Hack Your Access Control With This $30 HID 125kHz Card Copier
By Brian Rhodes, Published Apr 13, 2021, 09:00am EDTMany access control systems that allow 125kHz cards can be easily hacked by a cheap $30 card copier. We overview this risk in the video below:
And this technical video below shows the steps in greater detail:
In our tests, we copied multiple 125 kHz formats and tested them on multiple readers. While very inexpensive, the card copier did not malfunction or create corrupted copies in any of the 15+ cards we copied.
The Big Risk
Indeed, to access control systems, these copies look identical to legit cards.
The test screenshot below, shows that card copies are indistinguishable from the HID factory original:
The risk is that unauthorized copies can be made and used to gain access, with no outward sign or record of being a duplicate.
Formats Matter
One specific caveat to this test: not all card types and formats are at risk. This particular tool can be used to copy 125kHz card types, including popular HID Prox, ISOProx, and Prox II formats, and several others commonly used in access control such as EM4100 and AWID formats.
Specifically, this tool cannot copy any 13.56MHz 'Smartcard' formats like the latest HID iClass, or DESFire/MIFARE varieties. One of the major differences between those formats is 13.56MHz formats are encrypted and the data they hold must be first decoded by the companion reader with a specific 'key' value, otherwise, the information they transmit in the open air is heavily hashed and obscured.
However, most 125kHz formats are simply not encrypted at all. This means the process of copying them simply energizes the card, and stores the information it broadcasts. Card details are stored on the card exactly as the system uses them, so sensitive card numbers and facility codes are easy to pull from thin air.
Vulnerable 125 kHz Common
Despite the risks of unsecured 125 kHz cards and fobs, they are commonly used and even preferred by many installers and end-users.
In our Favorite Access Control Credentials 2020, those vulnerable types still command 14% of the favorite votes:
Indeed, these credentials vulnerable to copiers are still used in tens of thousands of systems, with millions of issued credentials circulating every day.
Cheap & Easy To Get
The copier we tested was purchased for $30 shipped. Overall, the price of the unit tested was slightly higher due to the configuration of copying HID formats, but units as low as $10 can be purchased to copy basic EM4100 formats alone.
The kit we purchased was shipped with several blank re-writable keyfobs but we also purchased a box of 50 blank cards, so the material cost for this exploit is less than $45.
The chilling lesson is these products are very inexpensive, readily available, and sold by multiple vendors eager to ship the next day with no questions asked for anyone, crook or honest.
How It Works
The device used to copy the cards works much the same way as normal card readers, with transceiver coil, power supply, IC chip, buzzer, and even LEDs components shared by both:
Given the principal operation of contactless card readers, the copier excites the coil and delivers power wirelessly to the card, which then momentarily stores energy and then uses it to broadcast card details back to the copier. The image below shows a transparent example of a card, revealing all these components:
The copier includes a small amount of memory to store those details, and then pushes them to a blank card, writing them permanently as a copy.
Near Contact Required
One particular factor of this unit is cards to be copied must be held close to the copying antenna to work, a distance of less than 1". This is somewhat a benefit to cardholders because someone bent on stealing and spoofing card details must be very close to accomplish it.
However, the time needed to steal the information is fast - less than 5 seconds, and it is conceivable that someone could have card details copied and stolen without realizing it, especially in crowded groups of people.
But the method used by this device is available in other forms functional at longer distances - some claiming 5 feet range or more and often using modified off-the-shelf long-range readers:
These longer-range copiers are much more expensive ($500+ vs. $30), physically larger, and require more power than 2 AA batteries. However, carrying the components covertly in a backpack or briefcase means that those stealing cards can just blend in better with crowds.
Mitigating This Risk
So what can be done to prevent this exploit? The most straightforward step is to discontinue using HID (or any) 125 kHz cards, fobs, and readers and switch to encrypted and hashed 13.56 MHz formats.
Breaking down the three options, the most secure and fastest but highest cost and system impact method is the immediate replacement of both 125 kHz readers and user cards, while the least expensive but potentially slow and most vulnerable method is simply mounting a 13.56 MHz reader aside existing units and begin rotating new cards to users as needed.
