blog
Open Menu
Product
Solutions
Resources
PrIcing
Guide Downloads
How to Guide

Step-by-Step Tutorial: How to Copy or Clone Access Cards and Key Fobs

By Bernhard Mehl
May 23, 2018

⚠️Important Update: Nearly 80% of all keycards used within commercial facilities may be prone to hacking due to protocol vulnerabilities. Kisi's 128bit AES encrypted passes and tags are designed to protect your business from such threats: learn more here.

How We Copied Key Fobs and Found Vulnerabilities in Keycards:

In this post you'll learn:

  • How many RFID cards exist
  • The best ways to copy your office 125khz access cards with step-by-step instructions in LESS than 1 minute (including the tools you need)
  • Another step-by-step guide on how the more advanced 13.56MHz cards can be copied (and, of course, which equipment you need)

Basically that means you’ll learn how to clone cards (NFC or RFID cloner) at your office desk!

5d08d831370a895c58eec465
template-9
container

The Impact of RFID Cards

IDTechEx found that in 2015, the total RFID market was worth $10.1 billion. The parent directory for NFC was estimated a $10.1 billion — from $9.5 billion in 2014, and $8.8 billion in 2013.

This market sizing includes all the tags, readers and software designed for RFID cards, including all form factors. IDTechEx states that the market is estimated to rise to $13.2 billion by 2020. The security industry has experienced a major overhaul with advances in technology. For example, door security has evolved from simple pad locks and keys to RFID-enabled cards and fobs that can be swiped and triggered, as well as using electric locks to open doors. While this technology is amazing, it requires constant evolution and adaptation to defend against malicious users.

Any new technology, from the moment it is introduced to the general public, is vulnerable to manipulation and hacking by malicious users. A good example of this is RFID tags in 2013. At the time, RFID technology had spread like wildfire across many sectors — tech companies, hospitals, and more were using 125khz cards to access door secured with electric locks. Most were using the EM4100 protocol card (a type of 125khz card) or a CMOS IC-based card, which had the information about the tag or fob stored openly. Since these ICs had no encryption or authentication, they would broadcast their information as soon as a reader was nearby. This posed a huge security risk to companies dealing with sensitive information and products. Essentially, anyone with the right equipment could steal or replicate these cards and fobs, whether they were authorized or not.

Interested in access control? Download our free Introduction to Access Control Guide!

I get it — these cards are out there, how can they be copied?

Previous posts on our blog explore how HID cards can be hacked and how the Wiegand protocol, used by HID readers, can be copied by HID card cloners. This post doesn’t go into as much technical depth but, rather, should be a fast and easy way for you to understand the card copying component.

How to Copy 125khz Cards — the Old Way:

A reader, like the one seen here, can easily copy the ID of an existing 125khz EM4100, or a similar type of protocol chip, and copy it to another card or fob. One of the first people to attack this security standard, in 2013, was Francis Brown—managing partner at the security firm, Bishop Fox. Brown set out to deliberately test the security of the standard and developed an Arduino powered reader/writer that could copy existing 125khz tags and fobs.

RFID Cloner

It's now been five years since Brown developed his tool to hack into these systems and plenty of companies have switched to a more secure, higher frequency standard; however, there are still many businesses that have not updated and still use the 125khz EM4100 cards and fobs, which makes them very vulnerable to attacks.

How to copy 125khz cards with an RFID copier—it's as easy as printing an email!

The “Handheld RFID Writer” (buy one here for as little as $11) works like this:

  • Turn on the device and hold a compatible EM4100 card or fob to the side facing the hand grip and click on the “Read” button.
  • The device will then beep if it succeeds, now replace the copied tag with an empty tag and press “Write”
  • The information stored on the original tag or fob will then be copied onto the new device

Done! Don’t believe how easy it is? Here’s a video to show you:

 

That’s how easy it is to copy or clone an access card or key fob.

How to copy HID cards and get them on your phone

People ask questions like: “How can a mobile’s NFC be used as an HID proximity card (used at the doors of a corporate office)?“ and “Is the iPhone 6’s NFC transmitter capable of being used as a contactless card reader?” and so on. 

