the access database) and so the information cannot be copied.
I've successfully cloned 13.56 mhZ cards using a handheld device. This device can do iClass and standard Seos even (tried it on my gym last week). While they device is way more expensive than the ones discussed in this article, just a simple transition to standard 13.56 still prevents vulnerabilities.
We are working with HID on multi-credential card which will have several elite key Seos credentials. From my research, that's one of the highest forms of encryption available at the moment...would love to hear what others are doing.
I tried it on my gym pass which is a Seos only card and it worked. When it worked I contacted my HID POCs to talk through the vulnerability. Per HID after I spoke with them: The icopy devices can take a Seos standard credential, and clone it to an iClass 13.56 smart card...you can't copy Seos and clone to Seos, but you can copy Seos and clone to an iClass card. So, the multiclass reader that was at my gym simply needed to turn off all other credentials other than Seos and it would not have been able to read my cloned badge because it was utilizing an iClass card.
Keep in mind, this is just for Seos STD, if you have an ICE key applied to your card/Signo reader...that has proven to the most secure and my device can't clone those formats.
Agree
Disagree
Informative: 5
Unhelpful
Funny
Create New Topic
Subscribe to IPVM Research to read the full report.
Why do I need to subscribe?
The IPVM Research Service includes products tests and shootouts plus competitive and financial analysis, helping decision-makers better evaluate purchasing, partnering, developing, and/or competing against companies in physical security.
Comments (94)
Rick Caruthers
05/01/17 02:05pm
I used this very device and "Cloned" a card of the head of security of a large (1200 reader) end user during his visit to our HQ with his integrator....We got the green light on the smart card reader and credential upgrade on the spot. Must have for any outside sales person that is interested in demonstrating the advantages of using secure readers and credentials..
Create New Topic
Undisclosed #1
Great test and I had to buy one! Has IPVM thought about cloning old iClass or MiFare 13.56mhz cards in a test? I have heard that you can download apps on smart phones to do the hack/clone.
Create New Topic
Undisclosed Integrator #2
The 125 kHz hack seems to be getting easier and easier. I think you'll be generating a few orders for this device .... for $30-40, it's worth having some fun with to show customers how easy it would be to clone a standard prox card.
Now, while the barn door is open, whatever happened after the magnetic exploit was exposed for thousands of Kaba Simplex pinpad locks a few years back?
Create New Topic
Scott Sheldrake
Do you know if Kantech ioprox XSF is hackable using the same method ml
Create New Topic
Scott Lindley
05/01/17 05:06pm
From the above with this device it appears the only 125-kHz proximity cards proven to be clone-able make use of FSK digital modulation. Would be interesting to test with 125-kHz proximity cards that make use of other digital modulation schemes, such as ASK and PSK.
Note I've observed a trend of rising sales of keypad proximity reader products. Adding an additional security layer to the access process (i.e. PIN: What one knows) may indeed be a response to the threat of unauthorized credential duplication.
Additionally, judging from my experience at the recent ISC West, interest is growing for highly proprietary 13.56-MHz contactless smartcard technology, such as NXP's DESFire EV1 and Legic's advent based cards.
Create New Topic
Tim Lawson
Does having an RF shielded card holder guard against this exploit? An example would be the Patriot TWIC/CAC card holder.
Create New Topic
Undisclosed
...however these shields are made for 14443 not prox. Prox is different radio tech than 14443
P.s. as a general matter if your physical security geeks are trying to talk to you about radio tech, they're talking about unencrypted cardholder data from a clonable device. FSK, PSK, AWID, all that stuff is low level radio tech. If your're not sending ciphertext over your radio then you're probably insecure.
Create New Topic
Craig Mc Cluskey
Brian,
May I send this to the president of a non-profit with which I am affiliated?
I know they use card/token access, but I don't know what kind.
Thanks,
Craig
Create New Topic
Taewoong Kim
I have the cloner bought from Aliexpress and it can copy any cards (it doesn't matter 125KHz or 13.56MHz) except, HID iClass SE/Seos cards and NXP DESfire cards.
It can copy any of cards even the card has card numbers in certain sector in block. The cloner can decode the encoded card numbers in the block and copy.
So, if end users are using cards except HID iClass SE/Seos cards and NXP DESfire cards then you can show the demonstration and ask them to change the cards.
HID iClass SE/Seos cards and NXP DESfire cards have encrypted card data in the card only.
Create New Topic
John Honovich
Note: this is the most read access control technical post we have ever done. I am happy to see the interest.
Create New Topic
Richard Hyde
Thank you for sharing this Brian! This was a real eye opener.
Create New Topic
Guillaume Poirier
Scary!! Food for thought when recommending a system!
Create New Topic
Undisclosed
It's scarier when your customer figures it out first and asks you why you sold them prox.
Create New Topic
Undisclosed Manufacturer #4
With a little research, this items sell for $8USD in Alibaba. (I don't know why, but when I read Alibaba, I always think of the 40 thieves!)
https://www.alibaba.com/product-detail/ID-Card-Copy-Machine-ID-card_60397692772.html
You can find some on Amazon for $22-24USD
There are two models of the low cost unit. the other model is more expensive and it will copy HID Pro Card II security block and all this one is $20USD
The factory is just 20minutes walk from me.
Create New Topic
Undisclosed Integrator #6
Would you consider opening this article to non-members? This is such an important topic, and one I've bashed my head against the metaphorical wall of cheap customers who don't care far too many times. It'd be nice to just send them this link and say "please at least read this".
Create New Topic
David Lieberman
Is it possible to blank out an enrolled card and re-write it using this device?
