2/28/2018

Hacking HID with Wiegand Protocol Vulnerability

Disclaimer: We are looking to make the world a safer place by educating readers on security issues. Please do not exploit or misuse the methods mentioned below in any way.

⚠️Important update: as many as 80% of all keycards currently used within commercial facilities may be prone to hacking due to protocol vulnerabilities. We are launching a free service (U.S. and Canada only for now) where we assess if your cards are secure. Learn more here!

Fact: the keycard reader is the single most vulnerable point in your entire physical office security setup.

Yet, somehow we tend to only be concerned with choosing the right quality door lock, a solid access control system, and a high-security reinforced door. But what about the keycard reader? It’s the one input where information is being sent from outside your office to the access control system.

This is why your keycard reader is exposed to potential threats from hackers seeking to infiltrate your business. We previously reported how a $10 device can hack HID cards, but now we want to explore why this can happen (hint: it’s really, really simple).

In order to do this, we’re going to dive beneath the surface of the keycard to understand exactly how the keycard reader is communicating with the access control system.

The Basics

There are 3 basic protocols for keycard readers:

In this post we're going to focus solely on the Wiegand interface, as it is the most common protocol.

The Wiegand Protocol

Card readers to access offices, buildings, subways, and door locks were invented in the 1980’s, and with them came the Wiegand protocol (or Wiegand interface).

The main objective of the Wiegand protocol is to connect card readers to electronic entry systems via a specific protocol language.

However, this means that whoever can learn the Wiegand protocol language can talk to the electronic access system.

A basic keycard system typically looks something like this:

Basic access control system

When John R. Wiegand, a renowned German engineer, discovered the Wiegand effect, he made a great discovery on how to make codes more secure on cards than magnetic stripe technology.

How did Wiegand do it?

Wiegand discovered that a certain ferromagnetic alloy (made of cobalt, iron and vanadium) can be used to transfer a signal: applying a magnetic field to the Wiegand alloy induces distinct, repeatable reactions.

Fun fact: The original patent was filed in 1974 (!). The fact that offices throughout the world are being secured by an over-40-year-old technology is a little scary!

What this means: Basic office HID keycards have a series of short-length Wiegand wires that encode the key via the presence or absence of wires. If a wire is there, it sends “1”; if a wire is missing it sends “0.”

This adds up to a series of 1’s and 0’s, e.g. 1010110100, which ends up being your keycard number. This number is fixed and can’t be changed.

Once a card is presented at the reader, this chain of 1’s and 0’s is sent to the host controller on the electronic access system in your IT room. On a technical level it looks like this:

Wiegand wires

Where the voltage falls to 0V, the system reads a 0; where the current stays at +5V, it counts a 1.

The code on the card can be seen when the card is against bright light:

26 bit Wiegand wiring

Clearly this has more stripes than the simplified example above; this is because this is an example of the 26-bit format, aka the “universal format” for key cards. 26 bit means there are 26 stripes. Most access card manufacturers like HID hide this information in proprietary formats which they sell at additional cost. Encoding could look like this:

Wiegand format
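To make the 26-bit layout concrete, here is an added example (not code from the original post or from Kisi) that encodes and decodes frames in the open 26-bit format: a leading even-parity bit over the first 13 bits, an 8-bit facility code, a 16-bit card number, and a trailing odd-parity bit over the last 13 bits. It also shows the check a controller can run on the frames it receives, since parity is the only integrity the format offers and a parity failure is the cheapest sign of a mis-read, a wiring fault or a malformed frame. The log lines at the bottom are constructed for the example, and the `audit_reader_log` helper and its log line format are assumptions, not any vendor's format.

```python
# Added example: open 26-bit Wiegand format (8-bit facility code, 16-bit card
# number, two parity bits). Frame layout, MSB first:
#   bit 0      : even parity over bits 0..12 (bit 0 plus facility code and the
#                top 4 bits of the card number)
#   bits 1..8  : facility code (0-255)
#   bits 9..24 : card number (0-65535)
#   bit 25     : odd parity over bits 13..25 (low 12 bits of card number plus bit 25)
# Vendor-proprietary formats (as the post notes) use other lengths and layouts;
# only the open 26-bit format is handled here.
from dataclasses import dataclass
import re

FRAME_BITS = 26


def _ones_parity(bits: str) -> int:
    """Return 1 if the bit string has an odd number of ones, else 0."""
    return bits.count("1") % 2


def encode_wiegand26(facility: int, card: int) -> str:
    """Build a 26-bit frame (as a string of '0'/'1') from facility code and card number."""
    if not 0 <= facility <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = f"{facility:08b}{card:016b}"          # 24 data bits
    left, right = payload[:12], payload[12:]         # halves covered by each parity bit
    even_bit = _ones_parity(left)                    # makes ones in bits 0..12 even
    odd_bit = 1 - _ones_parity(right)                # makes ones in bits 13..25 odd
    return f"{even_bit}{payload}{odd_bit}"


@dataclass
class Wiegand26:
    facility: int
    card: int
    parity_ok: bool


def decode_wiegand26(frame: str) -> Wiegand26:
    """Split a 26-bit frame into its fields and verify both parity bits."""
    if len(frame) != FRAME_BITS or set(frame) - {"0", "1"}:
        raise ValueError("expected a 26-character string of 0s and 1s")
    payload = frame[1:25]
    facility = int(payload[:8], 2)
    card = int(payload[8:], 2)
    even_ok = _ones_parity(frame[:13]) == 0   # even parity: even number of ones
    odd_ok = _ones_parity(frame[13:]) == 1    # odd parity: odd number of ones
    return Wiegand26(facility, card, even_ok and odd_ok)


# Assumed (constructed) controller log format: "reader=<name> frame=<bits>".
_LOG_RE = re.compile(r"reader=(?P<reader>\S+)\s+frame=(?P<frame>[01]+)")


def audit_reader_log(lines: list[str]) -> dict:
    """Count well-formed reads versus frames a controller should reject.

    Frames of the wrong length or with bad parity are reported per reader so a
    burst of them on one reader stands out from ordinary, occasional mis-reads.
    """
    summary = {"valid": 0, "rejected": 0, "rejected_by_reader": {}}
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        reader, frame = m.group("reader"), m.group("frame")
        try:
            ok = decode_wiegand26(frame).parity_ok
        except ValueError:
            ok = False
        if ok:
            summary["valid"] += 1
        else:
            summary["rejected"] += 1
            summary["rejected_by_reader"][reader] = summary["rejected_by_reader"].get(reader, 0) + 1
    return summary


# Constructed sample: one good read, one bit-flipped read, one short frame.
SAMPLE_LOG = [
    "2018-02-28T09:00:01 reader=lobby frame=" + encode_wiegand26(123, 45678),
    "2018-02-28T09:00:07 reader=lobby frame=" + "0" + encode_wiegand26(123, 45678)[1:],
    "2018-02-28T09:00:09 reader=dock  frame=1011010",
]

if __name__ == "__main__":
    frame = encode_wiegand26(123, 45678)
    print(frame, decode_wiegand26(frame))
    print(audit_reader_log(SAMPLE_LOG))
```

Because each parity bit covers one half of the frame, any single flipped bit fails exactly one of the two checks, which is why the second constructed log line is rejected; a controller that logs such rejections per reader gets a simple, vendor-independent signal of reader or wiring trouble.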

If you want to learn 5 ways to hack the Wiegand protocol, this post describes basics of accessing, skimming, emulating, brute forcing, and fuzzing.

HID card reader

If your office keycard reader looks like this, you should think about changing it ASAP.

Important to know: backwards compatible

Most key card readers sold today are still backwards compatible. This means that even if you buy secure biometric retina scanners - or smart card readers - there’s a chance they still use the Wiegand electrical data protocol to communicate to the access control system.

The implications? You can hack the system using plain text (no encryption), you can easily intercept signals sent back and forth from the access panel to the reader, and they can easily be replayed.

As a comparison, proximity cards work on radio frequency (RF): the card reader emits a 125 kHz field that powers the card. Once powered on, the card sends its data back to the reader, where it is read by the host system. There are also active cards that emit a field to the reader themselves.

Here is the coil hidden in the card that allows the radio frequency to induct power.

RF keycard coil

These “prox cards” also send back 26 bits. Higher security cards can be 40 or 84 bits. Proximity card protocols are all proprietary, which means there is no interoperability between brands like MIFARE Classic, iCLASS, LEGIC, FeliCa, etc.

We acknowledge HID’s work in providing smart cards like Indala or privClass; however, basic systems like ADT, Keyscan, Keri Systems or others still use Wiegand or Prox based keycards provided by HID.

What does this mean for you? You might be an office manager, IT manager or facilities workplace coordinator, and you probably have a to-do list for today that exceeds the next 30 hours. Just think about what would happen if someone walked into your office with a cloned keycard and hacked his or her way in. How much time and trouble would this cost you?

For even more information on the Wiegand protocol, download Honeywell’s 1 page pdf or HID Global’s 5 page pdf (which also nicely explains differences of Wiegand format).

[update 1] Here is our new post about cloning or copying ID prox cards

[update 2] Our most read post about hacking HID

[update 3] Understand how facility codes are programmed

[update 4] Learn how access control systems work

[update 5] Check out our review of HID Global

Brought to you by Kisi, a technology driven physical access solution powered by mobile, cloud and IoT.