In the following segment, we’ll focus on your typical HID card, which works off of 13.56 MHz and is a bit more advanced to copy:

Why are these cards more difficult to copy?

Since the frequency is significantly higher, compared to the 125 KHz version, the amount of bits that can be sent per second is significantly higher. That means the data on the chip to be encrypted will be greater, rendering it more secure. Now that encryption is available for these cards, the way they communicate with a reader device is to send out a signal and the reader reads it. Unlike before, however, it no longer advertises all of its data; instead, it only broadcasts data that is public—like its ID and name.

Ok, I get it—they're difficult to copy, but how do we copy them?

To access sensitive information, you have to provide that sector of memory with the right key—otherwise, it will show up blank. Even though these cards are a lot more secure, once you know the encryption algorithm you can decrypt them and access the sensitive information. With that, people can also clone these cards relatively easily.

NFC reader / writer

Since most Android smart phones running the Android OS have NFC on them, reading these cards and, in certain cases cloning them, is easy.

—(If you don’t want to order equipment on Ebay, skip over this part and learn how to copy the card using a smartphone and an app)—

  1. Prepare to copy your HID cards—the tools you need: To get started, we need a few cheap components from Ebay—it’s sold under “NFC reader.” You can also check the NFC reader on Alibaba if you need higher volumes. I got my NFC reader/writer on NewEgg, which lists it as “NFC ACR122U RFID” reader/writer tool. It runs on Windows, Mac, and most Linux systems.
  2. Once you have the copy tool, you need a Windows-based computer. Install its drivers and start using it. You’ll also need a computer to run the software and, following this guide, you can clone Mifare Classic 1K Cards. Here’s the BlackHat Guide.

 

Hold on! I hope you didn’t order the NFC reader yet, because if you have an Android you can also do it with your phone!

Cloning Mifare NFC cards with a mobile phone:

Here's the easiest way to copy NFC cards to phone:

Although the BlackHat guide works well it can be a bit frustrating to use, since you have to get some components together and hack away at a guide for an hour or two to see some results.

The easiest way to clone Mifare NFC Classic 1K Cards is by using an Android smartphone with NFC capabilities. That’s right, your cellphone can be used to compromise the security of a company if they are using these types of cards (RFID security system). Just download the “Mifare Classic Tool” for Android. Pro Tip: It took me a while to figure out why it doesn’t work, but of course you need to turn on NFC. Go to your settings and search for NFC, make sure to enable it. Now we can start cloning cards that have never changed their default sector password.

How the app is used to copy the card:

The app comes with the default keys set by the manufacturer of NFC cards, you would not believe how many people never bother to change this. Tim Theeuwes has a great guide on how to clone NFC cards using your NFC-enabled smartphone. The following images are from his guide, which can be found here.

Clone NFC via app
Clone NFC via app

Clone NFC via an app:

Once we have read the key or fob we want, we can store all of the information onto a file. We can then use this information and write it back onto an empty card, essentially cloning the original or fob. Figure 5 below shows the “Write Sector” portion of the app, in which you can write individual sectors or write all of them. The important sector to keep in mind is sector 0 as it is what contains the UID and manufacturer's data, basically if you copy sector 0 to another fob then you’ve made a copy.

The Kisi Reader Pro uses the Mifare Desfire EV1 2K NFC cards, these are some of the most secure NFC cards out today. They provide an added level of security to the already existing Mifare Desfire NFC cards, making them incredibly secure.

If you want to know how we at Kisi use mobile credential and 128bit AES-encrypted NFC cards, check this overview of our mobile access control system or get in touch with us. If you are more interested in how access systems work then download our free PDF guide.

Bernhard Mehl

Bernhard is the co-founder and CEO of Kisi. His philosophy, "security is awesome," is contagious among tech-enabled companies.

