You might have heard the stories or seen the YouTube videos of random people hacking electronic access control systems.
The tools that claim to do this are available widely, including at eBay for just $30 [link no longer available].
We bought one of these cheap gadgets, shown below:
Inside, find our full test results, including a demo video of how easy it is to do, how widely these cards are deployed, and what steps you can take to cut the risk.
- 500 SMART CARD READER WRITER. The Smart Card Reader/Writer will allow you to change the information on a smart card. It connects to your computer, either personal or laptop, and runs using software. You must be running Windows 95/98/ME/XP, etc. Use of the device is straightforward. First, turn on your computer and run the software.
- An example of a contact smart card is a credit card that has the smart chip implanted in its plastic. Whenever the credit card is swiped, the reader will be able to access data from the smart card. Smart card readers mainly act as a medium between a computer or a terminal to the smart card.
- The Virtual Smart Card Architecture provides software to emulate smart cards and a smart card reader. The virtual smart card is internally accessible as PC/SC reader and externally as USB CCID reader or through a contactless smart card.
Smart Card Hack free download - Smart Defrag, SCR3310 USB Smart Card Reader drivers, Ralink 802.11n Wireless LAN Card, and many more programs.
Easy HID Card Copies
Our demo video below shows how the $30 copier can be used in seconds to spoof HID 125kHz formatted access cards:
In our test, we copied multiple 125 kHz formats and tested them on multiple readers. While very cheap, the card copier did not malfunction or create corrupted copies in any of the 15+ cards we copied.
The Big Risk
Get Notified of Video Surveillance Breaking News
Indeed, to access control systems, these copies look identical to legit cards. The screenshot below, for our test shows that multiple copies are indistinguishable from the HID factory original:
The risk is that unauthorized copies can be made and used to gain access, with no outward sign or record of being a duplicate.
Formats Matter
One specific caveat to this test: not all card types and formats are at risk. This particular tool can be used to copy 125kHz card types, including popular HID Prox, ISOProx, and Prox II formats, and several others commonly used in access control such as EM4100 and AWID formats.
Specifically this tool cannot copy any 13.56MHz 'Smartcard' formats like HID iClass, or DESFire/MIFARE varieties. One of the major differences between those formats is 13.56MHz formats are encrypted and the data they hold must be first decoded by the companion reader with a specific 'key' value, otherwise the information they transmit in open air is heavily hashed and obscured.
However, most 125kHz formats are simply not encrypted at all. This means the process of copying them simply energizes the card, and stores the information it broadcasts. Card details are stored on the card exactly as the system uses them, so sensitive card numbers and facility codes are easy to pull from thin air.
Vulnerable 125 kHz Common
Despite the risks of unsecured 125 kHz cards and fobs, they are commonly used and even preferred by many installers and end users. In our Favorite Access Control Credentials 2016, those vulnerable types command 32% of the favorite votes:
Indeed, these credentials vulnerable to copiers are still used in tens of thousands of systems, with millions of issued credentials circulating every day.
Cheap & Easy To Get
The copier we tested was purchased for $30 shipped [link no longer available]. Overall, the price of the unit tested was slightly higher due to the configuration of copying HID formats, but units as low as $10 [link no longer available] can be purchased to copy basic EM4100 formats alone.
The kit we purchased was shipped with several blank re-writable keyfobs, but were not a suitable blank format needed to copy HID cards. So we bought a box of HID compatible card formats (T5557) for $0.35 cents each, for a total test package costing less than $45.
The chilling lesson is these products are very inexpensive, readily available, and sold by multiple vendors eager to ship next day with no questions asked to anyone, crook or honest.
How It Works
The device used to copy the cards works much the same way as normal card readers, with transceiver coil, power supply, IC chip, buzzer and even LEDs components shared by both:
Given the principal operation of contactless card readers, the copier excites the coil and delivers power wirelessly to the card, which then momentarily stores energy and then uses it to broadcast card details back to the copier. The image below shows a transparent example of a card, revealing all these components:
The copier includes a small amount of memory to store those details, and then pushes them to a blank card, writing them permanently as a copy.
Near Contact Required
One particular factor of this unit are cards to be copied must be held close to the copying antenna to work, a distance of less than 1'. This is somewhat a benefit to cardholders, because someone bent on stealing and spoofing card details must be very close to do it.
However, the time needed to steal the information is fast - less than 5 seconds, and it is conceivable that someone could have card details copied and stolen without realizing it, especially in crowded groups of people.
But the method used by this device is available in other forms functional at longer distances - some claiming 5 feet range or more and often using modified off-the-shelf long range readers:
These longer range copiers are much more expensive ($500+ vs. $30), physically larger, and require more power than 2 AA batteries. However, carrying the components covertly in a backpack or briefcase means that those stealing cards can just blend in better with crowds.
Mitigating This Risk
So what can be done to prevent this exploit? The most straightforward step is to discontinue using HID (or any) 125 kHz cards, fobs, and readers and switch to encrypted and hashed 13.56 MHz formats. For more details, see our Hackable 125kHz Access Control Migration Guide.
Given current pricing, the higher frequency types are more expensive, but only a modest 15% - 25% more, and frequently offered at pricing the same or under the less secure 125 kHz types.
“We found flaws in widely-used ATMs from the largest manufacturers,” the paper said. “We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit.” the paper said.
Smart Card Software Download
EMV devices generate the so-called “unpredictable numbers” (UNs) for every transaction, but the experts claimed that payment machines fail to properly generate random numbers that are required by the EMV protocol to securely authenticate transaction requests for Chip-and-Pin cards.
“This variant of the pre-play attack may be carried out by malware in an ATM or POS terminal, or by a man-in-the-middle between the terminal and the acquirer,” the paper said.
“The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say ‘Verified by PIN’.” the researchers explained.
Smart Card Reader Writer Software
Smart Card Writer Software Hacks Free
(Security Affairs – Chip-and-PIN cards, cybercrime)