Smartcard Copier Tested (13.56MHz)

By: Brian Rhodes, Published on Jul 05, 2017

Copying 125kHz cards is certainly easy, as our test results showed, but how about 13.56MHz smart cards? Are they more secure?

IPVM focused on the risk of Hacking Your Access Control With This $30 HID 125kHz Card Copier, but are more advanced 13.56 MHz 'smartcard' formats more secure?

We bought a smart card cloner; the unit shipped to us is shown below:

The seller is undoubtedly polite, but would it work?

We tested the following card formats:

  • HID iClass Legacy and iClass SE (13.56 MHz)
  • MIFARE Classic 1K (13.56 MHz)
  • MIFARE DESFire EV1 (13.56 MHz)
  • HID ProxII and ISOProx (125 kHz)
  • Kantech XSF (125 kHz)
  • EM 4100 Generic Format (125 kHz)

Full results, videos and analysis inside.


Box *******

*** *** *** **** was ******* ** ** shown *****:

Fails ** **** **********

** *** **** ***** below, ** ***** *** this '**** ********' **.** MHz *** ****** ** clone ** **** ******* credential ******* **** ** modern ****** *******:

** *** ****, ** tried ******** **.** *** and *** *** *******, and **** *** **** to ************ ***** *** write ******** *** ******* EM *** *** *********. Of ****, **** ** the *** ****** ******* were ***** ******, *** even *** **** *****, unencoded *** *** ****, Prox **, *** ******* formats ******* ** ***** units:

13.56 *** ****** **** ************

*** ********** ****** ** tested*** ******** ******* ** its **** ************ *******************. **** ****-*** ******** from ********* ******************** **** **** $***, the **** **** **** is ** **** *** inexpensive ** *******, ********** how ***** ** * risk ** ***** ** commercial ****** ******* ** useful.

*******, *** ******* ** this ****, ************ **** this **** **** *** work ** **********, **** not ******** *** **** other ******* ******* *** present. *************, *** ********** used ** ********* (********** ***** ****), *** *** ************** of *** ******* *** decoded ** ***. * unit ** ****** **** successfully ************ ***** ******** could ** * *** threat.

Eight ******* ******

** ****** ***** ****** control ** ******* **** this ****, *** **** one ****** ************ ******. Of *** **.** *** formats ** *****, **** MIFARE ******* *** *** iClass *****, **** **** copied. *** *** *** kHz ****** *** **********, but *** ********** **** did *** **** *********. The ***** ******* ****** included ****** *******, ****** Legacy, ****** **, ******* XSF, *** *** *******:

Most ****** ******* ************

***** **** ********** ****** may ** * **** for **** *********** ** RF ****, **** ***** used ** *** ******, Meal *****, ** ******** Buyer ******* ********, ** mostly ** *********** *** access ******* *******. **** does *** **** **** those ******* *** ****** against *** ********, *******, just **** **** ********** device ** *** * big *******.

Blanks ********* ** ***

*** ********** ********** ** using ****** ********* '*********' formats ** *** ********** in ******** ******** ***** writable ***** ** **** stolen ***********.

********** ** ******* **** the **** ** **** test ****, ******* * blank ***** **** ** write ****** *********** ** is **** **** ****** and ********* **** ******* blank *** *** **-******** keyfobs ** *** ********** card *******. ***** ****** cost ** ****** ** $0.35 ***** **** *** ship **** ***, ***** iClass ** ****** ***** cost $** **** *** often *** **** ******* controlled ** ************ ** even *********.

Comments (18)

I got some of these copiers as well and tested them with our 125 kHz cards we custom programmed for us. It wouldn't copy any of them. It said it did, but when we tested the cards they never worked. It would, however, copy the cards and fobs that came with the kit. I'm curious to know if this is a flaw with the copier or if there's something in our cards that prevents them from being copied properly.

I would say the $30 copier we tested is a better device for testing risk. However, with that in mind, the risk of 125 kHz formats being copied is the intersection of several factors:

1. Most 125 kHz formats are unencoded (most 13.56 MHz are)

2. Finding rewritable blanks for 125 kHz formats is easy/cheap (not with 13.56 MHz)

3. Using 'custom programmed' cards could offer protection, but defining what is actually 'custom' about them is vital. There's a good chance that if the 'custom' part only addresses the facility codes, CSNs, or batch ID numbers which are the most common 'customized' factors, they still are vulnerable.

Friend,

Was item damage in mail?

The seller was ultra-polite!

Not only was there a handwritten note, he/they emailed several times afterward to make sure I received it. Overall, it was impressive. I've bought an automobile and felt less appreciated.

Great information. Thanks for another very informative article.

Great Report :) I am interested in not only the card to reader security but also the reader to controller security ... which is often static and plain text.

My perception is that vendors focus on how many different codes are available as opposed to how secure the code is. Most end users (but not all) are not threatened by someone who has a card for building "A" discovering that this card works for building "B". They are worried about credentials being copied or the reader to controller channel compromised.

Thanks

RBL

Hello Randy:

I am interested in not only the card to reader security but also the reader to controller security

I'd suggest reading Wiegand vs OSDP as a primer on this link.

OSDP is encrypted and bi-directional, while Wiegand is unencrypted and pushes data in one direction only.

After the credential information leaves the reader, it largely loses whatever encryption or encoding the card or fob provides, so OSDP brings some security to the 'controller channel'.

I doubt the risk owner for building B is expecting building A's cardholders to have access to their stuff. I really don't think the arson inspector for B's insurance company would like that either. IT would tell you most card number formats out there should have died last century. ("you should all be running on 128 bit UUID's") The cardholder data, when in motion, anywhere, should be secured. Security can mean OSDP with Secure Channel over 485 or TLS. Security might just mean getting the project owner to behave responsibly and wire the tamper relay on the inside of the panel enclosure and doing a decent job of running metal conduit from the panel box back to the switch rack.

How many cars could an old style key for a similar make and model start .... many. How many cars were stolen that way ..... none. I was just merely pointing out that the threat from someone going around and trying their cards on other facilities is extremely small (but not zero to your point).

You have correctly identified that there is a continuum of security options ... and that IT is a few generations ahead of physical security on awareness of these vulnerabilities. The fact is that what used to be a fairly large barrier to entry for a non-hacker has been significantly lowered with these devices. I purchased one that was featured on Engadget for less than $30 Canadian (almost free in US haha). It readily copied a very common credential. Convincing clients of the vulnerability is a simple demonstration. They own the risk. Not me.

OSDP has raised the barrier. Perhaps on par with CAN bus type hacks in automobiles. OSDP with Secure Channel appears to have raised the bar a lot. Using tampers and metal conduit also raises the barriers, as you have pointed out.

Telling clients that the system that they upgraded a few years ago is now obsolete is a tough pill for physical security persons. IT learned over the past decades that 6 months is eternity for an unpatched system. IT learned ... mostly the hard way that there is a need to upgrade continuously. Now that all physical security providers are getting in the game with an "app for that" they are learning the lessons of IT from a decade ago .... but I digress!!

In the future, all existing physical security communication standards, whether it be Wiegand or Contact ID, will move to the much more mature domain of the OSI.

Have a great Day

Randy

ps There is always too much security until there is not enough!

Thanks for the insightful comment. +1 informative

Would be interested to know from this group if they've encountered any copiers that are more reliable than this one, even if the cost is higher. When I went to Amazon and did a search, there were a few others out there, but absolutely none of them had any ratings, or only had a single reviewer.

The $350 Rysc Proxmark3 series has been used to crack some 13.56 MHz formats, although it is more a crypto-sport device and not a merchandised copier.

Using it often requires programming knowledge and basic cryptography skills and is not a simple 'point 'n click' type of copier.

I had this copier work as stated for about 2 weeks and then it died.

I would not recommend getting it, as it is very poorly made.

The point of the copier is that there is writable media out there and it is possible to build a device to write to it. If you don't like the thing on Amazon, look up clonemycard.com.

There are apparently lots of systems using the card serial number (CSN) on smartcards. There appear to be CSN cloners out there. This makes sense as again there is now writable media so it is not true the CSN can't be written outside the factory. Note ISO 14443 cards (stop saying 13.56, you sound like a bunch of people chatting in your rocking chairs on the front porch of the Old Integrator's Home.) have a CSN and so you could "clone a 13.56 card" when in fact you're just cloning the CSN.

If you use DESFire or some mechanism with (currently) strong crypto you are probably fine.

The proxmark is expensive because it's doing it all in a software defined radio. It happens to be able to crack Mifare Crypto1 because that's a known hack.

Don't use media that can be copied. Don't "just listen to your Manufacturer" (who's getting rich selling you CSN readers that cost almost nothing to make...) when checking whether your card tech is safe. Don't use the CSN (I mean on your enterprise door lock. Feel free to secure the lawn mower shed at your community pool with a Wiegand CSN reader.)

look up clonemycard.com

I get a 404 going to http://www.clonemycard.com

I did go to https://www.clonemykey.com/key-card-cloning-service-rfid-proximity/ which seems related:

The Proxmark 3 is a very well supported device, and can now reproduce all the current access cards, with the exception of SEOS & TWIC cards, if the keys are known. It can extract keys from most 13.56 MHz formats with the exception of EV1 and SEOS. The availability of the Windows versions and scripting have deskilled the process considerably.

Another factor is the availability of "Magic Cards" which can be completely reprogrammed including the CSN.

The most important thing to remember about smart cards is that they are only as secure as their keys, so how keys are generated, stored, and who knows them becomes extremely important. The best example is the original iClass Hack, which was all about poor key storage!

I also bought a $30 125 kHz copier to test out our cards. I tested on 5 different cards and tags; one was copied with ease, the rest the copier couldn't read.

It didn't make me uneasy about the security of those cards, but it's a good educational thing to show: don't leave your cards and tags lying around.

There are 2 basic 125 kHz proximity technologies, EM4xxx and ATA55xx. If a cloner doesn't say it will copy HID (based on ATA55xx), in my experience it copies the EM chips.

For research in this area, the best device is undoubtedly the Proxmark, available from RYSC and Elechouse in Hong Kong:

http://www.elechouse.com/elechouse/index.php?main_page=product_info&cPath=90_93&products_id=2264&zenid=brg9icv4889k10m5uh1jgujqo5

I prefer the Elechouse version; it's cheaper, has more memory and can run 2 antennas at once.

It comes with a very active forum, 25,000 members and 6000+ subscribers, so if you think cloning is not happening on a large scale, you are deluding yourself. Most of what I see is "second cards", one to leave in your car for parking as an example, or replacement apartment cards where the landlord wishes to charge $50 to users for a new card.

As to software, it comes with handy utilities to identify card types and can copy any card (if you have the keys); it can extract keys from Mifare and iClass (based around PicoPass Silicon), not SEOS. It can also emulate all the cards. It can run from an easy to use GUI on a Windows PC, although I prefer to run it under Ubuntu.

After that the next threat is the availability of FPGA cards which can be programmed including the CSN, thereby breaking encrypted cards.

So in short Card security is now all about key management, i.e. how they are created, who knows the keys, where they are stored etc.

The question I would ask users is: "Who knows your keys, how do you control your card issuance process, and how do you audit user actions?"

Whilst most access systems prevent the loading of 2 cards with the same system number to the system, very few prevent the creation of the 2 cards, one of which can be added to the system, and the second stored for later use.
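
Added example (not part of the original comments, and not IPVM or vendor code): one way to audit the issuance process the last comment asks about, by reconciling a card encoder's write log against the access system's enrolment table. The log layout, field names and all sample records are constructed assumptions.

```python
"""Issuance audit: reconcile what the card encoder wrote against what was enrolled."""
from collections import defaultdict

# Constructed sample data. The field layout is an assumption, not a real product's export:
# (timestamp, operator, facility_code, card_number, serial of the physical blank)
ENCODER_LOG = [
    ("2019-07-01T09:02:11", "alice", 112, 40017, "04A1B2C3"),
    ("2019-07-01T09:05:40", "alice", 112, 40018, "04A1B2C4"),
    ("2019-07-01T17:48:02", "bob",   112, 40018, "04FF0019"),  # same number, second blank
    ("2019-07-02T10:15:33", "alice", 112, 40019, "04A1B2C5"),  # written, never enrolled
    ("2019-07-02T10:16:01", "alice", 112, 40019, "04A1B2C5"),  # retry on the same blank
]

# Constructed access-system enrolment table: (facility_code, card_number) -> cardholder
ENROLLED = {
    (112, 40017): "J. Smith",
    (112, 40018): "R. Jones",
    (112, 40555): "Contractor 7",  # enrolled, but no encoder record exists
}


def audit_issuance(encoder_log, enrolled):
    """Return three finding lists: duplicated, unenrolled, unknown_origin."""
    writes = defaultdict(list)  # credential -> [(timestamp, operator, blank serial)]
    for ts, operator, fc, number, blank in encoder_log:
        writes[(fc, number)].append((ts, operator, blank))

    findings = {"duplicated": [], "unenrolled": [], "unknown_origin": []}
    for cred, events in sorted(writes.items()):
        blanks = {blank for _, _, blank in events}
        # A retry on the same blank is one card; two distinct blanks are two cards.
        if len(blanks) > 1:
            operators = sorted({op for _, op, _ in events})
            findings["duplicated"].append((cred, sorted(blanks), operators))
        if cred not in enrolled:
            findings["unenrolled"].append(cred)
    # Credentials the access system trusts that the encoder never produced.
    for cred in sorted(enrolled):
        if cred not in writes:
            findings["unknown_origin"].append(cred)
    return findings


if __name__ == "__main__":
    for kind, items in audit_issuance(ENCODER_LOG, ENROLLED).items():
        for item in items:
            print(kind, item)
```

The access system's own duplicate check only sees the enrolment table, so the second card for 40018 is visible only in the encoder log; that is why the audit keys on the physical blank's serial rather than on the credential number alone.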