Related Articles

Any HID Proximity Keycard Can Easily Be Hacked Using A $10 device
December 4, 2018
How to Open a Cannabis Dispensary in California
July 13, 2019
bettercloud
Seamless employee on-and off-boarding
August 23, 2018
Fail Safe vs Fail Secure
Best Resources
Access Control - Sample RFP
Physical Security Assessments
Mobile Access News
Employee Spotlight - Karen
Smart Door Alerts
Digital Employee Badge
Chat with Founders
Device Management
Hacking HID Keycard with $10 Device
Hacking HID with Wiegand Protocol Vulnerability
Copy prox HID ID Card
Workplace Tool Deployment
Access Control API
WiFi Speed Test Apps
Communication Protocols Used by IoT
Kisi for Slack
Building a Slack Doorbell
AC Installation Costs and Price per Door
Name Badge Templates
HIPAA Compliant
Cutting Slack
Solutions for Old Key Fobs
SEO for Coworking Space Websites in 2019
Office Security
IoT in Physical Security
Smart Locks Hacked By Bluetooth
Beacon Security Issues
Running a Successful Coworking Space
Kisi iOS 4.0.0 Release
IT Budget Planning
3 Tips for Coworking Spaces
Choosing Electrical Contractor
NICU Security
Signs to Change Access Control
Top 3 Safety and Security Tips for Airbnb Hosts
What is IoT?
Microchip Tagging Oneself
Office Design Productivity
7 Tips to Prevent Cloud Security Threats
Coworking vs Facility Management
Benefits of Cloud Access Control
Avoiding Locksmith Scams
10 Cloud Tools
Carrying Out Vendor Security Assessments
Ultimate Real Estate Apps Guide
6 Layers of Security Your IoT Setup Needs
Internet Of Things in the Workplace
2018 Most Influential People in Coworking
Top HR Influencers to Watch in 2018
Employee Spotlight - Jorge
Types of Physical Security Threats
HID Card Types
Remote IT Management
Identity Access Management Tools
Access Control System Maintenance
How Do Hotel Key Cards Work
Physical and Cyber Security Convergence
How to Set Up Your Enterprise WiFi
Step-by-Step Tutorial: How to Copy or Clone Access Cards and Key Fobs
GDPR Public Announcement
How to Calculate Facility Code Using Card Bit Calculators
Authentication Protocol Overview: OAuth2, SAML, LDAP, RADIUS, Kerberos
How to Avoid a Demagnetized Key Card or Key Fob
HID iClass SE Reader - Take a look inside the components | Kisi
How to Share Your Company WiFi Password Securely
Equipment Leasing Models
Magnetic door lock troubleshooting
On and Offboarding
Employee Spotlight - Alberto
Door Entry System Options For Gyms
Church Security Policy and Procedures
School Security, Safety and Access Control for Plan Education
Hospital Access Control
Employee Spotlight - Nate
3 Types of Cloud Access Control for Elevators Using Kisi
The 2 Burglar Alarm Options for Offices: Simplified With Kisi’s Access Control
Employee Spotlight - Jamie
How IoT Drives the Convergence of Cyber and Physical Security
How Security Can Increase the Revenue at Your Shared Workspace
Kisi Implements Free Access Card Security Test
Converting Corporate Headquarters to Coworking With 24/7 Access Control
Interview With Workspace Strategies
Keyless Access Control for Flexible Workspaces
Using Kisi With Fire Alarms
iWatch Series 4 Release: Did You See That Apple Door Reader?
Internet of Things Technologies in Smart Buildings for Flexible Workspaces
Kisi Named to Inc. 500 List of Fastest Growing Companies
IoT Marks the Convergence of Physical Security and Cybersecurity
The Future of Self-Storage: Q&A With StoreMe
How to Design and Equip a Best-in-Class Conference Room
The IT Experience on Becoming a Certified Google Administrator
Using Modular and Flex Spaces to Foster Collaboration
Security, Scalability and Growth: Toward a Comprehensive IT Strategy
Employee Spotlight: Mateusz
Daycare Security Measures: Door Locks, Unauthorized Access and Security Breaches
Everything You Need to Know About Warehouse Security
Synagogue Security Plan and Safety Procedures
Cannabis Security Plan
Access Control Basics
How to Guide