The best mix of low cost, meaningful security improvement, and low system impact is to use a replacement reader that can scan multiple card frequencies and formats, often called 'multi-function' readers. This chart shows the trade-offs:
For more details, see our Hackable 125kHz Access Control Migration Guide.
[NOTE: This report was originally published in 2017 but was revised and a new video was added in 2021.]
19 reports cite this report:
Comments (91)
I used this very device and "Cloned" a card of the head of security of a large (1200 reader) end user during his visit to our HQ with his integrator....We got the green light on the smart card reader and credential upgrade on the spot. Must have for any outside sales person that is interested in demonstrating the advantages of using secure readers and credentials..
Great test and I had to buy one! Has IPVM thought about cloning old iClass or MiFare 13.56mhz cards in a test? I have heard that you can download apps on smart phones to do the hack/clone.
In terms of 13.56 MHz types, I believe the 'go to' gear for commercial copying/cracking product is sold under the ProxMark name by an outfit named RyscCorp.
They've commercialized 'kits' described by several whitepapers usually based on an Arduino. Overall, the methods and kits they use require some technical skill to use right, while the card copier in this post essentially requires none.
Yes, I have seen these and even thought about building one but never had the time to. I was recently working on a project that used MiFare Classic 1k cards and found some videos of people using smart phone apps to brute force hack them. I believe they require a "jail broken" Android phone which I do not have. Here is one example:
Wow, that's interesting and scary too.
The phone is using the onboard NFC and and an app to brute-force crack the card.
While that type of attack is bound to take a bunch of time and suck battery power down, someone could hide their complete hack toolbag into an Android phone! It would be extremely difficult to detect/ mitigate that risk.
(Yes, this is the widget I used for the card cloning demo at ISC West 2017.)
Some people use ISO 14443 cards ("13.56" in trunkslammer parlance) BUT ONLY USE THE CARD SERIAL NUMBER. The CSN number is not safe. You can buy blank cards, you can clone the card serial number. Yes, you have to buy the 100 dollar sketch widget on Amazon instead of the 30 dollar widget. CSN's are not safe (well, no safer than prox.) You need to use DESfire or Mifare Plus or something that really uses encrypted data on the card (encrypted with something an outdated android can't crack, like AES.) Or use PIV-like cards with full certificate-based crypto.
Hello Rodney:
The CSN is one of the only parts not impacted by which part type (A or B) of ISO 14443 is adopted. Does that sound right?
I believe that is correct. This gets into the subtleties of A vs. B in that one is essentially a floppy disk drive in a credit card (a memory device) and the other is an Apple II in a credit card (a computer running a protocol, with a secure key store.)
So sorry to hear that. In their elevators? Are they in the market for a security audit? Happy to bid on that.
Hacking the card reader in an elevator. What Could Go Wrong?
A static signal encrypted or not, is a static signal. I can clone anything that is static if you give me enough opportunities. And I don't mean a few days. Just a few moments.
The 125 kHz hack seems to be getting easier and easier. I think you'll be generating a few orders for this device .... for $30-40, it's worth having some fun with to show customers how easy it would be to clone a standard prox card.
Now, while the barn door is open, whatever happened after the magnetic exploit was exposed for thousands of Kaba Simplex pinpad locks a few years back?
Now, while the barn door is open, whatever happened after the magnetic exploit was exposed for thousands of Kaba Simplex pinpad locks a few years back?
I looked up this subject and found much information, specifically from Marc Weber Tobias on his site, http://www.security.org/ . An interesting general article about him is at https://www.wired.com/2009/05/ff-keymaster/?currentPage=all.
As far as the question, Kaba came out with a fix. Tobias said it prevented an attack like the one to which the unfixed locks were vulnerable, but he didn't rule out a stronger or more-carefully-shaped magnetic field circumventing that fix.
As a side note, his book about cracking Medeco's high security locks is on Amazon.
Do you know if Kantech ioprox XSF is hackable using the same method ml
We will purchase an ioprox XSF card and try it out. I'll report back here.
