Smartcard Copier Tested (13.56MHz)

By: Brian Rhodes, Published on Jul 05, 2017

Copying 125kHz cards is certainly easy, as our test results showed, but how about 13.56MHz smart cards? Are they more secure?

IPVM focused on the risk of Hacking Your Access Control With This $30 HID 125kHz Card Copier, but are more advanced 13.56 MHz 'smartcard' formats more secure?

We bought a smart card cloner; the unit shipped to us is shown below:

The seller is undoubtedly polite, but would it work?

We tested the following card formats:

  • HID iClass Legacy and iClass SE (13.56 MHz)
  • MIFARE Classic 1K (13.56 MHz)
  • MIFARE DESFire EV1 (13.56 MHz)
  • HID ProxII and ISOProx (125 kHz)
  • Kantech XSF (125 kHz)
  • EM 4100 Generic Format (125 kHz)

Full results, videos and analysis inside.


Box *******

*** *** *** **** was ******* ** ** shown *****:

Fails ** **** **********

** *** **** ***** below, ** ***** *** this '**** ********' **.** MHz *** ****** ** clone ** **** ******* credential ******* **** ** modern access *******:

** *** ****, ** tried ******** **.** *** and *** *** *******, and **** *** **** to ************ ***** *** write ******** *** ******* EM *** *** *********.  Of ****, **** ** the *** ****** ******* were ***** ******, *** even *** **** *****, unencoded *** *** ****, Prox **, *** ******* formats ******* ** ***** units:

13.56 *** ****** **** ************ 

*** ********** ****** ** tested*** ******** ******* ** its **** ************ ******************* [**** ** ****** available]. **** ****-*** ******** from ********* **** ****** [link ** ****** *********] and **** [**** ** longer *********] *** **** than $***, *** **** this **** ** ** easy *** *********** ** procure, ********** *** ***** of * **** ** poses ** ********** ****** systems ** ******.

*******, *** ******* ** this ****, ************ **** this **** **** *** work ** **********, **** not ******** *** **** other ******* ******* *** present.  *************, *** ********** used ** ********* (********** ***** ****), *** *** ************** of *** ******* *** decoded ** ***. * unit ** ****** **** successfully ************ ***** ******** could ** * *** threat.

Eight ******* ******

** ****** ***** ****** control ** ******* **** this ****, *** **** one ****** ************ ******. Of *** **.** *** formats ** *****, **** MIFARE ******* *** *** iClass *****, **** **** copied.  *** *** *** kHz ****** *** **********, but *** ********** **** did *** **** *********.  The ***** ******* ****** included ****** *******, ****** Legacy, ****** **, ******* XSF, *** *** *******:

Most ****** ******* ************

***** **** ********** ****** may ** * **** for **** *********** ** RF ****, **** ***** used ** *** ******, Meal *****, ** ******** Buyer ******* ********, ** mostly ** *********** *** access ******* *******.  **** does *** **** **** those ******* *** ****** against *** ********, *******, just **** **** ********** device ** *** * big *******.

Blanks ********* ** ***

*** ********** ********** ** using ****** ********* '*********' formats ** *** ********** in ******** ******** ***** writable ***** ** **** stolen ***********.

********** ** ******* **** the **** ** **** test ****, ******* * blank ***** **** ** write ****** *********** ** is **** **** ****** and ********* **** ******* blank *** *** **-******** keyfobs ** *** ********** card *******.  ***** ****** cost ** ****** ** $0.35 ***** **** *** ship **** ***, ***** iClass ** ****** ***** cost $** **** *** often *** **** ******* controlled ** ************ ** even *********.

Comments (18)

I got some of these copiers as well and tested them with our 125 kHz cards we custom programmed for us. It wouldn't copy any of them. It said it did, but when we tested the cards they never worked. It would however copy the cards and fobs that came with the kit. I'm curious to know if this is a flaw with the copier or if there's something in our cards that prevents them from being copied properly.

I would say the $30 copier we tested is a better device for testing risk.  However, with that in mind, the risk of 125 kHz formats being copied is the intersection of several factors:

1. Most 125 kHz formats are unencoded (most 13.56 MHz are)

2. Finding rewritable blanks for 125 kHz formats is easy/cheap (not with 13.56 MHz)

3. Using 'custom programmed' cards could offer protection, but defining what is actually 'custom' about them is vital.  There's a good chance that if the 'custom' part only addresses the facility codes, CSNs, or batch ID numbers which are the most common 'customized' factors, they still are vulnerable.

Friend,

Was item damage in mail?

The seller was ultra-polite!  

Not only was there a handwritten note, he/they emailed several times afterward to make sure I received it. Overall, it was impressive.  I've bought an automobile and felt less appreciated.

 

Great information.  Thanks for another very informative article.

Great Report :)  I am interested in not only the card to reader security but also the reader to controller security ... which is often static and plain text.

My perception is that vendors focus on how many different codes are available as opposed to how secure the code is.  Most end users (but not all) are not threatened by someone who has a card for building "A" discovering that this card works for building "B". They are worried about credentials being copied or the reader to controller channel compromised.

Thanks

RBL

Hello Randy:

I am interested in not only the card to reader security but also the reader to controller security 

I'd suggest reading Wiegand vs OSDP as a primer on this link.

OSDP is encrypted and bi-directional, while Wiegand is unencrypted and pushes data in one direction only.

After the credential information leaves the reader, it largely loses whatever encryption or encoding the card or fob provides, so OSDP brings some security to the 'controller channel'.

 

I doubt the risk owner for building B is expecting building A's cardholders to have access to their stuff.  I really don't think the arson inspector for B's insurance company would like that either.   IT would tell you most card number formats out there should have died last century.  ("you should all be running on 128 bit UUID's")  The cardholder data, when in motion, anywhere, should be secured.  Security can mean OSDP with Secure Channel over 485 or TLS.  Security might just mean getting the project owner to behave responsibly and wire the tamper relay on the inside of the panel enclosure and doing a decent job of running metal conduit from the panel box back to the switch rack.

 

 

How many cars could an old style key for a similar make and model start .... many. How many cars were stolen that way ..... none.  I was just merely pointing out that the threat from someone going around and trying their cards on other facilities is extremely small (but not zero to your point).

You have correctly identified that there is a continuum of security options ... and that IT is a few generations ahead of physical security on awareness of these vulnerabilities. The fact is that what used to be a fairly large barrier to entry for a non-hacker has been significantly lowered with these devices. I purchased one that was featured on Engadget for less than $30 Canadian (almost free in US haha). It readily copied a very common credential. Convincing clients of the vulnerability is a simple demonstration. They own the risk. Not me. 

OSDP has raised the barrier. Perhaps on par with CAN bus type hacks in automobiles. OSDP with Secure Channel appears to have raised the bar a lot. Using tampers and metal conduit also raises the barriers, as you have pointed out.

Telling clients that the system that they upgraded a few years ago is now obsolete is a tough pill for physical security persons. IT learned over the past decades that 6 months is eternity for an unpatched system. IT learned ... mostly the hard way that there is a need to upgrade continuously.  Now that all physical security providers are getting in the game with an "app for that" they are learning the lessons of IT from a decade ago .... but I digress!!

In the future, all existing physical security communication standards, whether it be Wiegand or Contact ID, will move to the much more mature domain of the OSI.

Have a great Day

Randy

ps There is always too much security until there is not enough!

Thanks for the insightful comment.  +1 informative

Would be interested to know from this group if they've encountered any copiers that are more reliable than this one, even if the cost is higher. When I went to Amazon and did a search, there were a few others out there, but absolutely none of them had any ratings, or only had a single reviewer.

The $350 Rysc Proxmark3 series has been used to crack some 13.56 MHz formats, although it is more a crypto-sport device and not a merchandised copier.

Using it often requires programming knowledge and basic cryptography skills and is not a simple 'point 'n click' type of copier.

I had this copier work as stated for about 2 weeks and then it died.

I would not recommend getting it, as it is very poorly made.

The point of the copier is that there is writable media out there and it is possible to build a device to write to it.  If you don't like the thing on Amazon, look up clonemycard.com.

There are apparently lots of systems using the card serial number (CSN) on smartcards.  There appear to be CSN cloners out there.  This makes sense as again there is now writable media so it is not true the CSN can't be written outside the factory.  Note ISO 14443 cards (stop saying 13.56, you sound like a bunch of people chatting in your rocking chairs on the front porch of the Old Integrator's Home.) have a CSN and so you could "clone a 13.56 card" when in fact you're just cloning the CSN.

If you use DESfire or some mechanism with (currently) strong crypto you are probably fine.

The proxmark is expensive because it's doing it all in a software defined radio.  It happens to be able to crack Mifare Crypto1 because that's a known hack.

Don't use media that can be copied.  Don't "just listen to your Manufacturer" (who's getting rich selling you CSN readers that cost almost nothing to make...) when checking whether your card tech is safe.  Don't use the CSN (I mean on your enterprise door lock.  Feel free to secure the lawn mower shed at your community pool with a Wiegand CSN reader.)

look up clonemycard.com

I get a 404 going to http://www.clonemycard.com

I did go to https://www.clonemykey.com/key-card-cloning-service-rfid-proximity/ which seems related:

The Proxmark 3 is a very well supported device, and can now reproduce all the current access cards, with the exception of SEOS & TWIC cards, if the keys are known. It can extract keys from most 13.56MHz formats with the exception of EV1 and SEOS. The availability of the Windows versions and scripting has deskilled the process considerably.

Another factor is the availability of "Magic Cards" which can be completely reprogrammed including the CSN.

The most important thing to remember about smart cards is that they are only as secure as their keys, so how keys are generated, stored, and who knows them becomes extremely important. The best example is the original iClass hack, which was all about poor key storage!

I also bought a $30 125 kHz copier to test out our cards. I tested on 5 different cards and tags; one was copied with ease, the rest the copier couldn't read.

It didn't make me uneasy about the security of those cards, but it's a good educational thing to show: don't leave your cards and tags lying around.

There are 2 basic 125 kHz proximity technologies, EM4xxx and ATA55xx. If a cloner doesn't say it will copy HID (based on ATA55xx), in my experience it copies the EM chips.

For research in this area, the best device is undoubtedly the Proxmark, available from RYSC and Elechouse in Hong Kong.

http://www.elechouse.com/elechouse/index.php?main_page=product_info&cPath=90_93&products_id=2264&zenid=brg9icv4889k10m5uh1jgujqo5

I prefer the Elechouse version; it's cheaper, has more memory and can run 2 antennas at once.

It comes with a very active forum, 25,000 members and 6000+ subscribers, so if you think cloning is not happening on a large scale, you are deluding yourself. Most of what I see is "second cards", one to leave in your car for parking as an example, or replacement apartment cards where the landlord wishes to charge $50 to users for a new card.

As to software, it comes with handy utilities to identify card types and can copy any card (if you have the keys); it can extract keys from Mifare and iClass (based around PicoPass silicon), not SEOS. It can also emulate all the cards. It can run from an easy to use GUI on a Windows PC, although I prefer to run it under Ubuntu.

After that the next threat is the availability of FPGA cards which can be programmed including the CSN, thereby breaking encrypted cards.

So, in short, card security is now all about key management, i.e. how they are created, who knows the keys, where they are stored, etc.

The question I would ask users is : "Who knows your keys, and how do you control your card issuance process?, along with how do you audit user actions?"

Whilst most access systems prevent the loading of 2 cards with the same system number to the system, very few prevent the creation of the 2 cards, one of which can be added to the system, and the second stored for later use.
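
The issuance-control gap described in the last comment (two cards created with the same number, only one loaded into the system) can be checked from the encoding station's own records. The following is an added example, not part of the original article or its comments; the log layout, action names and sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an encoder-station log (assumed layout):
# time, operator, action, facility_code, card_number, csn
SAMPLE_LOG = """\
2017-07-03T09:12:01,alice,ENCODE,117,20451,04A1B2C3
2017-07-03T09:12:40,alice,ENROLL,117,20451,04A1B2C3
2017-07-03T09:15:22,bob,ENCODE,117,20452,04D4E5F6
2017-07-03T09:15:58,bob,ENROLL,117,20452,04D4E5F6
2017-07-03T17:48:09,bob,ENCODE,117,20452,04AA10FF
2017-07-04T08:01:30,carol,ENCODE,117,20453,04778899
"""


def audit_issuance(log_text):
    """Flag credentials that exist on cards the access system never saw."""
    encoded = defaultdict(list)  # (facility, number) -> [(time, operator, csn)]
    enrolled = defaultdict(set)  # (facility, number) -> {csn}
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines
        time, operator, action, fc, number, csn = row
        key = (int(fc), int(number))
        if action == "ENCODE":
            encoded[key].append((time, operator, csn))
        elif action == "ENROLL":
            enrolled[key].add(csn)

    findings = []
    for key, events in sorted(encoded.items()):
        csns = {csn for _, _, csn in events}
        unenrolled = sorted(csns - enrolled[key])
        if len(csns) > 1:
            kind = "DUPLICATE_ENCODE"      # same number on 2+ physical cards
        elif unenrolled:
            kind = "ENCODED_NOT_ENROLLED"  # card written, never loaded
        else:
            continue
        findings.append({
            "credential": key,
            "kind": kind,
            "unenrolled_csns": unenrolled,
            "operators": sorted({op for _, op, _ in events}),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_issuance(SAMPLE_LOG):
        print(finding)
```

The access system's duplicate-number check never fires in the constructed case because the second card is not loaded; only the encoder-side record shows it.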
