Smartcard Copier Tested (13.56MHz)

By Brian Rhodes, Published Jul 05, 2017, 10:24am EDT

Copying 125 kHz cards is certainly easy, as our test results showed, but how about 13.56 MHz smart cards? Are they more secure?

IPVM focused on the risk in Hacking Your Access Control With This $30 HID 125kHz Card Copier; this test asks whether the more advanced 13.56 MHz 'smartcard' formats hold up any better.

We bought a smart card cloner; the unit shipped to us is shown below:

The seller is undoubtedly polite, but would it work?

We tested the following card formats:

  • HID iClass Legacy and iClass SE (13.56 MHz)
  • MIFARE Classic 1K (13.56 MHz)
  • MIFARE DESFire EV1 (13.56 MHz)
  • HID ProxII and ISOProx (125 kHz)
  • Kantech XSF (125 kHz)
  • EM 4100 Generic Format (125 kHz)

Full results, videos and analysis inside.

Box *******

*** *** *** **** was ******* ** ** shown *****:

Fails ** **** **********

** *** **** ***** below, ** ***** *** this '**** ********' **.** MHz *** ****** ** clone ** **** ******* credential ******* **** ** modern access *******:

** *** ****, ** tried ******** **.** *** and *** *** *******, and **** *** **** to ************ ***** *** write ******** *** ******* EM *** *** *********.  Of ****, **** ** the *** ****** ******* were ***** ******, *** even *** **** *****, unencoded *** *** ****, Prox **, *** ******* formats ******* ** ***** units:

13.56 *** ****** **** ************ 

*** ********** ****** ** tested*** ******** ******* ** its **** ************ ******************* [**** ** ****** available]. **** ****-*** ******** from ********* **** ****** [link ** ****** *********] and **** [**** ** longer *********] *** **** than $***, *** **** this **** ** ** easy *** *********** ** procure, ********** *** ***** of * **** ** poses ** ********** ****** systems ** ******.

*******, *** ******* ** this ****, ************ **** this **** **** *** work ** **********, **** not ******** *** **** other ******* ******* *** present.  *************, *** ********** used ** ********* (********** ***** ****), *** *** ************** of *** ******* *** decoded ** ***. * unit ** ****** **** successfully ************ ***** ******** could ** * *** threat.

Eight ******* ******

** ****** ***** ****** control ** ******* **** this ****, *** **** one ****** ************ ******. Of *** **.** *** formats ** *****, **** MIFARE ******* *** *** iClass *****, **** **** copied.  *** *** *** kHz ****** *** **********, but *** ********** **** did *** **** *********.  The ***** ******* ****** included ****** *******, ****** Legacy, ****** **, ******* XSF, *** *** *******:

Most ****** ******* ************

***** **** ********** ****** may ** * **** for **** *********** ** RF ****, **** ***** used ** *** ******, Meal *****, ** ******** Buyer ******* ********, ** mostly ** *********** *** access ******* *******.  **** does *** **** **** those ******* *** ****** against *** ********, *******, just **** **** ********** device ** *** * big *******.

Blanks ********* ** ***

*** ********** ********** ** using ****** ********* '*********' formats ** *** ********** in ******** ******** ***** writable ***** ** **** stolen ***********.

********** ** ******* **** the **** ** **** test ****, ******* * blank ***** **** ** write ****** *********** ** is **** **** ****** and ********* **** ******* blank *** *** **-******** keyfobs ** *** ********** card *******.  ***** ****** cost ** ****** ** $0.35 ***** **** *** ship **** ***, ***** iClass ** ****** ***** cost $** **** *** often *** **** ******* controlled ** ************ ** even *********.

Comments (18)

I got some of these copiers as well and tested them with our 125 kHz cards that were custom programmed for us. It wouldn't copy any of them. It said it did, but when we tested the cards they never worked. It would, however, copy the cards and fobs that came with the kit. I'm curious to know if this is a flaw with the copier or if there's something in our cards that prevents them from being copied properly.

Agree
Disagree
Informative: 3
Unhelpful
Funny

I would say the $30 copier we tested is a better device for testing risk.  However, with that in mind, the risk of 125 kHz formats being copied is the intersection of several factors:

1. Most 125 kHz formats are unencoded (most 13.56 MHz formats are)

2. Finding rewritable blanks for 125 kHz formats is easy/cheap (not so with 13.56 MHz)

3. Using 'custom programmed' cards could offer protection, but defining what is actually 'custom' about them is vital.  There's a good chance that if the 'custom' part only addresses the facility codes, CSNs, or batch ID numbers which are the most common 'customized' factors, they still are vulnerable.

Agree
Disagree
Informative: 2
Unhelpful
Funny

Friend,

Was item damage in mail?

Agree
Disagree
Informative
Unhelpful
Funny: 7

The seller was ultra-polite!  

Not only was there a handwritten note, he/they emailed several times afterward to make sure I received it. Overall, it was impressive.  I've bought an automobile and felt less appreciated.

 

Agree
Disagree
Informative: 2
Unhelpful
Funny: 5

Great information.  Thanks for another very informative article.

Agree: 2
Disagree
Informative
Unhelpful
Funny

Great Report :)  I am interested in not only the card to reader security but also the reader to controller security ... which is often static and plain text.

My perception is that vendors focus on how many different codes are available as opposed to how secure the code is.  Most end users (but not all) are not threatened by someone who has a card for building "A" discovering that this card works for building "B". They are worried about credentials being copied or the reader to controller channel compromised.

Thanks

RBL

Agree
Disagree
Informative
Unhelpful
Funny

Hello Randy:

I am interested in not only the card to reader security but also the reader to controller security 

I'd suggest reading Wiegand vs OSDP as a primer on this.

OSDP is encrypted and bi-directional, while Wiegand is unencrypted and pushes data in one direction only.

After the credential information leaves the reader, it largely loses whatever encryption or encoding the card or fob provides, so OSDP brings some security to the 'controller channel'.

 

Agree
Disagree
Informative
Unhelpful
Funny
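Worked example, added to this page (it is not code from IPVM or from any commenter): the point made above about 'custom programmed' facility codes, and the point in this reply about the reader-to-controller channel, are the same point seen from two ends. A 26-bit Wiegand frame (the common H10301 layout: one even-parity bit, an 8-bit facility code, a 16-bit card number, one odd-parity bit) carries the credential in the clear, so anyone who captures it on the D0/D1 lines, or reads it off an unencrypted card, can check its parity, recover the numbers and re-emit a valid frame. The captured frame below is a constructed value, not a real credential.

```python
# Added example: decode and re-encode a 26-bit Wiegand (H10301) frame.
# Bit layout, MSB first:
#   bit 0       even parity over bits 1..12
#   bits 1..8   8-bit facility code
#   bits 9..24  16-bit card number
#   bit 25      odd parity over bits 13..24

# Constructed sample frame (facility code 123, card number 45678).
CAPTURED_FRAME = "10111101110110010011011101"


def _parity(bits):
    return sum(bits) % 2


def decode_wiegand26(frame):
    """Parse a 26-character '0'/'1' string as captured on the D0/D1 lines.

    Returns (facility_code, card_number); raises ValueError on bad parity.
    """
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("frame must be 26 binary digits")
    bits = [int(b) for b in frame]
    # Leading parity bit plus the first 12 data bits must sum to even.
    if _parity(bits[0:13]) != 0:
        raise ValueError("even parity check failed")
    # Last 12 data bits plus the trailing parity bit must sum to odd.
    if _parity(bits[13:26]) != 1:
        raise ValueError("odd parity check failed")
    facility_code = int(frame[1:9], 2)
    card_number = int(frame[9:25], 2)
    return facility_code, card_number


def encode_wiegand26(facility_code, card_number):
    """Build the frame a cloned card, or a wire-level replay, would present."""
    if not (0 <= facility_code < 256 and 0 <= card_number < 65536):
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = f"{facility_code:08b}{card_number:016b}"   # 24 data bits
    d = [int(b) for b in data]
    p_even = _parity(d[0:12])          # chosen so the first half sums to even
    p_odd = 1 - _parity(d[12:24])      # chosen so the second half sums to odd
    return f"{p_even}{data}{p_odd}"


def is_valid_frame(frame):
    """True if the frame passes length and both parity checks."""
    try:
        decode_wiegand26(frame)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    fc, cn = decode_wiegand26(CAPTURED_FRAME)
    print(f"facility code {fc}, card number {cn}")
    # A 'custom' facility code offers no protection: the replay is exact.
    print("replay frame:", encode_wiegand26(fc, cn))
```

Nothing in the frame is secret, and the parity bits only catch line noise; a non-standard facility code or an unusual card number range changes the values but not the fact that a reader transmits them, and a cloned card presents them, in plaintext.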

I doubt the risk owner for building B is expecting building A's cardholders to have access to their stuff.  I really don't think the arson inspector for B's insurance company would like that either.   IT would tell you most card number formats out there should have died last century.  ("you should all be running on 128 bit UUID's")  The cardholder data, when in motion, anywhere, should be secured.  Security can mean OSDP with Secure Channel over 485 or TLS.  Security might just mean getting the project owner to behave responsibly and wire the tamper relay on the inside of the panel enclosure and doing a decent job of running metal conduit from the panel box back to the switch rack.

 

 

Agree
Disagree
Informative
Unhelpful
Funny

How many cars could an old style key for a similar make and model start .... many. How many cars were stolen that way ..... none.  I was just merely pointing out that the threat from someone going around and trying their cards on other facilities is extremely small (but not zero to your point).

You have correctly identified that there is a continuum of security options ... and that IT is a few generations ahead of physical security on awareness of these vulnerabilities. The fact is that what used to be a fairly large barrier to entry for a non-hacker has been significantly lowered with these devices. I purchased one that was featured on Engadget for less than $30 Canadian (almost free in US haha). It readily copied a very common credential. Convincing clients of the vulnerability is a simple demonstration. They own the risk. Not me. 

OSDP has raised the barrier. Perhaps on par with CAN bus type hacks in automobiles. OSDP with Secure Channel appears to have raised the bar a lot. Using Tampers and metal conduit also raise the barriers as you have pointed out.

Telling clients that the system that they upgraded a few years ago is now obsolete is a tough pill for physical security persons. IT learned over the past decades that 6 months is eternity for an unpatched system. IT learned ... mostly the hard way that there is a need to upgrade continuously.  Now that all physical security providers are getting in the game with an "app for that" they are learning the lessons of IT from a decade ago .... but I digress!!

The future will see all existing physical security communication standards, whether Wiegand or Contact ID, move to the much more mature domain of the OSI model.

Have a great Day

Randy

ps There is always too much security until there is not enough!

Agree: 3
Disagree
Informative: 2
Unhelpful
Funny

Thanks for the insightful comment.  +1 informative

Agree
Disagree
Informative
Unhelpful
Funny

Would be interested to know from this group if they've encountered any copiers that are more reliable than this one, even if the cost is higher. When I went to Amazon and did a search, there were a few others out there, but absolutely none of them had any ratings, or only had a single reviewer.

Agree
Disagree
Informative
Unhelpful
Funny

The $350 Rysc Proxmark3 series has been used to crack some 13.56 MHz formats, although it is more a crypto-sport device and not a merchandised copier.

Using it often requires programming knowledge and basic cryptography skills and is not a simple 'point 'n click' type of copier.

Agree
Disagree
Informative: 1
Unhelpful
Funny

I had this copier; it worked as stated for about 2 weeks and then died.

I would not recommend getting it, as it is very poorly made.

Agree
Disagree
Informative
Unhelpful
Funny

The point of the copier is that there is writable media out there and it is possible to build a device to write to it.  If you don't like the thing on Amazon, look up clonemycard.com.

There are apparently lots of systems using the card serial number (CSN) on smartcards.  There appear to be CSN cloners out there.  This makes sense as again there is now writable media so it is not true the CSN can't be written outside the factory.  Note ISO 14443 cards (stop saying 13.56, you sound like a bunch of people chatting in your rocking chairs on the front porch of the Old Integrator's Home.) have a CSN and so you could "clone a 13.56 card" when in fact you're just cloning the CSN.

If you use DESFire or some mechanism with (currently) strong crypto you are probably fine.

The proxmark is expensive because it's doing it all in a software defined radio.  It happens to be able to crack Mifare Crypto1 because that's a known hack.

Don't use media that can be copied.  Don't "just listen to your Manufacturer" (who's getting rich selling you CSN readers that cost almost nothing to make...) when checking whether your card tech is safe.  Don't use the CSN (I mean on your enterprise door lock.  Feel free to secure the lawn mower shed at your community pool with a wiegand CSN reader.)

Agree
Disagree
Informative
Unhelpful
Funny

look up clonemycard.com

I get a 404 going to http://www.clonemycard.com

I did go to https://www.clonemykey.com/key-card-cloning-service-rfid-proximity/ which seems related.

Agree
Disagree
Informative
Unhelpful
Funny

The Proxmark 3 is a very well supported device, and can now reproduce all the current Access cards, with the exception of SEOS & TWIC cards, if the keys are known. It can extract keys from most 13.56MHz formats with the exception of EV1 and SEOS. The availability of the windows versions and scripting have deskilled the process considerably.

Another factor is the availability of "Magic Cards" which can be completely reprogrammed including the CSN.

The most important thing to remember about smart cards is that they are only as secure as their keys, so how keys are generated, stored, and who knows them becomes extremely important, the best example is the original iClass Hack which was all about poor key storage!

Agree
Disagree
Informative: 1
Unhelpful
Funny
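Worked example, added to this page and not taken from any commenter, for the two points raised above: a system that authorises on the card serial number (CSN) alone is defeated by a 'magic card' with a rewritable UID, and a keyed card is only as strong as its key management. The model below runs two door controllers against a genuine card and a UID clone. The keyed scheme is deliberately simplified: real DESFire EV1 cards do AES mutual authentication and diversify per-card keys with a CMAC, whereas here HMAC-SHA256 stands in for both so the example runs with the standard library only. The master key and UID are constructed demo values.

```python
# Added example: CSN-only authorisation versus keyed challenge-response.
# Assumptions: HMAC-SHA256 stands in for the AES/CMAC primitives a real
# DESFire deployment would use; the master key and UID are demo values.
import hashlib
import hmac
import secrets

MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # demo only


def diversify(master_key, uid):
    """Per-card key derived from the issuer's master key and the card UID."""
    return hmac.new(master_key, b"card-key" + uid, hashlib.sha256).digest()


class GenuineCard:
    """Card personalised by the issuer: holds its diversified key."""

    def __init__(self, uid, card_key):
        self.uid = uid
        self._key = card_key

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class MagicCardClone:
    """Attacker's rewritable card: the UID was copied, the key never was."""

    def __init__(self, cloned_uid):
        self.uid = cloned_uid

    def respond(self, challenge):
        return bytes(32)    # no key, so nothing better than a fixed guess


def csn_only_controller(card, allowlist):
    """Authorises on the UID alone, as many fielded systems do."""
    return card.uid in allowlist


def keyed_controller(card, allowlist, master_key, rng=secrets.token_bytes):
    """Authorises only if the card proves possession of its diversified key."""
    if card.uid not in allowlist:
        return False
    challenge = rng(16)
    expected = hmac.new(diversify(master_key, card.uid),
                        challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.respond(challenge))


def demo():
    uid = bytes.fromhex("04a1b2c3d4e580")        # constructed 7-byte UID
    allowlist = {uid}
    genuine = GenuineCard(uid, diversify(MASTER_KEY, uid))
    clone = MagicCardClone(uid)
    # Attacker who obtained the master key (poor key storage, as with the
    # original iClass break) can personalise a clone that is indistinguishable.
    clone_with_leaked_master = GenuineCard(uid, diversify(MASTER_KEY, uid))
    return {
        "csn_only_genuine": csn_only_controller(genuine, allowlist),
        "csn_only_clone": csn_only_controller(clone, allowlist),
        "keyed_genuine": keyed_controller(genuine, allowlist, MASTER_KEY),
        "keyed_clone": keyed_controller(clone, allowlist, MASTER_KEY),
        "keyed_clone_with_leaked_master":
            keyed_controller(clone_with_leaked_master, allowlist, MASTER_KEY),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'OPEN' if result else 'denied'}")
```

The CSN-only controller opens for the clone, the keyed controller does not, and the keyed controller opens again the moment the attacker holds the master key. That last row is why the question to ask a vendor is who knows the keys and where they live, not which chip is on the card.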

I also bought a $30 125 kHz copier to test out our cards. I tested on 5 different cards and tags; one was copied with ease, the rest the copier couldn't read.

It didn't make me uneasy to the security of those cards, but it's a good educational thing to show: don't leave your cards and tags laying around.

Agree
Disagree
Informative
Unhelpful
Funny

There are 2 basic 125 kHz proximity technologies, EM4xxx and ATA55xx; if a cloner doesn't say it will copy HID (based on ATA55xx), in my experience it copies the EM chips.

For research in this area, the best device is undoubtedly the Proxmark, available from RYSC and Elechouse in Hong Kong

http://www.elechouse.com/elechouse/index.php?main_page=product_info&cPath=90_93&products_id=2264&zenid=brg9icv4889k10m5uh1jgujqo5

I prefer the Elechouse version; it is cheaper, has more memory and can run 2 antennas at once.

It comes with a very active forum, 25,000 members and 6000+ subscribers, so if you think cloning is not happening on a large scale, you are deluding yourself. Most of what I see is "second cards", one to leave in your car for parking as an example, or replacement apartment cards where the landlord wishes to charge $50 to users for a new card.

As to software, it comes with handy utilities to identify card types and can copy any card (if you have the keys); it can extract keys from MIFARE and iClass (based around PicoPass silicon), not SEOS. It can also emulate all the cards. It can run from an easy-to-use GUI on a Windows PC, although I prefer to run it under Ubuntu.

After that the next threat is the availability of FPGA cards which can be programmed including the CSN, thereby breaking encrypted cards.

So in short Card security is now all about key management, i.e. how they are created, who knows the keys, where they are stored etc.

The question I would ask users is : "Who knows your keys, and how do you control your card issuance process?, along with how do you audit user actions?"

Whilst most access systems prevent the loading of 2 cards with the same system number to the system, very few prevent the creation of the 2 cards, one of which can be added to the system, and the second stored for later use.

Agree
Disagree
Informative: 3
Unhelpful
Funny
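Worked example, added here and not code from IPVM or from the commenter above, for the EM4xxx side of that distinction: an EM4100 tag carries no secret, only a fixed 64-bit stream that is a function of its 40-bit ID (9 header ones, ten 4-bit nibbles each followed by an even row-parity bit, four even column-parity bits, a 0 stop bit). A 125 kHz copier reads that stream, checks the parity, and writes the same stream onto a T5577/ATA5577 blank, which is the entire 'clone'. The code encodes and checks that stream; the ID is a constructed sample.

```python
# Added example: build and verify the 64-bit EM4100 data stream.
# Layout: bits 0..8 header (all 1), bits 9..58 ten rows of 4 data bits + even
# row parity, bits 59..62 even column parity, bit 63 stop (0).

SAMPLE_ID = bytes.fromhex("1d0012345a")   # constructed: 8-bit version + 32-bit data


def em4100_encode(id_bytes):
    """Return the 64-character '0'/'1' stream an EM4100 tag transmits."""
    if len(id_bytes) != 5:
        raise ValueError("EM4100 ID is 5 bytes")
    nibbles = []
    for byte in id_bytes:
        nibbles.append(byte >> 4)
        nibbles.append(byte & 0xF)
    bits = [1] * 9                                   # header
    for n in nibbles:
        row = [(n >> 3) & 1, (n >> 2) & 1, (n >> 1) & 1, n & 1]
        bits += row + [sum(row) % 2]                 # data + even row parity
    for col in range(4):                             # even column parity
        bits.append(sum((n >> (3 - col)) & 1 for n in nibbles) % 2)
    bits.append(0)                                   # stop bit
    return "".join(str(b) for b in bits)


def em4100_decode(stream):
    """Return the 5-byte ID, or None if header, parity or stop bit fail.

    This is the check a copier (or a reader) performs before accepting a read.
    """
    if len(stream) != 64 or stream[:9] != "1" * 9 or stream[63] != "0":
        return None
    bits = [int(b) for b in stream]
    nibbles = []
    for r in range(10):
        start = 9 + 5 * r
        row = bits[start:start + 4]
        if sum(row) % 2 != bits[start + 4]:
            return None                              # row parity mismatch
        nibbles.append((row[0] << 3) | (row[1] << 2) | (row[2] << 1) | row[3])
    for col in range(4):
        if sum((n >> (3 - col)) & 1 for n in nibbles) % 2 != bits[59 + col]:
            return None                              # column parity mismatch
    return bytes((nibbles[2 * i] << 4) | nibbles[2 * i + 1] for i in range(5))


def clone_stream(captured):
    """What the copier writes to the blank: the decoded ID re-encoded verbatim."""
    id_bytes = em4100_decode(captured)
    if id_bytes is None:
        raise ValueError("captured stream failed validation")
    return em4100_encode(id_bytes)


if __name__ == "__main__":
    stream = em4100_encode(SAMPLE_ID)
    print("tag stream :", stream)
    print("decoded id :", em4100_decode(stream).hex())
    print("identical  :", clone_stream(stream) == stream)
```

The parity bits exist for read reliability, not authentication, so a valid read is by construction a valid write. This is also why a 'custom' ID scheme on EM-format cards buys nothing against a copier: the copier never interprets the ID, it just reproduces the stream.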