DO check out the antique crypto in the control panel while you're looking at Kantech. (check out the marketing blur they give you when you ask if Hattix is safe - it touts a bunch of now-ancient crypto features in the Kantech panels. So sad, they coulda used an Ultra.
So I bought one of these cloning devices and tested it on some Kantech ioProx XSF cards hoping it would give me an edge on an upcoming job bid. It doesn't work. It just flashes the read light ever second or so. I'm not knowledgeable enough to know what makes it more secure over the other cards, but it appears that ioProx XSF can be cloned from online services so maybe it's just a matter of finding a different cloning device?
Our XSF test materials are still in transit, so I have not had the chance to examine this in detail yet, so this is good feedback.
In terms of cloning XSF, this particular $30 device may not be able to do it.
However, that does not mean that other devices cannot. For example, this particular unit (~$430) isn't limited by formats, it can parse the general frequency.)
XSF Format can 'only' be used/understood by Kantech. Kantech appears to use a non-standard bit format (that only XSF readers can read), at the expense of being proprietary for both readers and cards. They also leverage software side 'decoding' that reorders the card data before associating it with a record on the database. So even if the card can be read by a copier, the information might not be rewritten in a usable way - this is where more testing is needed.
In short, the effect of using this format protects it from hacks like this $30 reader, but at the expense of 'not playing nice' with the rest of the readers/card products on the market, which some customers may have a problem with. Interesting strategy for Kantech, who can sell XSF's 'security' by its 'obscurity'.
Good feedback, Brian! We look forward to checking into XSF ourselves.
I gather these various schemes are mostly different forms of radio being used to sqawk an unencrypted value. "my badass radio tech uses four capacitors different than the other vendor" does not count as encryption even though some vendors act like it is. Note that there are reader vendors out there who can read all sorts of stuff - it's because they reconfigure their radios among the various combinations. I assume these duplicating houses have a bunch of readers and then some card generation gear.
Google "software defined radio" if you want to see why I have no respect for fancy radio waveform being a form of security.
"my badass radio tech uses four capacitors different than the other vendor" does not count as encryption even though some vendors act like it is.
+1 agree
There is a big difference between being 'slightly weird' and being encrypted, but manufacturer marketing doesn't observe that.
I have come to be very skeptical/ suspicious of words like 'encrypted' in physical access products. In many cases, it is just a non-standard implementation (like you mention), but it is not using cryptography at all.
You are right on the money with "Software Defined Radio". Those systems are every hacker's dream!!! Combine that with a $30 logic analyzer and a $5 Raspberry Pi Zero and the word "Security" takes on a new meaning.
I tried to copy an XSF card with this device and it would not read for our example copier either.
We may delve into XSF more deeply in a future post. However, like Brian H notes, there are several online services (like this one) that claim 99% copy success in duplicating those credentials.
The shortcoming is likely just the $30 copier, more sophisticated scanners/ copiers apparently work.
From the above with this device it appears the only 125-kHz proximity cards proven to be clone-able make use of FSK digital modulation. Would be interesting to test with 125-kHz proximity cards that make use of other digital modulation schemes, such as ASK and PSK.
Note I've observed a trend of rising sales of keypad proximity reader products. Adding an additional security layer to the access process (i.e. PIN: What one knows) may indeed be a response to the threat of unauthorized credential duplication.
Additionally, judging from my experience at the recent ISC West, interest is growing for highly proprietary 13.56-MHz contactless smartcard technology, such as NXP's DESFire EV1 and Legic's advent based cards.
Legic? Only seen it in a museum.
Some 13.56 is less proprietary than others. DESFire EV1/EV2 require vendor paperwork to have permission to learn how to encode them. Mifare, Mifare Plus (uses AES) are encodable with freely available information. PIV (NIST SP800-73-4 to be precise) is completely open. And there are other formats...
Does having an RF shielded card holder guard against this exploit? An example would be the Patriot TWIC/CAC card holder.
When the card is inserted in the shield, the shield essentially reflects the energizing field emitted by this copier or by any reader. The card remains unpowered, so the shield conceptually works.
