Smartcard Copier Tested (13.56MHz)

By Brian Rhodes, Published on Jul 05, 2017

Copying 125kHz cards is certainly easy, as our test results showed, but how about 13.56MHz smart cards? Are they more secure?

IPVM focused on the risk in "Hacking Your Access Control With This $30 HID 125kHz Card Copier", but are more advanced 13.56 MHz 'smartcard' formats more secure?

We bought a smart card cloner; the unit shipped to us is shown below:

The seller is undoubtedly polite, but would it work?

We tested the following card formats:

  • HID iClass Legacy and iClass SE (13.56 MHz)
  • MIFARE Classic 1K (13.56 MHz)
  • MIFARE DESFire EV1 (13.56 MHz)
  • HID ProxII and ISOProx (125 kHz)
  • Kantech XSF (125 kHz)
  • EM 4100 Generic Format (125 kHz)

Full results, videos and analysis inside.

Box *******

*** *** *** **** was ******* ** ** shown *****:

Fails ** **** **********

** *** **** ***** below, ** ***** *** this '**** ********' **.** MHz *** ****** ** clone ** **** ******* credential ******* **** ** modern access *******:

** *** ****, ** tried ******** **.** *** and *** *** *******, and **** *** **** to ************ ***** *** write ******** *** ******* EM *** *** *********.  Of ****, **** ** the *** ****** ******* were ***** ******, *** even *** **** *****, unencoded *** *** ****, Prox **, *** ******* formats ******* ** ***** units:

13.56 *** ****** **** ************ 

*** ********** ****** ** tested*** ******** ******* ** its **** ************ ******************* [**** ** ****** available]. **** ****-*** ******** from ********* **** ****** [link ** ****** *********] and **** [**** ** longer *********] *** **** than $***, *** **** this **** ** ** easy *** *********** ** procure, ********** *** ***** of * **** ** poses ** ********** ****** systems ** ******.

*******, *** ******* ** this ****, ************ **** this **** **** *** work ** **********, **** not ******** *** **** other ******* ******* *** present.  *************, *** ********** used ** ********* (********** ***** ****), *** *** ************** of *** ******* *** decoded ** ***. * unit ** ****** **** successfully ************ ***** ******** could ** * *** threat.

Eight ******* ******

** ****** ***** ****** control ** ******* **** this ****, *** **** one ****** ************ ******. Of *** **.** *** formats ** *****, **** MIFARE ******* *** *** iClass *****, **** **** copied.  *** *** *** kHz ****** *** **********, but *** ********** **** did *** **** *********.  The ***** ******* ****** included ****** *******, ****** Legacy, ****** **, ******* XSF, *** *** *******:

Most ****** ******* ************

***** **** ********** ****** may ** * **** for **** *********** ** RF ****, **** ***** used ** *** ******, Meal *****, ** ******** Buyer ******* ********, ** mostly ** *********** *** access ******* *******.  **** does *** **** **** those ******* *** ****** against *** ********, *******, just **** **** ********** device ** *** * big *******.

Blanks ********* ** ***

*** ********** ********** ** using ****** ********* '*********' formats ** *** ********** in ******** ******** ***** writable ***** ** **** stolen ***********.

********** ** ******* **** the **** ** **** test ****, ******* * blank ***** **** ** write ****** *********** ** is **** **** ****** and ********* **** ******* blank *** *** **-******** keyfobs ** *** ********** card *******.  ***** ****** cost ** ****** ** $0.35 ***** **** *** ship **** ***, ***** iClass ** ****** ***** cost $** **** *** often *** **** ******* controlled ** ************ ** even *********.

Comments (18)

I got some of these copiers as well and tested them with our 125 kHz cards we custom programmed for us. It wouldn't copy any of them. It said it did, but when we tested the cards they never worked. It would, however, copy the cards and fobs that came with the kit. I'm curious to know if this is a flaw with the copier or if there's something in our cards that prevents them from being copied properly.

I would say the $30 copier we tested is a better device for testing risk.  However, with that in mind, the risk of 125 kHz formats being copied is the intersection of several factors:

1. Most 125 kHz formats are unencoded (most 13.56 MHz are)

2. Finding rewritable blanks for 125 kHz formats is easy/cheap (not with 13.56 MHz)

3. Using 'custom programmed' cards could offer protection, but defining what is actually 'custom' about them is vital.  There's a good chance that if the 'custom' part only addresses the facility codes, CSNs, or batch ID numbers which are the most common 'customized' factors, they still are vulnerable.

Friend,

Was item damage in mail?

The seller was ultra-polite!  

Not only was there a handwritten note, he/they emailed several times afterward to make sure I received it. Overall, it was impressive.  I've bought an automobile and felt less appreciated.

 

Great information.  Thanks for another very informative article.

Great Report :)  I am interested in not only the card to reader security but also the reader to controller security ... which is often static and plain text.

My perception is that vendors focus on how many different codes are available as opposed to how secure the code is.  Most end users (but not all) are not threatened by someone who has a card for building "A" discovering that this card works for building "B". They are worried about credentials being copied or the reader to controller channel compromised.

Thanks

RBL

Hello Randy:

I am interested in not only the card to reader security but also the reader to controller security 

I'd suggest reading Wiegand vs OSDP as a primer on this link.

OSDP is encrypted and bi-directional, while Wiegand is unencrypted and pushes data in one direction only.

After the credential information leaves the reader, it largely loses whatever encryption or encoding the card or fob provides, so OSDP brings some security to the 'controller channel'.
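
What "unencrypted" and "static and plain text" mean on the reader-to-controller wire, as an added example that is not part of the original article or comments. It assumes the common 26-bit Wiegand layout (8-bit facility code, 16-bit card number, two parity bits), which the page does not name; the sample values are constructed.

```python
# Added example, not from the article: the common 26-bit Wiegand frame
# (assumed layout). Bit 0 is even parity over bits 1-12, bits 1-8 are the
# facility code, bits 9-24 the card number, bit 25 is odd parity over 13-24.

def encode_w26(facility: int, card: int) -> str:
    """Build the 26-bit frame a reader would send for this credential."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility must fit 8 bits, card number 16 bits")
    data = f"{facility:08b}{card:016b}"         # 24 data bits, sent in the clear
    even = str(data[:12].count("1") % 2)        # first half ends up with even ones
    odd = str((data[12:].count("1") + 1) % 2)   # second half ends up with odd ones
    return even + data + odd

def decode_w26(bits: str) -> dict:
    """Recover the fields from a frame; no key or secret is involved."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 characters of 0/1")
    data = bits[1:25]
    parity_ok = bits[:13].count("1") % 2 == 0 and bits[13:].count("1") % 2 == 1
    return {"facility": int(data[:8], 2),
            "card": int(data[8:], 2),
            "parity_ok": parity_ok}

def distinct_frames(facility: int, card: int, presentations: int) -> int:
    """Count the different frames seen across repeated presentations.
    The frame has no counter, nonce or MAC, so the answer is always 1."""
    return len({encode_w26(facility, card) for _ in range(presentations)})

def flip_bit(bits: str, index: int) -> str:
    """Simulate line noise on one bit of the frame."""
    flipped = "1" if bits[index] == "0" else "0"
    return bits[:index] + flipped + bits[index + 1:]

if __name__ == "__main__":
    frame = encode_w26(123, 45678)              # constructed sample credential
    print(frame, decode_w26(frame))
    print("distinct frames over 5 reads:", distinct_frames(123, 45678, 5))
    # Parity catches a single corrupted bit, which is an integrity check
    # against noise only; it says nothing about who produced the frame.
    print(decode_w26(flip_bit(frame, 5)))
```

The only check in the frame is parity, which is why the comment above points to OSDP for protecting the controller channel.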

 

I doubt the risk owner for building B is expecting building A's cardholders to have access to their stuff.  I really don't think the arson inspector for B's insurance company would like that either.   IT would tell you most card number formats out there should have died last century.  ("you should all be running on 128 bit UUID's")  The cardholder data, when in motion, anywhere, should be secured.  Security can mean OSDP with Secure Channel over 485 or TLS.  Security might just mean getting the project owner to behave responsibly and wire the tamper relay on the inside of the panel enclosure and doing a decent job of running metal conduit from the panel box back to the switch rack.

 

 

How many cars could an old style key for a similar make and model start .... many. How many cars were stolen that way ..... none.  I was just merely pointing out that the threat from someone going around and trying their cards on other facilities is extremely small (but not zero to your point).

You have correctly identified that there is a continuum of security options ... and that IT is a few generations ahead of physical security on awareness of these vulnerabilities. The fact is that what used to be a fairly large barrier to entry for a non-hacker has been significantly lowered with these devices. I purchased one that was featured on Engadget for less than $30 Canadian (almost free in US haha). It readily copied a very common credential. Convincing clients of the vulnerability is a simple demonstration. They own the risk. Not me. 

OSDP has raised the barrier. Perhaps on par with CAN bus type hacks in automobiles. OSDP with Secure Channel appears to have raised the bar a lot. Using tampers and metal conduit also raises the barriers, as you have pointed out.

Telling clients that the system that they upgraded a few years ago is now obsolete is a tough pill for physical security persons. IT learned over the past decades that 6 months is eternity for an unpatched system. IT learned ... mostly the hard way that there is a need to upgrade continuously.  Now that all physical security providers are getting in the game with an "app for that" they are learning the lessons of IT from a decade ago .... but I digress!!

In the future, all existing physical security communication standards, whether it be Wiegand or Contact ID, will move to the much more mature domain of the OSI.

Have a great Day

Randy

ps There is always too much security until there is not enough!

Thanks for the insightful comment.  +1 informative

Would be interested to know from this group if they've encountered any copiers that are more reliable than this one, even if the cost is higher. When I went to Amazon and did a search, there were a few others out there, but absolutely none of them had any ratings, or only had a single reviewer.

The $350 Rysc Proxmark3 series has been used to crack some 13.56 MHz formats, although it is more a crypto-sport device and not a merchandised copier.

Using it often requires programming knowledge and basic cryptography skills and is not a simple 'point 'n click' type of copier.

I had this copier work as stated for about 2 weeks and then it died.

I would not recommend getting it, as it is very poorly made.

The point of the copier is that there is writable media out there and it is possible to build a device to write to it.  If you don't like the thing on Amazon look up clonemycard.com.

There are apparently lots of systems using the card serial number (CSN) on smartcards.  There appear to be CSN cloners out there.  This makes sense as again there is now writable media so it is not true the CSN can't be written outside the factory.  Note ISO 14443 cards (stop saying 13.56, you sound like a bunch of people chatting in your rocking chairs on the front porch of the Old Integrator's Home.) have a CSN and so you could "clone a 13.56 card" when in fact you're just cloning the CSN.

If you use DESfire or some mechanism with (currently) strong crypto you are probably fine.

The proxmark is expensive because it's doing it all in a software defined radio.  It happens to be able to crack Mifare Crypto1 because that's a known hack.

Don't use media that can be copied.  Don't "just listen to your Manufacturer" (who's getting rich selling you CSN readers that cost almost nothing to make...) when checking whether your card tech is safe.  Don't use the CSN (I mean on your enterprise door lock.  Feel free to secure the lawn mower shed at your community pool with a Wiegand CSN reader.)

look up clonemycard.com

I get a 404 going to http://www.clonemycard.com

I did go to https://www.clonemykey.com/key-card-cloning-service-rfid-proximity/ which seems related:

The Proxmark 3 is a very well supported device, and can now reproduce all the current access cards, with the exception of SEOS & TWIC cards, if the keys are known. It can extract keys from most 13.56MHz formats with the exception of EV1 and SEOS. The availability of the Windows versions and scripting have deskilled the process considerably.

Another factor is the availability of "Magic Cards" which can be completely reprogrammed including the CSN.

The most important thing to remember about smart cards is that they are only as secure as their keys, so how keys are generated, stored, and who knows them becomes extremely important. The best example is the original iClass Hack, which was all about poor key storage!

I also bought a $30 125 kHz copier to test out our cards. I tested on 5 different cards and tags; one was copied with ease, the rest the copier couldn't read.

It didn't make me uneasy about the security of those cards, but it's a good educational thing to show: don't leave your cards and tags lying around.

There are 2 basic 125 kHz proximity technologies, EM4xxx and ATA55xx. If a cloner doesn't say it will copy HID (based on ATA55xx), in my experience it copies the EM chips.

For research in this area, the best device is undoubtedly the Proxmark, available from RYSC and Elechouse in Hong Kong

http://www.elechouse.com/elechouse/index.php?main_page=product_info&cPath=90_93&products_id=2264&zenid=brg9icv4889k10m5uh1jgujqo5

I prefer the Elechouse version; it is cheaper, has more memory and can run 2 antennas at once.

It comes with a very active forum, 25,000 members and 6000+ subscribers, so if you think cloning is not happening on a large scale, you are deluding yourself. Most of what I see is "second cards", one to leave in your car for parking as an example, or replacement apartment cards where the landlord wishes to charge $50 to users for a new card.

As to software, it comes with handy utilities to identify card types and can copy any card (if you have the keys). It can extract keys from Mifare and iClass (based around PicoPass Silicon), not SEOS. It can also emulate all the cards. It can run from an easy to use GUI on a Windows PC, although I prefer to run it under Ubuntu.

After that the next threat is the availability of FPGA cards which can be programmed including the CSN, thereby breaking encrypted cards.

So in short, card security is now all about key management, i.e. how they are created, who knows the keys, where they are stored etc.

The question I would ask users is: "Who knows your keys, and how do you control your card issuance process?", along with "How do you audit user actions?"

Whilst most access systems prevent the loading of 2 cards with the same system number to the system, very few prevent the creation of the 2 cards, one of which can be added to the system, and the second stored for later use.