Create New Topic
Undisclosed
Some types of cards cards are rewritable if you have the keys. In the physical security world there is an outdated notion nobody could generate the same card. This "set at the factory" deal is a scam used to lock you into a specific card vendor. The customer is supposed to be in charge of their own key material, it's not supposed to be held hostage by the card vendor.
Create New Topic
Scott Lindley
05/04/17 03:59pm
This post is making a global impact.
Yesterday had an interesting chat with an international partner that involved this post. We both pondered how many access credentials are sold today on the basis of convenience, as opposed to security? And will the lessons learned in the shift from magnetic stripe to proximity to contactless smart card be reflected in the shift to mobile?
Also, we agreed this argument goes beyond integrators simply upgrading their end user customers to higher levels of security. He mentioned that he promotes to his integrators that more secure contactless smart cards also allow them to deliver additional services to their end users, such as biometrics, cashless vending, cafeteria plans and time and attendance, allowing these integrators to grow their businesses with their existing customer base.
Create New Topic
Shannon Davis
You always read about and hear that Proximity card technology has been hacked. To that really meant nothing. Who cares right? Well the HID rep came in with this very device and cloned one of our cards and used it on a reader. Well the light bulb finally came on and that made sense. I bought one and 10 re-writable cards for less than $40. This is a game changer when talking to customers about why they need to get off of prox technology. I have disabled the beeper on mine so if the client has a card hanging from a lanyard or retractable cord I read the card without them knowing and then clone a card then read their door and they are blown away. I really should invest in the more expensive iclass cloner as well.
Create New Topic
Undisclosed Integrator #7
So, in summary which type of card is not easily duplicated?
Create New Topic
Shannon Davis
HID iclassSE has not been hacked or able to be cloned yet due to the several layers of security.
Create New Topic
Geoffrey Granger
Awesome article. Been wanting to research which cloner to buy to demo the lack of security of these cards. This saved me a ton of time and money. Didn't imagine the cloners were this cheap!
Create New Topic
Undisclosed Integrator #8
As help to me and others with limited knowledge in this area. Could there be a IPVM table with access technology - wether it's secure or insecure based on what we know now. And how it's compromised - Chinese cloners, smartphones etc :)
Create New Topic
Undisclosed End User #9
This article was brought up by one of my sales guys yesterday when we were discussing a large client on Prox.
I'd love to move that customer away from Prox to Iclass, but they have a very old, very large system, including lots of R90 garage entrance long range readers. I'm afraid that even if they were willing to re issue thousands of Iclass cards to their employees, they would be constantly chasing the rabbit of 'older' card readers that are Prox only and it would be months of hell on their security people, plus tons of reader upgrades along the way. The R90 garage readers are the biggest PITA though, since HID doesn't make a multiclass version, you would have to change the reader first, then figure out how to let people into the garage while you're migrating them to Iclass cards.
So, long version, if you're considering using this article to migrate customers from Prox to Iclass, really spend some time thinking through the repercussions. If anyone has any suggestions about how better to do this sort of roll out, I'd love to hear about it..
Create New Topic
Undisclosed
What you do is to inquire if that garage entrance is otherwise fully compliant with the organizations current requirements. 'Cause if it's not they already owe themselves a hardware refresh. (and that gets even less pretty if we're having this conversation during an audit and I was about to submit this conversation in a report.)
And no I'm not trying to complain about the garage door opener the Queen uses to park the Rover in the garage sixteen layers inside the castle grounds. I realize the device features trump all but the most important security comments.
Create New Topic
Undisclosed End User #9
Regarding Prox cards 125khz... is there any difference in the ease of cloning between a 26 bit, 37 bit or 48bit card?
Create New Topic
Undisclosed
no. the length of the unencrypted number on the prox card makes no difference. none of those numbers are at all special
Create New Topic
Undisclosed End User #10
Thanks for the article! I'm going to order one for experimentation.
Create New Topic
Abdulwahab Al-Ibrahim
Amazing article.
thanks alot
Create New Topic
Ng Choy Mei
Great info
Create New Topic
Charng Haw Guo
Simple yet in depth!!
Create New Topic
Shannon Davis
Still to this day I will show a customer this "trick" and they still don't care! This is going to be a never ending process in my opinion.
Create New Topic
Undisclosed Integrator #11
What is appalling, is the fact that there are so many industry "professionals" that are unaware of the technologies that exist to defeat a number of these access control systems and card credential-only (no biometrics or multi-factor) based systems.
Create New Topic
Tim Reinarts
"What is appalling, is the fact that there are so many industry "professionals" that are unaware of the technologies that exist to defeat a number of these access control systems..."
What's even more disturbing is the fact that so many industry professionals ARE aware and continue to sell this older technology.
Create New Topic
Glenn-Erik Mathisen
04/19/21 02:25pm
For those of you interested in penetration testing there is a great resource over at Smart lockpicking.
Smart lockpicking
https://smartlockpicking.com/slides/HiP19_Cracking_Mifare_Classic_on_the_cheap_workshop.pdf
There are still many, lets say unsecure or outdated installations out there and I believe It's important to build some awareness.
In the Nordics we almost always pair the card with a personal PIN code, which adds a much needed layer of security when dealing with outdated formats.
Create New Topic
Tim Lawson
Does adding an additional layer of security, like an employee unique PIN, help the situation? Is the PIN encoded on the cards or inside the access control database?
Create New Topic
David Holt
I've successfully cloned 13.56 mhZ cards using a handheld device. This device can do iClass and standard Seos even (tried it on my gym last week). While they device is way more expensive than the ones discussed in this article, just a simple transition to standard 13.56 still prevents vulnerabilities.
We are working with HID on multi-credential card which will have several elite key Seos credentials. From my research, that's one of the highest forms of encryption available at the moment...would love to hear what others are doing.
Create New Topic