You can test the shield yourself by trying it against any card reader. I have a cheap shield that I tested. My bare access card slowly approaching a reader reads at about 4" on this particular reader. Inside my cheap shield, the card reads at 1" (same reader). The cheap shield helps, but is not perfect. This 25% attenuation should be consistent with a long range reader.
I like the looks of this Patriot shield... it looks much better than my cheap foil type.
Regards,
Josh Bensadon
...however these shields are made for 14443 not prox. Prox is different radio tech than 14443
P.s. as a general matter if your physical security geeks are trying to talk to you about radio tech, they're talking about unencrypted cardholder data from a clonable device. FSK, PSK, AWID, all that stuff is low level radio tech. If your're not sending ciphertext over your radio then you're probably insecure.
Brian,
May I send this to the president of a non-profit with which I am affiliated?
I know they use card/token access, but I don't know what kind.
Thanks,
Craig
I have the cloner bought from Aliexpress and it can copy any cards (it doesn't matter 125KHz or 13.56MHz) except, HID iClass SE/Seos cards and NXP DESfire cards.
It can copy any of cards even the card has card numbers in certain sector in block. The cloner can decode the encoded card numbers in the block and copy.
So, if end users are using cards except HID iClass SE/Seos cards and NXP DESfire cards then you can show the demonstration and ask them to change the cards.
HID iClass SE/Seos cards and NXP DESfire cards have encrypted card data in the card only.
Can you provide a link to the product?
Note: this is the most read access control technical post we have ever done. I am happy to see the interest.
nice to see you had the nerve to do the post. Keep up the good work.
Thank you for sharing this Brian! This was a real eye opener.
Scary!! Food for thought when recommending a system!
It's scarier when your customer figures it out first and asks you why you sold them prox.
This makes me wish there was a "majorly agree" button. Certainly is scary. One step forward selling them a system, two steps back when a hack is released.
With a little research, this items sell for $8USD in Alibaba. (I don't know why, but when I read Alibaba, I always think of the 40 thieves!)
https://www.alibaba.com/product-detail/ID-Card-Copy-Machine-ID-card_60397692772.html
You can find some on Amazon for $22-24USD
There are two models of the low cost unit. the other model is more expensive and it will copy HID Pro Card II security block and all this one is $20USD
The factory is just 20minutes walk from me.
Would you consider opening this article to non-members? This is such an important topic, and one I've bashed my head against the metaphorical wall of cheap customers who don't care far too many times. It'd be nice to just send them this link and say "please at least read this".
Is it possible to blank out an enrolled card and re-write it using this device?
Yes, it is possible to over-write re-writable enrolled cards with copied information from this device.
Edit: To be clear, this device only writes to re-writable cards, not those fixed at the factory.
Is there a standard? Are cards generally manufactured as re-writable or fixed if not specified by the customer?
Cards are not typically re-writeable. Re-writeable cards are widely available and cheap, but the ones typically in access used are fixed and set at the factory with 'unique' details like factory codes and sequential numbers.
A sure way of knowing in your system is whether or not cards/fobs need to be programmed before they are issued. If not, they are not re-writeable/ blank cards to begin with.
Some types of cards cards are rewritable if you have the keys. In the physical security world there is an outdated notion nobody could generate the same card. This "set at the factory" deal is a scam used to lock you into a specific card vendor. The customer is supposed to be in charge of their own key material, it's not supposed to be held hostage by the card vendor.
This post is making a global impact.
Yesterday had an interesting chat with an international partner that involved this post. We both pondered how many access credentials are sold today on the basis of convenience, as opposed to security? And will the lessons learned in the shift from magnetic stripe to proximity to contactless smart card be reflected in the shift to mobile?
Also, we agreed this argument goes beyond integrators simply upgrading their end user customers to higher levels of security. He mentioned that he promotes to his integrators that more secure contactless smart cards also allow them to deliver additional services to their end users, such as biometrics, cashless vending, cafeteria plans and time and attendance, allowing these integrators to grow their businesses with their existing customer base.
