Hack Your Access Control With This $30 HID 125kHz Card Copier

By Brian Rhodes, Published Apr 13, 2021, 09:00am EDT

Many access control systems that accept 125 kHz cards can be defeated with a cheap $30 card copier. We give an overview of this risk in the video below:

And this technical video below shows the steps in greater detail:

In our tests, we copied multiple 125 kHz formats and tested them on multiple readers. While very inexpensive, the card copier did not malfunction or create corrupted copies in any of the 15+ cards we copied.

The Big Risk

Indeed, to access control systems, these copies look identical to legit cards.

The test screenshot below shows that card copies are indistinguishable from the HID factory original:


The risk is that unauthorized copies can be made and used to gain access, with no outward sign or record of being a duplicate.


Formats Matter

One specific caveat to this test: not all card types and formats are at risk. This particular tool can be used to copy 125kHz card types, including popular HID Prox, ISOProx, and Prox II formats, and several others commonly used in access control such as EM4100 and AWID formats.

Specifically, this tool cannot copy 13.56 MHz 'smart card' formats such as current HID iCLASS (SE/Seos) or DESFire/MIFARE Plus varieties. The key difference is that these formats protect the credential data with a secret key shared between card and reader: the reader must authenticate to the card before the stored data is released, and what crosses the air is ciphertext that a copier without the key cannot turn back into a usable credential. Two caveats apply. First, not every 13.56 MHz credential is in this category; older designs such as MIFARE Classic and the original iCLASS have had their keys recovered and can be cloned with more sophisticated tools (see our 13.56 MHz smart card copier test). Second, every 13.56 MHz card still transmits its serial number (CSN/UID) in the clear before any authentication, and a system configured to grant access on the CSN alone is no harder to clone than prox.

Most 125 kHz formats, by contrast, are not encrypted at all. The card is a fixed transmitter: energize it and it repeats the same bit pattern for as long as it is powered. Copying it therefore amounts to powering the card, recording that pattern, and writing the pattern onto a blank re-writable tag. The facility code and card number are encoded in those bits exactly as the reader forwards them to the controller (for HID Prox, typically as a 26-bit Wiegand frame), so the sensitive card data is easy to pull from thin air.
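As an added example (not code from the IPVM report, HID, or any copier vendor), here is what "stored exactly as the system uses them" means for the most common HID Prox format, the 26-bit H10301 layout: an encoder and decoder for the frame, a stand-in for the copier that just replays bits, and a stand-in for the panel that cannot tell original from clone. The facility code and card number are made up, and the type of writable tag named in the comments is an assumption.

```python
"""Added example: encode/decode the standard 26-bit HID H10301 frame and
simulate what a raw-bit copier does with it.  Illustrative code, not IPVM's
or HID's; the sample facility code and card number are constructed."""


def encode_h10301(facility_code: int, card_number: int) -> str:
    """Build the 26-bit frame: E | 8-bit facility code | 16-bit card number | O.
    E is even parity over the first 12 data bits, O is odd parity over the last 12."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = f"{facility_code:08b}{card_number:016b}"      # 24 data bits
    even = data[:12].count("1") % 2                       # makes bits 1-13 even
    odd = (data[12:].count("1") + 1) % 2                  # makes bits 14-26 odd
    return f"{even}{data}{odd}"


def decode_h10301(frame: str) -> tuple[int, int]:
    """Reverse the encoding, rejecting frames that fail either parity check;
    parity is the only integrity check a reader or panel performs."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("not a 26-bit frame")
    if frame[:13].count("1") % 2 != 0:
        raise ValueError("even parity error")
    if frame[13:].count("1") % 2 != 1:
        raise ValueError("odd parity error")
    return int(frame[1:9], 2), int(frame[9:25], 2)


def copier_clone(captured_bits: str) -> str:
    """What the $30 copier does: no decoding, no key, no transformation.
    The pattern sniffed from the powered card is written verbatim to a blank
    re-writable tag (assumption: a T5577-style writable 125 kHz chip)."""
    return captured_bits


def panel_decision(frame: str, enrolled: set[tuple[int, int]]) -> str:
    """The controller sees only (facility code, card number).  It has no way
    to tell an original from a clone; a corrupted copy is simply rejected."""
    try:
        credential = decode_h10301(frame)
    except ValueError:
        return "rejected: invalid frame"
    return "granted" if credential in enrolled else "denied: unknown card"


if __name__ == "__main__":
    ORIGINAL = encode_h10301(123, 45678)      # constructed sample credential
    CLONE = copier_clone(ORIGINAL)
    ENROLLED = {(123, 45678)}
    print(ORIGINAL, panel_decision(ORIGINAL, ENROLLED))
    print(CLONE, panel_decision(CLONE, ENROLLED))
    # Flip one bit: parity catches it, which is why a bad copy just fails to open
    # the door rather than opening it as a different card.
    damaged = CLONE[:5] + ("1" if CLONE[5] == "0" else "0") + CLONE[6:]
    print(damaged, panel_decision(damaged, ENROLLED))
```

The point of `copier_clone` is its emptiness: because the H10301 bits carry the facility code and card number in the clear with nothing but parity around them, a copier never needs to understand the format to produce a credential the panel accepts. Proprietary formats such as Kantech XSF (discussed in the comments) only change the bit layout, not this property.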

Vulnerable 125 kHz Common

Despite the risks of unsecured 125 kHz cards and fobs, they are commonly used and even preferred by many installers and end-users.

In our Favorite Access Control Credentials 2020, those vulnerable types still command 14% of the favorite votes:


Indeed, these credentials vulnerable to copiers are still used in tens of thousands of systems, with millions of issued credentials circulating every day.

Cheap & Easy To Get

The copier we tested was purchased for $30 shipped. Its price is slightly higher than the cheapest units because this model copies HID formats; units as low as $10 can be purchased that copy only basic EM4100 cards.

The kit we purchased was shipped with several blank re-writable keyfobs but we also purchased a box of 50 blank cards, so the material cost for this exploit is less than $45.

The chilling lesson is these products are very inexpensive, readily available, and sold by multiple vendors eager to ship the next day with no questions asked for anyone, crook or honest.

How It Works

The device used to copy the cards works much the same way as a normal card reader, and shares the same components: a transceiver coil, a power supply, an IC, a buzzer, and even LEDs:


As in any contactless card reader, the copier drives its coil to deliver power wirelessly to the card; the card momentarily stores that energy and uses it to broadcast its details back to the copier. The image below shows a transparent card, revealing all of these components:


The copier includes a small amount of memory to hold those details, and then writes them onto a blank re-writable card or fob, producing the copy.

Near Contact Required

One particular limitation of this unit is that the card to be copied must be held close to the copier antenna, less than 1" away. This is something of a benefit to cardholders, because someone bent on stealing and spoofing card details must get very close to do it.

However, the read itself is fast, less than 5 seconds, and it is conceivable that card details could be copied without the holder realizing it, especially in crowded groups of people.

But the same method is available in other forms that work at longer distances, some claiming a range of 5 feet or more, often built from modified off-the-shelf long-range readers:


These longer-range copiers are much more expensive ($500+ vs. $30), physically larger, and require more power than 2 AA batteries. However, carrying the components covertly in a backpack or briefcase means that those stealing cards can just blend in better with crowds.

Mitigating This Risk

So what can be done to prevent this exploit? The most straightforward step is to discontinue using HID (or any) 125 kHz cards, fobs, and readers and switch to 13.56 MHz smart card formats whose credential data is protected by a key (such as DESFire, MIFARE Plus, or iCLASS SE/Seos). The readers must also be configured to read that protected data: a 13.56 MHz reader that only passes the card serial number (CSN) to the controller gains nothing over prox.

There are three options. The most secure and fastest, but highest in cost and system impact, is immediate replacement of both the 125 kHz readers and the user cards. The least expensive, but potentially slowest and most vulnerable in the meantime, is to mount a 13.56 MHz reader alongside each existing unit and rotate new cards out to users as needed.

The best mix of low cost, meaningful security improvement, and low system impact is to replace readers with units that can read multiple card frequencies and formats, often called 'multi-technology' or 'multi-function' readers. Note that until the 125 kHz read is disabled on those readers (once all cards have been reissued), the old prox credentials and any copies of them still open the door. This chart shows the trade-offs:


For more details, see our Hackable 125kHz Access Control Migration Guide.

[NOTE: This report was originally published in 2017 but was revised and a new video was added in 2021.]

21 reports cite this report:

Contactless Access Credentials Guide on Aug 23, 2021
Contactless credentials are the most commonly used for access control...
HID: 91% Of Access Cards Potentially Insecure on Aug 05, 2021
HID, one of the world's largest access companies, said at the IPVM Access...
Selecting Access Control Readers Tutorial on May 11, 2021
Given the variety of types available, specifying access control readers can...
Favorite Access Control Credentials 2020 on Sep 15, 2020
Credential choice is more debated than ever, with hacking risk for 125kHz and...
Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see,...
Access Control Door Controllers Guide on Oct 22, 2019
Door controllers are at the center of physical access control systems...
ProdataKey (PDK) Access Company Profile on Aug 09, 2019
Utah based ProdataKey touts low cost cloud access, wireless controllers, and...
How To Troubleshoot Wiegand Reader Problems - Inverted Wiring on Jul 16, 2019
Wiegand is the dominant method of connecting access readers, but problems can...
Nortek Blue Pass Mobile Access Reader Tested on Jul 11, 2019
Nortek claims BluePass mobile readers are a 'more secure and easy to use...
OSDP Access Control Guide on Jun 04, 2019
Access control readers and controllers need to communicate. While Wiegand has...
Nortek Mobile Access Reader BluePass Examined on Feb 12, 2019
Nortek's Linear access control division claims to make mobile credentials...
Access Control Records Maintenance Guide on Jan 16, 2019
Weeding out old entries, turning off unused credentials, and updating who...
HID: Stop Selling Cracked 125 kHz Credentials on Nov 05, 2018
HID should stop selling cracked 125 kHz access control credentials, that have...
ADI Pushing Cracked 125 kHz Access Control on Oct 25, 2018
Security distribution giant ADI commonly promotes access bundles featuring...
Favorite Access Control Credentials 2018 on Mar 22, 2018
In this 2018 access integrator statistics result, which credential type holds...
New Whole Foods Installs Hackable Access Control (Upgraded) on Feb 21, 2018
Whole Foods has built a reputation for high quality. And their 2017 Amazon...
Nest Secure Alarm System Tested on Nov 16, 2017
Google's expansion continues, this time into home security with their Nest...
Smartcard Copier Tested (13.56MHz) on Jul 05, 2017
Copying 125kHz cards is certainly easy, as our test results showed, but how...
Biometrics Pros and Cons For Electronic Access Control on Jun 26, 2017
Biometrics has been long sought as an alternative to the security risks of...
Anti-Hack Access Card Shields Tested on May 26, 2017
Keeping your access control card information secure is becoming a big...
Cracked 125kHz Access Control Migration Guide on May 19, 2017
Despite being one of the most popular credentials, 125 kHz credentials are...

Comments (91)


I used this very device and "cloned" a card of the head of security of a large (1200 reader) end user during his visit to our HQ with his integrator. We got the green light on the smart card reader and credential upgrade on the spot. Must have for any outside sales person that is interested in demonstrating the advantages of using secure readers and credentials.


Great test and I had to buy one! Has IPVM thought about cloning old iClass or MIFARE 13.56 MHz cards in a test? I have heard that you can download apps on smart phones to do the hack/clone.


In terms of 13.56 MHz types, I believe the 'go to' gear for commercial copying/cracking product is sold under the ProxMark name by an outfit named RyscCorp.

They've commercialized 'kits' described by several whitepapers usually based on an Arduino.  Overall, the methods and kits they use require some technical skill to use right, while the card copier in this post essentially requires none.


Yes, I have seen these and even thought about building one but never had the time to.  I was recently working on a project that used MiFare Classic 1k cards and found some videos of people using smart phone apps to brute force hack them.  I believe they require a "jail broken" Android phone which I do not have.  Here is one example: 


Wow, that's interesting and scary too.

The phone is using the onboard NFC and an app to brute-force crack the card.

While that type of attack is bound to take a bunch of time and suck battery power down, someone could hide their complete hack toolbag into an Android phone!  It would be extremely difficult to detect/ mitigate that risk.


(Yes, this is the widget I used for the card cloning demo at ISC West 2017.)

 

Some people use ISO 14443 cards ("13.56" in trunkslammer parlance) BUT ONLY USE THE CARD SERIAL NUMBER. The CSN is not safe. You can buy blank cards; you can clone the card serial number. Yes, you have to buy the 100 dollar sketchy widget on Amazon instead of the 30 dollar widget. CSNs are not safe (well, no safer than prox). You need to use DESFire or MIFARE Plus or something that really uses encrypted data on the card (encrypted with something an outdated Android can't crack, like AES). Or use PIV-like cards with full certificate-based crypto.


Hello Rodney:

The CSN is one of the only parts not impacted by which part type (A or B) of ISO 14443 is adopted. Does that sound right?


I believe that is correct.  This gets into the subtleties of A vs. B in that one is essentially a floppy disk drive in a credit card (a memory device) and the other is an Apple II in a credit card (a computer running a protocol, with a secure key store.)


FYI, Thyssen uses CSN.


So sorry to hear that. In their elevators?  Are they in the market for a security audit?  Happy to bid on that.

Hacking the card reader in an elevator.  What Could Go Wrong?


A static signal encrypted or not, is a static signal. I can clone anything that is static if you give me enough opportunities. And I don't mean a few days. Just a few moments.


The 125 kHz hack seems to be getting easier and easier.  I think you'll be generating a few orders for this device .... for $30-40, it's worth having some fun with to show customers how easy it would be to clone a standard prox card.

Now, while the barn door is open, whatever happened after the magnetic exploit was exposed for thousands of Kaba Simplex pinpad locks a few years back?  


Now, while the barn door is open, whatever happened after the magnetic exploit was exposed for thousands of Kaba Simplex pinpad locks a few years back?

I looked up this subject and found much information, specifically from Marc Weber Tobias on his site, http://www.security.org/ . An interesting general article about him is at https://www.wired.com/2009/05/ff-keymaster/?currentPage=all.

As far as the question, Kaba came out with a fix. Tobias said it prevented an attack like the one to which the unfixed locks were vulnerable, but he didn't rule out a stronger or more-carefully-shaped magnetic field circumventing that fix.

As a side note, his book about cracking Medeco's high security locks is on Amazon.


Do you know if Kantech ioProx XSF is hackable using the same method?


We will purchase an ioprox XSF card and try it out.  I'll report back here.


DO check out the antique crypto in the control panel while you're looking at Kantech. (Check out the marketing blurb they give you when you ask if Hattix is safe; it touts a bunch of now-ancient crypto features in the Kantech panels.) So sad, they coulda used an Ultra.


So I bought one of these cloning devices and tested it on some Kantech ioProx XSF cards hoping it would give me an edge on an upcoming job bid. It doesn't work. It just flashes the read light every second or so. I'm not knowledgeable enough to know what makes it more secure over the other cards, but it appears that ioProx XSF can be cloned by online services, so maybe it's just a matter of finding a different cloning device?


Our XSF test materials are still in transit, so I have not had the chance to examine this in detail yet, so this is good feedback.

In terms of cloning XSF, this particular $30 device may not be able to do it.

However, that does not mean that other devices cannot. For example, this particular unit (~$430) isn't limited by formats; it can parse the general frequency.

XSF Format can 'only' be used/understood by Kantech.  Kantech appears to use a non-standard bit format (that only XSF readers can read), at the expense of being proprietary for both readers and cards.  They also leverage software side 'decoding' that reorders the card data before associating it with a record on the database.  So even if the card can be read by a copier, the information might not be rewritten in a usable way - this is where more testing is needed.

In short, the effect of using this format protects it from hacks like this $30 reader, but at the expense of 'not playing nice' with the rest of the readers/card products on the market, which some customers may have a problem with.  Interesting strategy for Kantech, who can sell XSF's 'security' by its 'obscurity'.

Good feedback, Brian!  We look forward to checking into XSF ourselves.

 


I gather these various schemes are mostly different forms of radio being used to squawk an unencrypted value. "My badass radio tech uses four capacitors different than the other vendor" does not count as encryption even though some vendors act like it is. Note that there are reader vendors out there who can read all sorts of stuff; it's because they reconfigure their radios among the various combinations. I assume these duplicating houses have a bunch of readers and then some card generation gear.

Google "software defined radio" if you want to see why I have no respect for fancy radio waveform being a form of security.


"my badass radio tech uses four capacitors different than the other vendor" does not count as encryption even though some vendors act like it is.

+1 agree

There is a big difference between being 'slightly weird' and being encrypted, but manufacturer marketing doesn't observe that.

I have come to be very skeptical/ suspicious of words like 'encrypted' in physical access products.  In many cases, it is just a non-standard implementation (like you mention), but it is not using cryptography at all.

 


I use a HackRF One, modified software toolkit, RPi with Linux and an additional toolkit. Pen-testing and generating revenue on the daily. Access control is merely a deterrent. If you have access to the data bus lines beyond the readers and there is no encryption end to end all the way back to the panel, you can glean information right off of the data bus lines and play it back. There are clip-on devices that can be used to do that with Wi-Fi and other tool kits. Many customers are even too cheap to pay for the door contacts (or integrators are too cheap or lazy to put them in), so they have no idea whether the doors actually open or not. If it's built into the strike or unlocking device it's better. If I want to keep it really simple, a decent pry bar goes a long way, or a good steel toe boot. The walls adjacent to many "secure" doors can be punched right through, unless brick, block or mesh screen are in play. Now if secure and unsecured sides both have drop ceiling and there's an RTE device available and you have a collapsible ladder in the backpack, in you go. Many commercial spaces are not fortified like military or other hardened facilities. None of the above really works in correctional facilities; they are a different beast altogether. Generally speaking, in the commercial world it's all a big facade.


You are right on the money with "Software Defined Radio".  Those systems are every hacker's dream!!!  Combine that with a $30 logic analyzer and a $5 Raspberry Pi Zero and the word "Security" takes on a new meaning.

 

 


I tried to copy an XSF card with this device and it would not read for our example copier either.

We may delve into XSF more deeply in a future post. However, like Brian H notes, there are several online services (like this one) that claim 99% copy success in duplicating those credentials. 

The shortcoming is likely just the $30 copier, more sophisticated scanners/ copiers apparently work.


From the above with this device it appears the only 125-kHz proximity cards proven to be clone-able make use of FSK digital modulation.  Would be interesting to test with 125-kHz proximity cards that make use of other digital modulation schemes, such as ASK and PSK.

Note I've observed a trend of rising sales of keypad proximity reader products.  Adding an additional security layer to the access process (i.e. PIN: What one knows) may indeed be a response to the threat of unauthorized credential duplication.

Additionally, judging from my experience at the recent ISC West, interest is growing for highly proprietary 13.56-MHz contactless smartcard technology, such as NXP's DESFire EV1 and Legic's advent based cards. 


Legic? Only seen it in a museum.

Some 13.56 is less proprietary than others.  DESFire EV1/EV2 require vendor paperwork to have permission to learn how to encode them.  Mifare, Mifare Plus (uses AES) are encodable with freely available information.  PIV (NIST SP800-73-4 to be precise) is completely open.  And there are other formats...

 

 

 


Ha!  Ok, in a museum, or Switzerland, Germany and Austria.


Does having an RF shielded card holder guard against this exploit?  An example would be the Patriot TWIC/CAC card holder.  


When the card is inserted in the shield, the shield essentially reflects the energizing field emitted by this copier or by any reader.  The card remains unpowered, so the shield conceptually works.


You can test the shield yourself by trying it against any card reader.  I have a cheap shield that I tested.  My bare access card slowly approaching a reader reads at about 4" on this particular reader.  Inside my cheap shield, the card reads at 1" (same reader).  The cheap shield helps, but is not perfect.  This 25% attenuation should be consistent with a long range reader.  

I like the looks of this Patriot shield... it looks much better than my cheap foil type.

Regards,
Josh Bensadon

 


My experience with some of the cheaper shields is that they do not do well with the 125kHz cards, but work better with the 13.56 MHz cards.

 

Mark...


...however these shields are made for 14443 not prox.    Prox is different radio tech than 14443

P.S. As a general matter, if your physical security geeks are trying to talk to you about radio tech, they're talking about unencrypted cardholder data from a clonable device. FSK, PSK, AWID, all that stuff is low level radio tech. If you're not sending ciphertext over your radio then you're probably insecure.


Brian,

May I send this to the president of a non-profit with which I am affiliated?

I know they use card/token access, but I don't know what kind.

Thanks,

Craig


Hello Craig:

Yes, that is fine.  Thank you for asking.


I have the cloner bought from Aliexpress and it can copy any cards (it doesn't matter 125KHz or 13.56MHz) except, HID iClass SE/Seos cards and NXP DESfire cards.

It can copy any card, even if the card has card numbers in a certain sector or block. The cloner can decode the encoded card numbers in the block and copy them.

So, if end users are using cards except HID iClass SE/Seos cards and NXP DESfire cards then you can show the demonstration and ask them to change the cards.

 

HID iClass SE/Seos cards and NXP DESfire cards have encrypted card data in the card only.


Can you provide a link to the product?


Of course I can.  Aliexpress.com Link


It looks to me that that device can only clone the UID of a 13.56 MHz card though?

So if the access control system is using something other than the UID of the 13.56 MHz card (a site code based card format perhaps), it's not going to grant access via the cloned card...

Or am I understanding the technology wrong?


Be careful, there are different versions of this copier that look 'exactly' the same but cannot read the 13.56 MHz signal even though they claim they can. I've tried five different variants; two of the five actually were able to perform as advertised.


Note: this is the most read access control technical post we have ever done. I am happy to see the interest.


nice to see you had the nerve to do the post.  Keep up the good work. 

 


you had the nerve to do the post

Nerve? Do you see the posts IPVM publishes? It is not about nerve. We just did not think that there would be such interest. Happy to do more now. Rhodes just ordered another one of these devices to test.


Thank you for sharing this Brian! This was a real eye opener. 


Scary!! Food for thought when recommending a system!


It's scarier when your customer figures it out first and asks you why you sold them prox. 


This makes me wish there was a "majorly agree" button. Certainly is scary. One step forward selling them a system, two steps back when a hack is released.


With a little research, these items sell for $8 USD on Alibaba. (I don't know why, but when I read Alibaba, I always think of the 40 thieves!)

https://www.alibaba.com/product-detail/ID-Card-Copy-Machine-ID-card_60397692772.html

You can find some on Amazon for $22-24USD

There are two models of the low cost unit. The other model is more expensive and will copy the HID ProxCard II security block and all; this one is $20 USD.

The factory is just 20minutes walk from me.


Would you consider opening this article to non-members? This is such an important topic, and one I've bashed my head against the metaphorical wall of cheap customers who don't care far too many times. It'd be nice to just send them this link and say "please at least read this".


#6, I've made the post body public.


Much appreciated!


Is it possible to blank out an enrolled card and re-write it using this device?


Yes, it is possible to over-write re-writable enrolled cards with copied information from this device. 

Edit: To be clear, this device only writes to re-writable cards, not those fixed at the factory.


Is there a standard? Are cards generally manufactured as re-writable or fixed if not specified by the customer?


Cards are not typically re-writeable. Re-writeable cards are widely available and cheap, but the ones typically used in access are fixed and set at the factory with 'unique' details like facility codes and sequential numbers.

A sure way of knowing in your system is whether or not cards/fobs need to be programmed before they are issued.  If not, they are not re-writeable/ blank cards to begin with.


Some types of cards cards are rewritable if you have the keys.  In the physical security world there is an outdated notion nobody could generate the same card.  This "set at the factory" deal is a scam used to lock you into a specific card vendor.  The customer is supposed to be in charge of their own key material, it's not supposed to be held hostage by the card vendor.


Some of the copiers lock the rewritable cards after writing to them so that only that copier can rewrite to the card in the future.


This post is making a global impact.

Yesterday had an interesting chat with an international partner that involved this post.  We both pondered how many access credentials are sold today on the basis of convenience, as opposed to security?  And will the lessons learned in the shift from magnetic stripe to proximity to contactless smart card be reflected in the shift to mobile?

Also, we agreed this argument goes beyond integrators simply upgrading their end user customers to higher levels of security.  He mentioned that he promotes to his integrators that more secure contactless smart cards also allow them to deliver additional services to their end users, such as biometrics, cashless vending, cafeteria plans and time and attendance, allowing these integrators to grow their businesses with their existing customer base.


You always read about and hear that proximity card technology has been hacked. To me that really meant nothing. Who cares, right? Well, the HID rep came in with this very device and cloned one of our cards and used it on a reader. Well, the light bulb finally came on and that made sense. I bought one and 10 re-writable cards for less than $40. This is a game changer when talking to customers about why they need to get off of prox technology. I have disabled the beeper on mine, so if the client has a card hanging from a lanyard or retractable cord I read the card without them knowing, then clone a card, then read their door, and they are blown away. I really should invest in the more expensive iClass cloner as well.


You mentioned that you read the card without them knowing then clone a card...

Forgive my ignorance here as I am still learning about access control. Are you able to determine the exact type of card based on visual inspection or do you have to ask which type it is? Then do you have to have stock of multiple different types of writeable cards in order to clone it or is there a one size fits all card?


I knew the card type before hand. This was an existing customer I did this with. I wouldn't do that to a potential customer without them knowing as could make me look a little shady. 


Ah. I could see that being shady (for a potential new customer) without first announcing how easy it would be to clone a card.

 

Thanks!


Also, some of the more elegant copiers can scan through various card types and determine which type of card it is on their own, automatically, and then tell you what type of card it is. Some of the copiers can store the card credentials in memory indefinitely or until you erase them, and you can actually play them back from the copier as opposed to from a card, in the event you do not have the correct card with you at the time you perform your copy.


So, in summary which type of card is not easily duplicated?


Of the standards-based cards, that would be MIFARE Plus, DESFire, PIV.


HID iclassSE has not been hacked or able to be cloned yet due to the several layers of security. 


Awesome article. Been wanting to research which cloner to buy to demo the lack of security of these cards. This saved me a ton of time and money. Didn't imagine the cloners were this cheap! 


As a help to me and others with limited knowledge in this area: could there be an IPVM table with access technology, whether it's secure or insecure based on what we know now, and how it's compromised (Chinese cloners, smartphones, etc.)? :)


We've got a second round of 'copier' tests upcoming that will focus on 13.56 MHz types, but in general, unless you're using DESFire EV2 or iClass SE Rev 2, exploits are easy to find. Most use phones or Arduino-based apparatus, not copier devices like this handheld.

I have not found a source claiming to have cracked DESFire EV2 or iClass SE. (EV1 is getting close to being an app-based, brute-force-copied format, but not quite yet. There are also claims from unrelated groups that SE has been broken, but the 'proof' hasn't been shared yet.) If anyone knows of/has seen these, I am interested to learn more.

But make no mistake, it will happen given enough time in the market, interest from hackers, and processing power as phone tech/cheap CPU tech advances.

Some of the newest formats don't have the widespread, convenient $30 copiers that this post tests, but 'secure' technology is fleeting, just like 'unpickable' mechanical locks.

Agree: 2
Informative: 2

This may be an entirely different discussion or a tutorial, but I'm wondering about the differences between access cards. You mentioned iClass SE. We use iClass DP cards. What's the difference? And how do they differ from other iClass cards, MIFARE, Prox, Prox II, DESFire? How about chip vs. no chip, and the difference between chips?

Manufacturers? HID, Gemalto, etc.?

I'd also love to know more about readers. We use iClass at some sites, multiCLASS at several sites (multiCLASS is our global standard, so most installs after that standard was established have multiCLASS readers), Prox readers, etc.

We have a Siemens SiPass system at one site. Prior to install, they confirmed for us that it was compatible with iClass readers. It turns out that it is, but Siemens modifies the readers to make them proprietary.

So, there are many nuances between cards and readers. It would be great to have more info on this.

Agree: 1
Informative: 1

This article was brought up by one of my sales guys yesterday when we were discussing a large client on Prox.

I'd love to move that customer away from Prox to iClass, but they have a very old, very large system, including lots of R90 garage entrance long-range readers. I'm afraid that even if they were willing to re-issue thousands of iClass cards to their employees, they would be constantly chasing the rabbit of 'older' card readers that are Prox only, and it would be months of hell on their security people, plus tons of reader upgrades along the way. The R90 garage readers are the biggest PITA though, since HID doesn't make a multiCLASS version; you would have to change the reader first, then figure out how to let people into the garage while you're migrating them to iClass cards.

So, long version: if you're considering using this article to migrate customers from Prox to iClass, really spend some time thinking through the repercussions. If anyone has any suggestions about how better to do this sort of roll-out, I'd love to hear about it.

Agree: 2
Informative: 1

One question on this: do they have R90 or MaxiProx 5375 long-range readers?

The reason I'm asking is because I think the R90 is 13.56 MHz/iClass conformant, while the MaxiProx 5375 is the 125 kHz model.

The 'migration' solution might be to use both long-range readers in the same spot. There's a fair amount of work to go into that for certain, including adapting the controller for two readers, which may not even be possible.

We're putting together a post on this topic for next week. Thanks for sharing this!

Agree: 1
Informative: 1

MaxiProx. Sorry, I used the wrong part. Old big grey units, Prox only.


Look at the new BlueDiamond Bluetooth readers. They give you the range, and they have a piggyback reader that you can put on an existing reader to enable dual use during transition. I'm hoping to test one soon. I'm not sold on Bluetooth yet, but the features make them something to look at seriously.

Informative: 1

"I'd love to move that customer away from Prox to iClass, but they have a very old, very large system, including lots of R90 garage entrance long-range readers. I'm afraid that even if they were willing to re-issue thousands of iClass cards to their employees, they would be constantly chasing the rabbit of 'older' card readers that are Prox only, and it would be months of hell on their security people, plus tons of reader upgrades along the way. The R90 garage readers are the biggest PITA though, since HID doesn't make a multiCLASS version; you would have to change the reader first, then figure out how to let people into the garage while you're migrating them to iClass cards."

This probably depends on the customer's security budget, what they are securing, and whether or not they still feel adequately protected once you explain the situation to them. Almost always comes down to cost in the end. "Is it good enough on most days?"....


What you do is inquire whether that garage entrance is otherwise fully compliant with the organization's current requirements. 'Cause if it's not, they already owe themselves a hardware refresh. (And that gets even less pretty if we're having this conversation during an audit and I was about to submit this conversation in a report.)

And no, I'm not trying to complain about the garage door opener the Queen uses to park the Rover in the garage sixteen layers inside the castle grounds. I realize the device features trump all but the most important security comments.


Regarding 125 kHz Prox cards: is there any difference in the ease of cloning between a 26-bit, 37-bit or 48-bit card?


No. The length of the unencrypted number on the prox card makes no difference. None of those numbers are at all special.

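To make the point of the two comments above concrete, here is an added example (not code from the original thread or from HID) that decodes and re-encodes the two most common HID 125 kHz Wiegand layouts, the 26-bit H10301 (facility code + card number) and the 37-bit H10302 (card number only), checking the parity bits the way a reader does. The bit layouts are the published open formats; the sample facility code and card numbers are constructed for the example and do not belong to any real card. Whatever the bit length, the whole payload is a plain bit string with two parity bits and no key, so a copier only has to replay the same bits.

```python
"""Decode / encode HID 125 kHz prox payloads (H10301 26-bit, H10302 37-bit).

Added example, not from the original post. Frames are bit strings, MSB first,
exactly as a reader would receive them over Wiegand.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Credential:
    fmt: str
    facility_code: Optional[int]   # H10302 has no facility code
    card_number: int


def _parity(bits: str) -> int:
    """Even-parity value of a bit string (1 if the number of 1s is odd)."""
    return bits.count("1") % 2


def decode(bits: str) -> Credential:
    """Parse a Wiegand frame and verify its parity bits; raise on corruption."""
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("frame must be a non-empty string of 0/1")
    n = len(bits)
    if n == 26:  # H10301: EP | 8-bit FC | 16-bit CN | OP
        ep, fc, cn, op = bits[0], bits[1:9], bits[9:25], bits[25]
        if int(ep) != _parity(bits[1:13]):        # even parity over bits 1..12
            raise ValueError("H10301 even parity mismatch")
        if int(op) != 1 - _parity(bits[13:25]):   # odd parity over bits 13..24
            raise ValueError("H10301 odd parity mismatch")
        return Credential("H10301", int(fc, 2), int(cn, 2))
    if n == 37:  # H10302: EP | 35-bit CN | OP
        ep, cn, op = bits[0], bits[1:36], bits[36]
        if int(ep) != _parity(bits[1:19]):        # even parity over bits 1..18
            raise ValueError("H10302 even parity mismatch")
        if int(op) != 1 - _parity(bits[18:36]):   # odd parity over bits 18..35
            raise ValueError("H10302 odd parity mismatch")
        return Credential("H10302", None, int(cn, 2))
    raise ValueError(f"unsupported frame length {n}")


def encode(cred: Credential) -> str:
    """Build the frame for a credential; inverse of decode()."""
    if cred.fmt == "H10301":
        if cred.facility_code is None or not 0 <= cred.facility_code < 256:
            raise ValueError("H10301 needs an 8-bit facility code")
        if not 0 <= cred.card_number < 65536:
            raise ValueError("H10301 card number must fit in 16 bits")
        body = f"{cred.facility_code:08b}{cred.card_number:016b}"
        return f"{_parity(body[:12])}{body}{1 - _parity(body[12:])}"
    if cred.fmt == "H10302":
        if not 0 <= cred.card_number < (1 << 35):
            raise ValueError("H10302 card number must fit in 35 bits")
        body = f"{cred.card_number:035b}"
        return f"{_parity(body[:18])}{body}{1 - _parity(body[17:])}"
    raise ValueError(f"unsupported format {cred.fmt}")


def clone(bits: str) -> str:
    """What the $30 copier does: validate the read, then emit identical bits."""
    decode(bits)   # a corrupt read fails parity here and would not be stored
    return bits    # nothing to crack: no key, no secret, any length


# Constructed samples (not real cards): FC 42 / card 12345, and a 37-bit card.
SAMPLE_26 = encode(Credential("H10301", 42, 12345))
SAMPLE_37 = encode(Credential("H10302", None, 123456789))

if __name__ == "__main__":
    for frame in (SAMPLE_26, SAMPLE_37):
        print(len(frame), frame, decode(frame), "clone identical:", clone(frame) == frame)
```

The only thing a longer format buys is a larger number space, which matters against guessing a valid card number over the air, not against copying one that was just read.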

Thanks for the article! I'm going to order one for experimentation. 


Amazing article.

Thanks a lot.


Great info


Simple yet in depth!!


Still to this day I will show a customer this "trick" and they still don't care! This is going to be a never ending process in my opinion.

Agree: 1

Seems like your customer is willing to accept the risk. In my experience there is always some element of risk that the customer is willing to accept.


What is appalling is the fact that there are so many industry "professionals" that are unaware of the technologies that exist to defeat a number of these access control systems and card-credential-only (no biometrics or multi-factor) based systems.

Agree: 1

"What is appalling, is the fact that there are so many industry "professionals" that are unaware of the technologies that exist to defeat a number of these access control systems..."

What's even more disturbing is the fact that so many industry professionals ARE aware and continue to sell this older technology.

Agree: 2
Informative: 1

"What's even more disturbing is the fact that so many industry professionals ARE aware and continue to sell this older technology."

I think some integrators (or end users themselves) are applying a "cost/risk" assessment to the decision-making process and determining an acceptable risk to take in order to have some baseline electronic security in place. As others have mentioned, if you use a 2FA method (i.e. PIN + card), even with the less secure 125 kHz prox readers, you can still be "secure enough" in some environments. Many lower-cost or older systems will give you at least that capability.

Agree: 1

For those of you interested in penetration testing, there is a great resource over at Smart Lockpicking:

https://smartlockpicking.com/slides/HiP19_Cracking_Mifare_Classic_on_the_cheap_workshop.pdf

There are still many, let's say, insecure or outdated installations out there, and I believe it's important to build some awareness.

In the Nordics we almost always pair the card with a personal PIN code, which adds a much-needed layer of security when dealing with outdated formats.

Informative: 1

"In the Nordics we almost always pair the card with a personal PIN code, which adds a much-needed layer of security when dealing with outdated formats."

That's an interesting MFA approach - how often are those PINs changed?


Whenever a catastrophic event such as a database corruption occurs I would wager.

Jest aside, I'm guessing the vast majority change them extremely rarely.


Does adding an additional layer of security, like an employee unique PIN, help the situation? Is the PIN encoded on the cards or inside the access control database?


The PIN would be in the database of the ACS for a low-frequency card.


"Does adding an additional layer of security, like an employee unique PIN, help the situation? Is the PIN encoded on the cards or inside the access control database?"

It can add security, and is one of the methods used in Multi-Factor Access Control.

Structurally, a weakness is that PINs are often insecure themselves, but if kept secure and used wisely, the PIN can overcome the weakness of a copied card, because an additional detail needs to be entered before the door unlocks.

In general, PINs are kept/stored/managed totally separate from the card itself (by the access database) and so the information cannot be copied.

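As an added illustration of the last few replies (example code, not from the original thread or any real panel), the model below keeps the PIN entirely in the access control database, separate from the card number that a copier reproduces. A cloned card is indistinguishable at a card-only door and is granted; at a card+PIN door the same clone is refused without the PIN, and repeated wrong guesses lock the credential. The hashing scheme (salted PBKDF2), the lockout threshold and the sample card/PIN are assumptions chosen for the example.

```python
"""Where the PIN lives in a card+PIN access control system (added example).

The card carries only its number, the part a copier reproduces. The PIN is
never on the card: it is stored hashed in the ACS database and checked by
the controller at doors configured for card+PIN.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Assumed policy for this example: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class AccessControlSystem:
    def __init__(self, max_pin_failures: int = 3) -> None:
        # card_number -> (salt, pin_hash); populated with constructed data in demo().
        self._db: Dict[int, Tuple[bytes, bytes]] = {}
        self._failures: Dict[int, int] = {}
        self.max_pin_failures = max_pin_failures

    def enroll(self, card_number: int, pin: str) -> None:
        salt = os.urandom(16)
        self._db[card_number] = (salt, hash_pin(pin, salt))
        self._failures[card_number] = 0

    def request(self, door_requires_pin: bool, card_number: int,
                pin: Optional[str] = None) -> str:
        """Decide one read at a door; returns 'grant' or a denial reason."""
        if card_number not in self._db:
            return "deny: unknown card"
        if not door_requires_pin:
            # Card-only door: a copied card presents the same number, so it passes.
            return "grant"
        if self._failures[card_number] >= self.max_pin_failures:
            return "deny: credential locked"
        if pin is None:
            return "deny: pin required"
        salt, stored = self._db[card_number]
        if hmac.compare_digest(hash_pin(pin, salt), stored):  # constant-time compare
            self._failures[card_number] = 0
            return "grant"
        self._failures[card_number] += 1
        return "deny: wrong pin"


def demo() -> Tuple[str, str, str]:
    """Same cloned card number at a card-only door and at a card+PIN door."""
    acs = AccessControlSystem()
    acs.enroll(12345, "4821")          # constructed sample credential
    cloned_card = 12345                # the copier reproduced the number exactly
    card_only = acs.request(False, cloned_card)
    pin_door_no_pin = acs.request(True, cloned_card)
    pin_door_guess = acs.request(True, cloned_card, "0000")
    return card_only, pin_door_no_pin, pin_door_guess


if __name__ == "__main__":
    print(demo())  # the clone passes the card-only door and fails the PIN door
```

The point the model makes: nothing a copier can read off the card contains the PIN, so the second factor survives cloning as long as the PIN itself is not shared, written on the card, or guessable within the lockout budget.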