Disclaimer: We are looking to make the world a safer place by educating readers on security issues. Please do not exploit or misuse the below mentioned methods in any way.
When we started KISI, we met a couple of folks at the Chaos Computer Club, Europe’s most recognized hacker organization. Using keycard duplicators like the ones you can easily purchase on eBay for $50, Chaos Computer Club was able to add a couple of bucks on our student card. These keycard duplicators launched 2008 (check out RFIDOT) - so why has this device not posed a threat or created a problem yet?
People sought keycard replacement services for a reason. Technically, copying and duplicating keycards is hard. The premise is that if you cannot program, you would not be able to copy the magnetic HID keycard. So only a few people were able to copy keycards.
But there are more reasons why these white plastic cards survived a little longer than they should have. One of the biggest reasons is that companies today mostly use more expensive HID keycards. They are supposedly and seemingly hard to copy, even for experienced security researchers.
That has been the case, but it changed last week.
At Black Hat, the biggest security conference in the US, researchers presented a $10 device that was able to copy these key cards used for access control systems that were claimed to be “hard to copy” in under 60 seconds!
HID proximity cards, popular access cards used by offices all over the world, and the protocol that underlies them, known as Wiegand, are inherently obsolete and should not be used anymore.
According to researchers, this means that 80% of all companies use vulnerable technology to secure their offices.
Why are researchers able to easily copy and duplicate a magnetic stripe HID keycard?
If you think about it, a keycard is pretty much a device that stores a password on the card. When presented in front of a key card reader, the password and its access credentials are transmitted to the reader. The door unlocks when the access credential number is correct.
Is your bank password stored on your debit card? No, and the banks designed the passwords to be stored externally from your debit card for a good reason.
Why does this not apply to your access control system?
What is also interesting is that many companies invest in server security, secure wifi, firewalls, anti-virus, secure web, and email gateways. They say it’s in the name of security: “We are vanguards and believers of tools that bolster office security.” They think that intruders are lazy, they don’t want to make things complicated, and they want to take the path of the least resistance.
You think you have a strong cyber security system in place? Ironically, someone can just walk into your office and take some computers.
Similar to office security: cloud access and networks are too difficult to get in, so it's actually easier to do it the old fashioned way. By exploiting the archaic and outdated HID keycard technology, an intruder can easily duplicate a key card and walk in to your office to steal a couple of laptops.
This happens all the time - it just never becomes public because companies don't want to announce that they have been burglarized and had their computers stolen.
A couple of thoughts on why keycards are still around:
- Companies rely on self-regulating mechanisms. When you lose your keycard or are unsure about it’s usage, you just cut it off like an old credit card and get a new one (although when this happens, it might be too late).
- A picture is printed on the keycard. As previously mentioned, Google’s CIO Ben Fried purely is a fan of key cards because they provide a layer of visibility - making it possible for security guards to match the picture on your ID with your face. Yes, adding security guards to your office entrance is a way to prevent burglaries. Then, what do you truly need the key card for?
- As @TyMcNeely pointed out, an HID keycard like SEOS or Indala can not be hacked using this device but might be vulnerable in other ways.
If you work in an office using key cards, think twice about how you manage them and who you give them to. To keep your office safe, read how you can choose a secure access control system.
[update 1] our new post about cloning or copying ID prox cards
[update 2] check the most read post about hacking HID
[update 3] in this context might be great to understand how facility codes work and how facility codes are programmed
[update 4] Since HID readers are an IoT product, read our whitepaper post about secure IoT and physical security