You always read about and hear that Proximity card technology has been hacked. To that really meant nothing. Who cares right? Well the HID rep came in with this very device and cloned one of our cards and used it on a reader. Well the light bulb finally came on and that made sense. I bought one and 10 re-writable cards for less than $40. This is a game changer when talking to customers about why they need to get off of prox technology. I have disabled the beeper on mine so if the client has a card hanging from a lanyard or retractable cord I read the card without them knowing and then clone a card then read their door and they are blown away. I really should invest in the more expensive iclass cloner as well.
You mentioned that you read the card without them knowing then clone a card...
Forgive my ignorance here as I am still learning about access control. Are you able to determine the exact type of card based on visual inspection or do you have to ask which type it is? Then do you have to have stock of multiple different types of writeable cards in order to clone it or is there a one size fits all card?
I knew the card type before hand. This was an existing customer I did this with. I wouldn't do that to a potential customer without them knowing as could make me look a little shady.
Ah. I could see that being shady (for a potential new customer) without first announcing how easy it would be to clone a card.
Thanks!
Also, some of the more elegant copiers can scan through various card types and determine which type of card it is on their own, automatically, and then tell you what type of card it is. Some of the copiers can store the card credentials in memory indefinitely or until you erase them and you can actually play them back from The copier as opposed to from a card in the event you do not have the correct card with you at the time you perform your copy.
So, in summary which type of card is not easily duplicated?
of the standards based cards that would be Mifare Plus, DESFire, PIV.
HID iclassSE has not been hacked or able to be cloned yet due to the several layers of security.
Awesome article. Been wanting to research which cloner to buy to demo the lack of security of these cards. This saved me a ton of time and money. Didn't imagine the cloners were this cheap!
As help to me and others with limited knowledge in this area. Could there be a IPVM table with access technology - wether it's secure or insecure based on what we know now. And how it's compromised - Chinese cloners, smartphones etc :)
We've got a second round of 'copier' tests upcoming that will focus on 13.56 MHz types, but in general unless you're using DESFIRE EV2 or iClass SE Rev 2, exploits are easy to find. Most use phones or Arduino-based apparatus, not copier devices like this handheld.
I have not found a source claiming to have cracked DESFIRE EV2 or iClass SE. (EV1 is getting close to be an app-based, brute force copied format, but not quite yet. There are also claims from unrelated groups that SE has been broken, but the 'proof' hasn't been shared yet.) If anyone knows/ has seen these I am interested to learn more.
But make no mistake it will happen given enough time in the market, interest from hackers, and processing power as phone tech/ cheap CPU tech advances.
Some of the newest formats don't have widespread, convenient, $30 copiers that this post tests, but 'secure' technology is fleeting, just like 'unpickable' mechanical locks.
This may be an entirely different discussion or a tutorial, but I'm wondering about the differences between access cards. You mentioned iClass SE. We use iClass DP cards. What's the difference? And how do they differ from other iClass cards, Mifare, Prox, ProxII, Desfire. How about chip, vs no chip and the difference between chips.
Manufacturers? HID, Gemalto, etc.?
I'd also love to know more about readers. We use iclass at some sites, multiclass at several sites (multiclass is our global standard, so most installs after that standard was established have multiclass readers), Prox readers, etc.
We have a Siemens SiPass system at one site. Prior to install, they confirmed for us that it was compatible with iClass readers. It turns out that it is but Siemens modifies the readers to make them proprietary.
So, there are many nuances between cards and readers. It would be great to have more info on this.
This article was brought up by one of my sales guys yesterday when we were discussing a large client on Prox.
I'd love to move that customer away from Prox to Iclass, but they have a very old, very large system, including lots of R90 garage entrance long range readers. I'm afraid that even if they were willing to re issue thousands of Iclass cards to their employees, they would be constantly chasing the rabbit of 'older' card readers that are Prox only and it would be months of hell on their security people, plus tons of reader upgrades along the way. The R90 garage readers are the biggest PITA though, since HID doesn't make a multiclass version, you would have to change the reader first, then figure out how to let people into the garage while you're migrating them to Iclass cards.
