Hack Your Access Control With This $30 HID 125kHz Card Copier

By Brian Rhodes, Published on May 01, 2017

You might have heard the stories or seen the YouTube videos of random people hacking electronic access control systems.

The tools that claim to do this are available widely, including at eBay for just $30 [link no longer available].

We bought one of these cheap gadgets, shown below:

Inside, find our full test results, including a demo video of how easy it is to do, how widely these cards are deployed, and what steps you can take to cut the risk.

Easy HID Card Copies

Our demo video below shows how the $30 copier can be used in seconds to spoof HID 125kHz formatted access cards:

In our test, we copied multiple 125 kHz formats and tested them on multiple readers. While very cheap, the card copier did not malfunction or create corrupted copies in any of the 15+ cards we copied.

The Big Risk

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Indeed, to access control systems, these copies look identical to legit cards. The screenshot below, for our test shows that multiple copies are indistinguishable from the HID factory original:

The risk is that unauthorized copies can be made and used to gain access, with no outward sign or record of being a duplicate.

Formats Matter

One specific caveat to this test: not all card types and formats are at risk. This particular tool can be used to copy 125kHz card types, including popular HID Prox, ISOProx, and Prox II formats, and several others commonly used in access control such as EM4100 and AWID formats.

Specifically this tool cannot copy any 13.56MHz 'Smartcard' formats like HID iClass, or DESFire/MIFARE varieties. One of the major differences between those formats is 13.56MHz formats are encrypted and the data they hold must be first decoded by the companion reader with a specific 'key' value, otherwise the information they transmit in open air is heavily hashed and obscured.

However, most 125kHz formats are simply not encrypted at all. This means the process of copying them simply energizes the card, and stores the information it broadcasts. Card details are stored on the card exactly as the system uses them, so sensitive card numbers and facility codes are easy to pull from thin air.

Vulnerable 125 kHz Common

Despite the risks of unsecured 125 kHz cards and fobs, they are commonly used and even preferred by many installers and end users. In our Favorite Access Control Credentials 2016, those vulnerable types command 32% of the favorite votes:

Indeed, these credentials vulnerable to copiers are still used in tens of thousands of systems, with millions of issued credentials circulating every day.

Cheap & Easy To Get

The copier we tested was purchased for $30 shipped [link no longer available]. Overall, the price of the unit tested was slightly higher due to the configuration of copying HID formats, but units as low as $10 [link no longer available] can be purchased to copy basic EM4100 formats alone.

The kit we purchased was shipped with several blank re-writable keyfobs, but were not a suitable blank format needed to copy HID cards. So we bought a box of HID compatible card formats (T5557) for $0.35 cents each, for a total test package costing less than $45.

The chilling lesson is these products are very inexpensive, readily available, and sold by multiple vendors eager to ship next day with no questions asked to anyone, crook or honest.

How It Works

The device used to copy the cards works much the same way as normal card readers, with transceiver coil, power supply, IC chip, buzzer and even LEDs components shared by both:

Given the principal operation of contactless card readers, the copier excites the coil and delivers power wirelessly to the card, which then momentarily stores energy and then uses it to broadcast card details back to the copier. The image below shows a transparent example of a card, revealing all these components:

The copier includes a small amount of memory to store those details, and then pushes them to a blank card, writing them permanently as a copy.

Near Contact Required

One particular factor of this unit are cards to be copied must be held close to the copying antenna to work, a distance of less than 1". This is somewhat a benefit to cardholders, because someone bent on stealing and spoofing card details must be very close to do it.

However, the time needed to steal the information is fast - less than 5 seconds, and it is conceivable that someone could have card details copied and stolen without realizing it, especially in crowded groups of people.

But the method used by this device is available in other forms functional at longer distances - some claiming 5 feet range or more and often using modified off-the-shelf long range readers:

These longer range copiers are much more expensive ($500+ vs. $30), physically larger, and require more power than 2 AA batteries. However, carrying the components covertly in a backpack or briefcase means that those stealing cards can just blend in better with crowds.

Mitigating This Risk

So what can be done to prevent this exploit? The most straightforward step is to discontinue using HID (or any) 125 kHz cards, fobs, and readers and switch to encrypted and hashed 13.56 MHz formats. For more details, see our Hackable 125kHz Access Control Migration Guide.

Given current pricing, the higher frequency types are more expensive, but only a modest 15% - 25% more, and frequently offered at pricing the same or under the less secure 125 kHz types.

20 reports cite this report:

