How I copied key fobs and found vulnerabilities in keycards

In this post I’d like to show you:

• How many RFID cards are out there
• The best ways to copy your office 125khz access cards with a step-by-step instruction in LESS than 1 minute (*including the tools you need)
• Another step-by-step guide on how the more advanced 13.56MHz cards can be copied (and of course which equipment you need)

Basically that means you’ll learn how to clone cards (NFC or RFID) on your office desk!

How many RFID cards are out there – the threat

Skip this part if you’re looking for the instructions on how to clone or copy cards.

IDTechEx find that in 2015, the total RFID market is worth $10.1 billion. (source) This is up from $9.5 billion in 2015 the market worth of RFID. The parent directory for NFC was estimated to be worth $10.1 Billion dollars. Again, up from $9.5 billion dollars in 2014, and $8.8 billion in 2013.

This market sizing includes all tags, readers and the software designed for RFID cards, including all form factors. IDTechEx states that the market is estimated to rise to 13.2 billion by 2020. With the modern advances in technology security has seen a big overhaul. We have gone from simple pad locks and keys to RFID enabled cards and flops that can be swiped and trigger and electric lock to open a door. While the technology is really amazing we have to be constantly evolving if we want to stay on top of threats.

Every time there is a new piece of technology there are those with the knowledge and bad intentions to use it for their own gains. A good example of this was RFID tags in 2013, by this time the technology had spread like wildfire and all from technology companies to hospitals where using 125khz cards. These were using the EM4100 protocol card (a type of 125khz card) a CMOS IC based card, were the information about the tag or fob was stored. Since these ICs had no sort of encryption or authentication what they would do is start to broadcast their information as soon as a reader was nearby.

So I get it -- these cards are out there, how can they be copied?

We are now entering the part where we explain step-by-step how to copy these 125 khz access cards can be copied. Previous posts written by the Kisi community, explore how HID cards can be hacked or the Wiegand protocol used by HID readers can be copied. This post doesn’t go so much in depth on the technical side but should rather be a fast and easy way for you to understand purely the copying card part.

How to copy 125khz cards – the old way

Such reader as the one seen here, can easily copy the id of an existing 125khz EM4100 or similar type protocol chip and copy to another card or fob. One of the first people to attack this security standard was broken by Francis Brown, managing partner at security firm Bishop Foxback in 2013 at Blackhat (here are the slides). Brown set out to deliberately test the security of the standard and developed an Arduino powered reader/Writer that could copy existing 125khz tags and fobs.

Now its been 3 years since Brown developed his tool to hack into these systems and plenty if companies have been switched to a more secure higher frequency standard. Even still there are quite a few businesses that habe not updated and still use the 125khz EM4100 cards and fobs, which makes them very vulnerable to attacks.

How to copy 125khz cards with an RFID copier – as easy as printing an email!

The “Handheld RFID Writer” (buy here on ebay under the search term RFID copier) works as following:

• you turn on the device and hold a compatible EM4100 card or fob to the side facing the hand grip and click on the “Read” button.
• The device will then beep if it succeeds, now replace the copied tag with an empty tag and press “Write”.
• The information stored on the original tag or fob will then be copied on to the new device.

Done! Don’t believe how easy it is? Here’s a video to show you:

That’s how easily you can copy these cards now a days, using a device that costs less than $20.

How to copy HID cards and get them on your phone

I’ve read a few questions on quora which asked “How can a mobile’s NFC be used as an HID proximity card (used at the doors of corporate office)?“, “Is the iPhone 6’s NFC transmitter capable of being used as a contactless card reader?” and so on. 

In the following segment, we’ll focus on your typical HID card which works off of 13.56 MHz and is a bit more advanced to copy:

Why are these cards more difficult to copy?

Since the frequency is significantly higher compared to the 125 KHz version, the amount of bits that can be sent per second is significantly higher. That means the data on the chip to be encrypted thus making them more secure. Now that there is encryption available for these cards the way they communicate with a reader device is they send out a signal and the reader reads it. Unlike before however they no longer just advertise all of their data; instead they only advertise data that is public, like its id and name.

Ok I get it -- they are difficult to copy, but how do we copy them?

To access sensitive information you have to provide that sector of memory with the right key, else it will show up as blank. Even though these cards are a lot more secure once you know the encryption algorithm you can decrypt those keys and have access to the sensitive information. With that they can also clone these cards relatively easy.

Since most Android smart phones running the Android OS have NFC on them reading these cards and in certain cases clone them can be done relatively easy.

(if you don’t want to order stuff on ebay, jump over this part below and learn how to copy the card using a smartphone and an App!)

‍

1. Prepare to copy your HID cards – the tools you need: To get started we will first need a couple of cheap components which we can grab from our favorite security store Ebay – it’s sold under “NFC reader”. You can also check the NFC reader on our second favorite store Alibaba if you need higher volumes. In this case I got my NFC reader / writer tool on NewEgg which lists it as “NFC ACR122U RFID” reader/Writer tool. This tool runs on Windows/Mac, and most Linux distributions.
2. Once you have the copy tool, you need a Windows based computer, install its drivers and start using it. You’ll also need a computer to run the software and following the following guide you can clone Mifare classic 1k Cards. Here’s the BlackHat Guide

Hold on! I hope you didn’t order the NFC reader as of yet, because if you have an Android, you can also do it with your phone!

‍

‍

‍

Cloning Mifare NFC cards with a mobile phone

Thanks for reading till here, this is the easiest way to copy HID cards:

Although the BlackHat guide works really well it can be a bit frustrating to use since you have to get some components together and hack way at a guide for an hour or two to see some results.

The easiest way to clone Mifare NFC classic 1k cards is by using an Android smartphone with NFC capabilities. That’s right, your cellphone can be used to take compromise the security of a company if they are using these types of cards. Just download the “Mifare Classic Tool” for Android. Pro Tipp: It took me a while to figure out why it doesn’t work, but of course you need to turn on NFC. Go to your settings and search for NFC, making sure to enable it if it isn’t. Now we can start cloning cards which have never changed their default sector password.

How the App is used to copy the card

The app comes with the default keys set by the manufacturer of the NFC cards, you would not believe how many people never bother to change this. Tim Theeuwes has a great guide on how to get clone NFC cards using your NFC enabled smartphone. The following images are from his guide which can be found here.

Once we have read the key or fob we want we can store all of the information onto a file, we can then use this information and write it back to an empty card essentially cloning the original or fob. Figure 5 below shows the “Write Sector” portion of the app, in which you can write individual sectors or write all of them. The important sector to keep in mind is sector 0 as it is what contains the UID and manufacturers data, basically if you copy sector 0 to another fob then you’ve made a copy.

The Kisi Reader Pro uses the Mifare Desfire EV1 2k NFC cards, these are some of the most secure NFC cards out today. They provide an added level of security to the already existing Mifare Desfire NFC cards, making them incredibly secure.

If you want to know how we at Kisi use mobile credential and 128bit AES encrypted NFC cards, check out this video or get in touch with us via getkisi.com. If you are more generally interested in how access systems work – check out our guide.