Smartcard Copier Tested (13.56MHz)

Published Jul 05, 2017 14:24 PM

Copying 125kHz cards is certainly easy, as our test results showed, but how about 13.56MHz smart cards? Are they more secure?

IPVM focused on the risk of Hacking Your Access Control With This $30 HID 125kHz Card Copier, but are more advanced 13.56 MHz 'smartcard' formats more secure?

We bought a smart card cloner, the unit shipped to us shown below:

The seller is undoubtedly polite, but would it work?

We tested the following card formats:

  • HID iClass Legacy and iClass SE (13.56 MHz)
  • MIFARE Classic 1K (13.56 MHz)
  • MIFARE DESFire EV1 (13.56 MHz)
  • HID ProxII and ISOProx (125 kHz)
  • Kantech XSF (125 kHz)
  • EM 4100 Generic Format (125 kHz)

Full results, videos and analysis inside.

Box Shipped

The box the unit was shipped in is shown below:

Fails To Copy Smartcards

In the demo video below, we shows how this 'more advanced' 13.56 MHz was unable to clone or copy popular credential formats used in modern access control:

In our test, we tried multiple 13.56 MHz and 125 kHz formats, and were not able to successfully clone and write anything but general EM 125 kHz varieties.  Of note, none of the HID Global formats were tried copied, not even the very risky, unencoded 125 kHz Prox, Prox II, and ISOProx formats cracked by other units:

13.56 MHz Copier Wide Availability 

The particular copier we tested was selected because of its easy availability from online resellers [link no longer available]. With next-day shipping from providers like Amazon [link no longer available] and eBay [link no longer available] for less than $100, the fact this unit is so easy and inexpensive to procure, evaluating how large of a risk it poses to commercial access systems is useful.

However, the results of this test, specifically that this unit does not work as advertised, does not mitigate the risk other similar copiers may present.  Fundamentally, the technology used is effective (as previous tests show), but the implementation of how formats are decoded is not. A unit or device that successfully incorporates these together could be a big threat.

Eight Formats Tested

We tested eight access control RF formats with this unit, and only one format successfully copied. Of the 13.56 MHz formats we tried, both MIFARE DESFire EV1 and iClass types, none were copied.  The HID 125 kHz format was recognized, but the credential info did not copy correctly.  The other formats tested included MIFARE Classic, iClass Legacy, iClass SE, Kantech XSF, and HID ISOProx:

Most Access Formats Incompatible

While this particular copier may be a risk for some credentials or RF tags, like those used as Bus Tokens, Meal Cards, or Retailer Buyer Loyalty programs, it mostly is ineffective for access control formats.  This does not mean that those formats are secure against any exploits, however, just that this particular device is not a big concern.

Blanks Difficult To Get

One logistical protection in using higher frequency 'smartcard' formats is the difficulty in locating suitable blank writable cards to copy stolen information.

Regardless if copiers like the unit in this test work, finding a blank donor card to write stolen information to is much more obtuse and expensive than finding blank 125 kHz re-writable keyfobs or HID compatible card formats.  Those blanks cost as little as $0.35 cents each and ship next day, while iClass SE blanks often cost $30 each and often are very tightly controlled by distributors if even available.

Comments are shown for subscribers only. Login or Join