Favorite Access Control Credentials 2020 on Sep 15, 2020
Credential choice is more debated than ever, with hacking risk for 125kHz and...
Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see,...
Access Control Door Controllers Guide on Oct 22, 2019
Door controllers are at the center of physical access control systems...
ProdataKey (PDK) Access Company Profile on Aug 09, 2019
Utah based ProdataKey touts low cost cloud access, wireless controllers, and...
How To Troubleshoot Wiegand Reader Problems - Inverted Wiring on Jul 16, 2019
Wiegand is the dominant method of connecting access readers, but problems can...
Nortek Blue Pass Mobile Access Reader Tested on Jul 11, 2019
Nortek claims BluePass mobile readers are a 'more secure and easy to use...
OSDP Access Control Guide on Jun 04, 2019
Access control readers and controllers need to communicate. While Wiegand has...
Nortek Mobile Access Reader BluePass Examined on Feb 12, 2019
Nortek's Linear access control division claims to make mobile credentials...
Access Control Records Maintenance Guide on Jan 16, 2019
Weeding out old entries, turning off unused credentials, and updating who...
HID: Stop Selling Cracked 125 kHz Credentials on Nov 05, 2018
HID should stop selling cracked 125 kHz access control credentials, that have...
ADI Pushing Cracked 125 kHz Access Control on Oct 25, 2018
Security distribution giant ADI commonly promotes access bundles featuring...
Replacing / Switching Access Control Systems Guide on Jun 28, 2018
Ripping out and replacing access control systems is hard for important...
Favorite Access Control Credentials 2018 on Mar 22, 2018
In this 2018 access integrator statistics result, which credential type holds...
New Whole Foods Installs Hackable Access Control (Upgraded) on Feb 21, 2018
Whole Foods has built a reputation for high quality. And their 2017 Amazon...
Nest Secure Alarm System Tested on Nov 16, 2017
Google's expansion continues, this time into home security with their Nest...
Selecting Access Control Readers Tutorial on Nov 09, 2017
Given the variety of types available, specifying access control readers can...
Smartcard Copier Tested (13.56MHz) on Jul 05, 2017
Copying 125kHz cards is certainly easy, as our test results showed, but how...
Biometrics Pros and Cons For Electronic Access Control on Jun 26, 2017
Biometrics has been long sought as an alternative to the security risks of...
Anti-Hack Access Card Shields Tested on May 26, 2017
Keeping your access control card information secure is becoming a big...
Cracked 125kHz Access Control Migration Guide on May 19, 2017
Despite being one of the most popular credentials, 125 kHz credentials are...
Comments (74) : Members only. Login. or Join.

Related Reports

This YouTuber is Now Selling ThermoHealth Temperature Screening on Jul 29, 2020
An enterprising 20-year old is mass marketing medical devices on Facebook and...
Verkada Access Control Tested on Sep 09, 2020
Verkada raised $80 million earlier in 2020, expanding from video into access...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Keypads For Access Control Tutorial on Jul 28, 2020
Keypad readers present huge risks to even the best access systems. If...
Avigilon Aggressive Trade-In Program Takes Aim At Competitors on Oct 20, 2020
Avigilon has launched one of the most aggressive trade-in programs the video...
Dahua, Hikvision, ZKTeco Face Mask Detection Shootout on Jun 19, 2020
Temperature tablets with face mask detection are one of the hottest trends in...
Uniview Deep Learning Camera Tested on Jul 14, 2020
Uniview's intrusion analytics have performed poorly in our shootouts. Now,...
Access Control and Video Integration Statistics 2020 on Oct 08, 2020
Video Surveillance and Access Control are two of the most common security...
Hikvision Impossible 30 People Simultaneously Fever Claim Dupes Baldwin Alabama on Sep 01, 2020
The Alabama school district which spent $1 million on Hikvision fever cameras...
Axis Compares Fever Camera Sellers to 9/11 on Sep 18, 2020
Axis Communications, the West's largest surveillance camera manufacturer, has...
Favorite Access Control Credentials 2020 on Sep 15, 2020
Credential choice is more debated than ever, with hacking risk for 125kHz and...
UN Agency Buys 'Swiss' Fever Cams From Firm That Faked Accreditation, Sales, Marketing on Oct 06, 2020
A Swiss company claims to have "fully designed and manufactured" the world's...
Mobile Access Control Usage Statistics 2020 on Sep 21, 2020
Most smartphones can be used as access control credentials, but how...
Verkada Falsely Claims "First Native Cloud-based Access Control and Video Security Solution" on Jun 18, 2020
Verkada's false claims continue, this time to be the first native cloud-based...
Verkada Faces Sexism, Discrimination, And Cultural Challenges on Oct 13, 2020
Photos of female employees taken from Verkada's own video surveillance system...

Recent Reports

VICE Investigates Verkada's Harassing "RawVerkadawgz" on Oct 26, 2020
This month, IPVM investigated Verkada's sexism, discrimination, and cultural...
Six Flags' FDA Violating Outdoor Dahua Fever Cameras on Oct 26, 2020
As Six Flags scrambled to reopen parks amid plummeting revenues caused by the...
ISC Brasil Digital Experience 2020 Report on Oct 23, 2020
ISC Brasil 2020 rebranded itself to ISC Digital Experience and, like its...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...
GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Security And Safety Things (S&ST) Tested on Oct 22, 2020
S&ST, a Bosch spinout, is spending tens of millions of dollars aiming to...
Nokia Fever Screening Claims To "Advance Fight Against COVID-19" on Oct 22, 2020
First IBM, then briefly Clorox, and now Nokia becomes the latest Fortune 500...
Deceptive Meridian Temperature Tablets Endanger Public Safety on Oct 21, 2020
IPVM's testing of and investigation into Meridian Kiosk's temperature...
Honeywell 30 Series and Vivotek NVRs Tested on Oct 21, 2020
The NDAA ban has driven many users to look for low-cost NVRs not made by...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Avigilon Aggressive Trade-In Program Takes Aim At Competitors on Oct 20, 2020
Avigilon has launched one of the most aggressive trade-in programs the video...
Mexico Video Surveillance Market Overview 2020 on Oct 20, 2020
Despite being neighbors, there are key differences between the U.S. and...
Dahua Revenue Grows But Profits Down, Cause Unclear on Oct 20, 2020
While Dahua's overall revenue was up more than 12% in Q3 2020, a significant...
Illegal Hikvision Fever Screening Touted In Australia, Government Investigating, Temperature References Deleted on Oct 20, 2020
The Australian government told IPVM that they are investigating a Hikvision...
Panasonic Presents i-PRO Cameras and Video Analytics on Oct 19, 2020
Panasonic i-PRO presented its X-Series cameras and AI video analytics at the...