So, long version, if you're considering using this article to migrate customers from Prox to Iclass, really spend some time thinking through the repercussions. If anyone has any suggestions about how better to do this sort of roll out, I'd love to hear about it..
One question on this: do they have R90 or MaxiProx 5375 long range readers?
The reason I'm asking is because I think R90 is 13.56 MHz/ iClass conformant, while the MaxiProx 5375 is the 125 khz model.
The 'migration' solution might be two use both long range readers in the same spot. There's a fair amount of work to go into that for certain, including adapting the controller for two readers which may not even be possible.
We're putting together a post on this topic for next week. Thanks for sharing this!
Look at the new BlueDiamond Bluetooth readers. They give you the range and they have a piggyback reader that you can put on an existing reader to enable dual use during transition. I'm hoping to test one soon. I'm not sold on Bluetooth yet, but the features make them something to look at seriously.
"I'd love to move that customer away from Prox to Iclass, but they have a very old, very large system, including lots of R90 garage entrance long range readers. I'm afraid that even if they were willing to re issue thousands of Iclass cards to their employees, they would be constantly chasing the rabbit of 'older' card readers that are Prox only and it would be months of hell on their security people, plus tons of reader upgrades along the way. The R90 garage readers are the biggest PITA though, since HID doesn't make a multiclass version, you would have to change the reader first, then figure out how to let people into the garage while you're migrating them to Iclass cards."
This probably depends on the customer's security budget, what they are securing, and whether or not they still feel adequately protected once you explain the situation to them. Almost always comes down to cost in the end. "Is it good enough on most days?"....
What you do is to inquire if that garage entrance is otherwise fully compliant with the organizations current requirements. 'Cause if it's not they already owe themselves a hardware refresh. (and that gets even less pretty if we're having this conversation during an audit and I was about to submit this conversation in a report.)
And no I'm not trying to complain about the garage door opener the Queen uses to park the Rover in the garage sixteen layers inside the castle grounds. I realize the device features trump all but the most important security comments.
Regarding Prox cards 125khz... is there any difference in the ease of cloning between a 26 bit, 37 bit or 48bit card?
no. the length of the unencrypted number on the prox card makes no difference. none of those numbers are at all special
Thanks for the article! I'm going to order one for experimentation.
Amazing article.
thanks alot
Still to this day I will show a customer this "trick" and they still don't care! This is going to be a never ending process in my opinion.
Seems like your customer is willing to accept the risk. In my experience there is always some elements of risk that the customer is willing to accept.
What is appalling, is the fact that there are so many industry "professionals" that are unaware of the technologies that exist to defeat a number of these access control systems and card credential-only (no biometrics or multi-factor) based systems.
"What is appalling, is the fact that there are so many industry "professionals" that are unaware of the technologies that exist to defeat a number of these access control systems..."
What's even more disturbing is the fact that so many industry professionals ARE aware and continue to sell this older technology.
For those of you interested in penetration testing there is a great resource over at Smart lockpicking.
https://smartlockpicking.com/slides/HiP19_Cracking_Mifare_Classic_on_the_cheap_workshop.pdf
There are still many, lets say unsecure or outdated installations out there and I believe It's important to build some awareness.
In the Nordics we almost always pair the card with a personal PIN code, which adds a much needed layer of security when dealing with outdated formats.
In the Nordics we almost always pair the card with a personal PIN code, which adds a much needed layer of security when dealing with outdated formats.
That's an interesting MFA approach - how often are those PINs changed?
Does adding an additional layer of security, like an employee unique PIN, help the situation? Is the PIN encoded on the cards or inside the access control database?
The pin would be in the database of the ACS on a low frequency card.
Does adding an additional layer of security, like an employee unique PIN, help the situation? Is the PIN encoded on the cards or inside the access control database?
It can add security, and is one of the methods used in Multi-Factor Access Control.
Structurally, a weakness are PINs are often insecure themselves, but if kept secure and used wisely, the PIN can overcome the weakness of a copied card because an additional detail is needed to be entered before the door unlocks.
In general, PINs are kept/stored/managed totally separate from the card itself (by the access database) and so the information cannot be copied.
