Hacking HID with Wiegand Protocol Vulnerability
Disclaimer: We are looking to make the world a safer place by educating readers on security issues. Please do not exploit or misuse the methods mentioned below in any way.
Fact: the keycard reader is the single most vulnerable point in your entire physical office security setup.
Yet somehow we tend to concern ourselves only with choosing a quality door lock, a solid access control system, and a reinforced high-security door. But what about the keycard reader? It is the one input where information is sent from outside your office into the access control system.
This is why your keycard reader is exposed to potential threats from attackers seeking to infiltrate your business. We previously reported how a $10 device can hack HID cards, but now we want to explore why this can happen (hint: it’s really, really simple).
In order to do this, we’re going to dive beneath the surface of the keycard to understand exactly how the keycard reader is communicating with the access control system.
There are 3 basic protocols for keycard readers:
- Wiegand
- Serial (RS232, used by the hack gear linked here; RS422; RS485)
- Clock-and-Data / ABA format (magnetic stripe track, mostly used in credit cards)
In this post we're going to focus solely on the Wiegand interface, as it is the most common protocol.
The Wiegand Protocol
Card readers to access offices, buildings, subways, and door locks were invented in the 1980’s, and with them came the Wiegand protocol (or Wiegand interface).
The main objective of the Wiegand protocol is to connect card readers to electronic entry systems via a specific protocol language.
However, this means that whoever can learn the Wiegand protocol language can talk to the electronic access system.
A basic keycard system typically looks something like this:
When John R. Wiegand, a renowned German engineer, discovered the Wiegand effect, he found a way to store codes on cards more securely than magnetic stripe technology did.
How did Wiegand do it?
Wiegand discovered that a certain ferromagnetic alloy (made of cobalt, iron and vanadium) can be used to transfer a signal: applying a magnetic field to the Wiegand alloy induces distinct, detectable reactions in it.
Fun fact: The original patent was filed in 1974 (!). The fact that offices throughout the world are being secured by an over-40-year-old technology is a little scary!
What this means: basic office HID keycards contain a series of short Wiegand wires that encode the key via the presence or absence of wires. If a wire is present, it sends a “1”; if a wire is missing, it sends a “0”.
This adds up to a series of 1’s and 0’s, e.g. 1010110100, which ends up being your keycard number. This number is fixed and can’t be changed.
Once a card is presented at the reader, this chain of 1’s and 0’s is sent to the host controller on the electronic access system in your IT room. On a technical level it looks like this:
Where the voltage drops to 0V, the system reads a 0; where it stays at +5V, it counts a 1.
The code on the card can be seen when the card is against bright light:
Clearly this has more stripes than the simplified example above; this is because it is an example of a 26-bit card, aka the “universal format” for keycards. 26-bit means there are 26 stripes. Most access card manufacturers like HID hide this information in proprietary formats which they sell at additional cost. The encoding could look like this:
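To make the 26-bit layout concrete, here is an added example (not code from the original post) that encodes and decodes a 26-bit Wiegand frame in Python. It assumes the common 26-bit layout often referred to as H10301: one even parity bit, an 8-bit facility code, a 16-bit card number, and one odd parity bit. The facility code 42 and card number 1234 used in the demo are constructed sample values.

```python
# Added example: encode/decode the 26-bit Wiegand frame described above.
# Assumed layout (the common 26-bit format, often called H10301):
#   bit 0       even parity over bits 1-12
#   bits 1-8    8-bit facility code
#   bits 9-24   16-bit card number
#   bit 25      odd parity over bits 13-24
from dataclasses import dataclass


@dataclass(frozen=True)
class Wiegand26:
    facility_code: int
    card_number: int
    even_parity_ok: bool
    odd_parity_ok: bool

    @property
    def valid(self) -> bool:
        """True only when both parity bits check out (transmission was clean)."""
        return self.even_parity_ok and self.odd_parity_ok


def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Build the 26-character '0'/'1' frame a reader sends for this FC / card number."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = f"{facility_code:08b}{card_number:016b}"   # the 24 data bits
    even = str(data[:12].count("1") % 2)              # bits 0-12 end up with an even number of 1s
    odd = str(1 - data[12:].count("1") % 2)           # bits 13-25 end up with an odd number of 1s
    return even + data + odd


def decode_wiegand26(bits: str) -> Wiegand26:
    """Decode a 26-character '0'/'1' string and verify both parity bits."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 characters of '0' and '1'")
    even_ok = bits[:13].count("1") % 2 == 0   # parity bit + first 12 data bits
    odd_ok = bits[13:].count("1") % 2 == 1    # last 12 data bits + parity bit
    return Wiegand26(
        facility_code=int(bits[1:9], 2),
        card_number=int(bits[9:25], 2),
        even_parity_ok=even_ok,
        odd_parity_ok=odd_ok,
    )


if __name__ == "__main__":
    # Constructed sample: facility code 42, card number 1234.
    frame = encode_wiegand26(42, 1234)
    print("frame on the wire :", frame)
    print("decoded           :", decode_wiegand26(frame))
    # A single flipped bit is caught by parity, nothing more: there is no secret in the frame.
    corrupted = frame[:5] + ("1" if frame[5] == "0" else "0") + frame[6:]
    print("corrupted decoded :", decode_wiegand26(corrupted))
```

Note what the decoder does not need: no key, no challenge, no timestamp. The only integrity check in the frame is two parity bits, and the 24 data bits (256 facility codes times 65,536 card numbers) are sent in the clear and are fixed for the life of the card, which is exactly why a captured frame is as good as the card itself.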
If you want to learn 5 ways to hack the Wiegand protocol, this post describes basics of accessing, skimming, emulating, brute forcing, and fuzzing.
If your office keycard reader looks like this, you should think about changing it ASAP.
Important to know: backwards compatible
Most key card readers sold today are still backwards compatible. This means that even if you buy secure biometric retina scanners - or smart card readers - there’s a chance they still use the Wiegand electrical data protocol to communicate to the access control system.
The implications? You can hack the system using plain text (no encryption), you can easily intercept signals sent back and forth from the access panel to the reader, and they can easily be replayed.
As a comparison, proximity cards work with a 125 kHz radio frequency (RF) field that the card reader emits to power the card. Once powered on, the card sends its data back to the reader, where it is read by the host system. There are also active cards that emit a field to the reader themselves.
Here is the coil hidden in the card that allows the radio frequency to induct power.
These “prox cards” also send back 26 bits. Higher-security cards can use 40 or 84 bits. Proximity card protocols are all proprietary, which means there is no interoperability between brands like MIFARE Classic, iCLASS, LEGIC, FeliCa, etc.
What does this mean for you? You might be an office manager, IT manager or facilities workplace coordinator, and you probably have a to-do list for today that exceeds the next 30 hours. Just think about what would happen if someone walked into your office with a cloned keycard and used it to get inside. How much time and trouble would that cost you?
[update 1] our new post about cloning or copying ID prox cards
[update 2] our most read post about hacking HID
[update 3] understand how facility codes are programmed
[update 4] learn how access control systems work
[update 5] check out our review of HID Global