Any HID Proximity Keycard Can Easily Be Hacked Using A $10 device

By Bernhard Mehl
December 4, 2018

Disclaimer: We are looking to make the world a safer place by educating readers on security issues. Please do not exploit or misuse the below mentioned methods in any way.

When we first launched Kisi in 2012, we met a few people at a Chaos Computer Club event, Europe’s most recognized hacker organization. While there, we saw some club members using keycard duplicators (available on eBay for $50) to covertly add money onto a student ID card. This demonstration highlighted how easily accessible devices like this could be used to undermine established security methods.Those keycard duplicators launched in 2008 (check out RFIDOT) and have remained under the radar of people not familiar with security technology. In this article we look at why this device not posed a major threat or created a mainstream problem yet.

Technically speaking, manually copying and duplicating keycards is difficult. Without a programming backround, it's unlikely that someone could copy an HID keycard, which narrowed the risk down to a specific group of people before the invention of keycard duplicators.

But there are more reasons why these white plastic cards survived a little longer than they should have. One of the biggest reasons is that companies today mostly use more expensive HID keycards which are harder to copy, even for experienced security researchers. But again, inexpensive keycard duplicators won the day.

At Black Hat, the biggest security conference in the US, researchers presented a $10 device that was able to copy key cards used for access control systems in under 60 seconds!

Here is the open source data and the video of how it works. The article also uses pretty drastic language to describe the experience.

Pro Tip: HID proximity cards, popular access cards used by offices all over the world, and the protocol that underlies them, known as Wiegand, are inherently obsolete and should not be used anymore.

According to researchers, this means that 80% of all companies use vulnerable technology to secure their offices.

5cf6e8428ea8d3a68f6c93e3
template-9
container

Why are magnetic stripe HID keycards so easy to copy?

Simply put, a keycard is a device that stores a password. When presented in front of a key card reader, the password and its access credentials are transmitted to the reader. The door unlocks if the access credential number is correct.

Is your bank password stored on your debit card? No, and the banks designed the passwords to be stored externally from your debit card for a good reason.

Why does this not apply to your access control system?

Despite the amount of money companies spend on server security, secure WiFi, firewalls, anti-virus software, and email gateways within an office, managers often forget about the first line of defense in any office environment - the front door. Vulnerabilities in keycard systems and legacy access control systems are often downplayed on or forgotten because the people walking through the physical building become comfortable with their surroundings. And even when office buildings do get burglarized (which happens more often than you'd think), companies are hesitant to make those incidents public.

The reality is that intruders, no matter their level of technological prowess, generally take the path of least resistance when scoping a target. And since the invention of the aforementioned keycard duplicators, it's become almost laughably easy to exploit outdated keycard technology, walk into an office and take any computers, laptops, safe boxes or anything of value.

This is why cloud-based access control is such an attractive alternative for businesses of any size. Cloud access control allows offices to operate without keycards or badges of any kind while tightening building security to levels never seen before and even improving employee flexibility of movement.

Why Keycards Are Still Around:

  • Companies rely on self-regulating mechanisms. When someone lose's theiryour keycard or are unsure about it’s usage, you just cut it off like an old credit card and get a new one (although when this happens, it might be too late).
  • A picture is printed on the keycard. As previously mentioned, Google’s CIO Ben Fried is a fan of key cards solely because they provide a layer of visibility for security guards to match the picture on your ID with your face. However security guards kind of defeat the purpose of keycards anyway!
  • As @TyMcNeely pointed out, an HID keycard like SEOS or Indala can not be hacked using this device but might be vulnerable in other ways.

If you work in an office using key cards, think twice about how you manage them and who you give them to. To keep your office safe, read how you can choose a secure access control system.

[update 1] Our new post about cloning or copying ID prox cards

[update 2] Check the most read post about hacking HID

[update 3] In this context it might be great to understand how facility codes work, how facility codes are programmed and about hid card format calculator

[update 4] Since HID readers are an IoT product, read our whitepaper post about secure IoT and physical security

Bernhard Mehl

Bernhard is the co-founder and CEO of Kisi. His philosophy, "security is awesome," is contagious among tech-enabled companies.

How to Guide
Access Control Basics
Guides