Unlocking Security Flaws: How Key Fob Cloners Expose Access Control Vulnerabilities

Important Update: A large share of the keycards used in commercial buildings can be cloned, because the protocols they rely on either transmit a static ID in the clear or use encryption that has been broken. For robust protection, consider access methods and access control products like Kisi, which use mobile credentials and 128-bit AES-encrypted cards.

Decoding Key Fob Cloning and Unveiling Keycard Vulnerabilities

In this comprehensive guide, we will delve into:

  • The widespread presence of RFID technology.
  • The mechanics of copying access credentials using a Key Fob Cloner like Flipper Zero.
  • A straightforward, step-by-step method to clone your 125kHz office access cards in under a minute, detailing necessary equipment.
  • An advanced guide on cloning more secure 13.56MHz cards, outlining the specific tools required.

Essentially, you’ll gain a practical understanding of how key fob cloning works, whether with an NFC-capable phone or a dedicated RFID cloner, right from your workspace.

The Pervasive Impact of RFID Key Fobs and Cards

The Radio-Frequency Identification (RFID) market is substantial, with IDTechEx valuing it at $12.8 billion in 2022. Near Field Communication (NFC) technology, closely related to RFID, reached $23.1 billion in the same period.

This extensive market encompasses tags, readers, and software for both RFID cards and key fobs across various applications. Projections estimate the RFID market will grow to $31.5 billion by 2031, a compound annual growth rate (CAGR) of 10.2% from 2022. The security sector has been significantly transformed by these technological advancements.

Door security, for instance, has progressed from traditional locks and keys to RFID-enabled cards and fobs, and now to mobile credentials accessible via smartphones. Electric locks are integral to this evolution. However, this rapid technological progress necessitates continuous adaptation to counter potential security threats.

Every new technology, upon its public release, inherently becomes a target for manipulation and exploitation. A prime example is the weakness of low-frequency RFID tags, which became widely publicized around 2013. By then, 125kHz RFID technology was in use across industries, including tech companies and hospitals, for door access secured by electric locks.

Many systems relied on EM4100-protocol cards (a common 125kHz type) or similar CMOS IC-based tags. These hold a fixed 40-bit identifier and transmit it, unencrypted and without any authentication, to any reader that energizes them. This posed a significant risk, especially for organizations handling sensitive data, because anyone who captures those bits can write them to a blank rewritable tag with readily available equipment and obtain a working duplicate.

Understanding Access Card Copying Techniques

Our previous articles have explored vulnerabilities in HID cards and the Wiegand protocol used by HID readers, detailing how HID card cloners can exploit these weaknesses. This article offers a more accessible, less technical overview of access card copying methods.

Leveraging the Flipper Zero Key Fob Cloner for Credential Copying

HID readers are known to be vulnerable, often compromisable in under a minute. The keycards and fobs associated with these systems are even more susceptible. A malicious actor only needs brief proximity to your card to compromise your secured access points.

The Flipper Zero is a compact, easily concealed handheld device that functions as a versatile key fob cloner. It can read, store and emulate 125kHz RFID, 13.56MHz NFC, Sub-GHz and infrared signals, and it has gained notoriety as a hacking tool that exposes weaknesses in outdated security systems.


While videos showcasing the Flipper Zero’s ability to perform harmless pranks like turning off TVs have gone viral, its capabilities extend to serious security breaches. It starkly illustrates the obsolescence of many keycard and reader systems in current access control infrastructures.

Low-frequency cards can only be read from a few centimetres away, but that is enough: with momentary proximity, the Flipper Zero can silently read keycard credentials through a wallet or a pocket. Someone standing next to you could copy your access card without your awareness. The stored data then lets the Flipper Zero emulate the original card, granting unauthorized access.

A reader that only checks a static card number cannot differentiate between a Flipper Zero and a legitimate card. This allows wrongdoers not only to emulate cards but also to encode the captured data onto blank cards, creating duplicate keycards for illicit use.

Relying on outdated technology for security is increasingly risky given the ease and speed of such attacks. Upgrading to a modern, cloud-based access control system like Kisi can significantly enhance your security posture and provide a more user-friendly access experience. Explore cloud-based access control solutions to learn more.

Legacy Methods: Cloning 125kHz Cards the Old Way

Certain readers can easily extract the ID from 125kHz EM4100 cards or similar protocol chips and transfer this data to another card or fob. Francis Brown, a security expert at Bishop Fox, demonstrated this vulnerability in 2013. He developed an Arduino-based reader/writer to prove how easily 125kHz tags and fobs could be copied.

Despite the decade since Brown’s demonstration and the availability of more secure, higher-frequency standards, many organizations still use vulnerable 125kHz EM4100 systems, making them prime targets for key fob cloning attacks.

Modern Key Fob Cloning: Using an RFID Copier for 125kHz Cards

A “Handheld RFID Writer,” readily available for purchase online for under $10, simplifies the cloning of 125kHz cards. Here’s how it operates:

  • Power on the device, hold an EM4100-compatible card or fob against the antenna side and press ‘Read.’
  • A beep confirms the ID has been captured. Swap in a blank rewritable tag (these cloners ship with T5577-based tags, which can be configured to emulate EM4100) and press ‘Write.’
  • The original tag’s 40-bit ID is written to the blank, which from then on answers a reader exactly like the original.

This process is remarkably simple, as demonstrated in numerous online videos.
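The following is an added example, not code from the original article or from any cloner vendor. It models in Python what the Read and Write steps above actually copy: the EM4100 frame format (nine header ones, ten rows of four data bits each followed by an even parity bit, four column parity bits and a zero stop bit), which the tag loops continuously. The identity value and the captured bit stream are constructed for the example; `find_identity` is the Read step (locating a complete frame in a capture that starts mid-frame) and `encode_em4100` of the recovered identity is what gets written to the blank.

```python
"""EM4100 frame encoder/decoder (added example, not from the original article).

An EM4100 tag holds a fixed 40-bit identity (8-bit customer/version byte +
32-bit serial) and, once powered by the reader's field, loops the same 64-bit
frame forever. Nothing is secret and nothing is challenged, so capturing the
bits is the whole attack; the blank tag is then programmed to replay them."""
from typing import Optional, Tuple

HEADER = "1" * 9   # nine consecutive ones cannot occur anywhere else in a valid frame
FRAME_BITS = 64


def encode_em4100(ident: int) -> str:
    """Build the 64-bit frame (string of '0'/'1') for a 40-bit identity."""
    if not 0 <= ident < (1 << 40):
        raise ValueError("EM4100 identity must fit in 40 bits")
    nibbles = [(ident >> (4 * (9 - i))) & 0xF for i in range(10)]  # most significant first
    bits = HEADER
    for n in nibbles:
        row = f"{n:04b}"
        bits += row + str(row.count("1") % 2)  # even parity over the 4 data bits
    for col in range(4):  # even parity down each of the 4 columns
        ones = sum((n >> (3 - col)) & 1 for n in nibbles)
        bits += str(ones % 2)
    return bits + "0"  # stop bit


def decode_em4100(frame: str) -> Optional[int]:
    """Return the identity carried by a 64-bit frame, or None if framing or parity fails."""
    if len(frame) != FRAME_BITS or not frame.startswith(HEADER) or frame[-1] != "0":
        return None
    nibbles = []
    for r in range(10):
        row, parity = frame[9 + 5 * r: 13 + 5 * r], frame[13 + 5 * r]
        if str(row.count("1") % 2) != parity:
            return None
        nibbles.append(int(row, 2))
    for col in range(4):
        ones = sum((n >> (3 - col)) & 1 for n in nibbles)
        if str(ones % 2) != frame[59 + col]:
            return None
    ident = 0
    for n in nibbles:
        ident = (ident << 4) | n
    return ident


def find_identity(stream: str) -> Optional[int]:
    """The 'Read' step: scan a captured bit stream, which may start mid-frame,
    for the first frame that passes all parity checks. Because the tag repeats,
    any capture of at least 128 bits contains a complete frame."""
    start = 0
    while (pos := stream.find(HEADER, start)) != -1:
        ident = decode_em4100(stream[pos:pos + FRAME_BITS])
        if ident is not None:
            return ident
        start = pos + 1
    return None


def split_identity(ident: int) -> Tuple[int, int]:
    """Split a 40-bit identity into its customer/version byte and 32-bit serial."""
    return ident >> 32, ident & 0xFFFFFFFF


if __name__ == "__main__":
    original = 0x1D1234ABCD                      # constructed sample identity
    frame = encode_em4100(original)
    capture = (frame * 3)[17:17 + 128]           # constructed capture starting mid-frame
    recovered = find_identity(capture)
    print(f"captured identity: {recovered:010X}", split_identity(recovered))
    # The 'Write' step programs the blank to loop exactly this frame.
    print("frame written to blank matches original:", encode_em4100(recovered) == frame)
```

The parity bits only protect against read errors; they add no secrecy, which is why a single captured frame is sufficient to produce a clone.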

The ease of cloning access cards and RFID key fobs has been a known vulnerability for years.

Advanced Cloning: Copying HID Cards and Integrating with Smartphones

The ability to copy access credentials has long been a topic of interest, with questions like “How can a mobile’s NFC be used as an HID proximity card?” and “Can the iPhone 6’s NFC transmitter function as a contactless card reader?”.

This section focuses on cloning typical 13.56 MHz HID cards, which are generally considered more challenging to copy.

Enhanced Security of 13.56MHz Cards

The higher carrier frequency of 13.56 MHz cards supports a far higher data rate than 125kHz, which makes it practical to run a challenge-response authentication between card and reader instead of broadcasting a static ID. Only the card’s UID is exchanged in the clear while the reader selects the card; the memory sectors that hold the actual credential are released only after the reader authenticates with the correct key.

Techniques for Cloning 13.56MHz Cards

Accessing the protected sectors of a 13.56MHz card requires the key for each sector. How much protection that gives depends on the card family: Mifare Classic uses NXP’s proprietary Crypto1 cipher, which was reverse engineered and broken in 2007–2008, so an attacker with a reader can recover sector keys and clone the card even when the keys have been changed from the defaults. Cards such as Mifare DESFire use standard 3DES or AES and do not share that weakness.

The NFC chip in most modern smartphones can read these cards. Reading Mifare Classic specifically requires an NFC controller that supports it (NXP-based phones do; many others do not), and writing a clone requires a blank card that accepts a new UID.

If you prefer not to buy additional hardware, the following section shows how to clone cards using only a smartphone and a dedicated app.

Mobile Key Fob Cloning: Cloning Mifare NFC Cards with a Smartphone

While previous methods, like the BlackHat guide, are effective, they can be complex and time-consuming.

Cloning Mifare Classic 1K cards can be achieved more simply using an NFC-enabled Android smartphone. This method underscores how easily company security can be breached if relying on these card types. For a deeper understanding of RFID security systems, refer to our comprehensive guide.

The “Mifare Classic Tool” app for Android is designed for this purpose. Enable NFC in your phone settings; the app can then read any card whose sectors still use the manufacturer default keys.

Step-by-Step App-Based Card Cloning

The app tries a built-in list of well-known default keys (FFFFFFFFFFFF, A0A1A2A3A4A5, D3F7D3F7D3F7 and others) against every sector. Surprisingly, many deployments never change these keys. Tim Theeuwes offers an excellent guide on smartphone-based NFC card cloning. The following images illustrate the process from his guide.

Hacking NFC via a Mobile App

Once a card or fob is read, its sectors are saved to a dump file, which the app can write back onto a blank card either sector by sector or all at once. Sector 0 is the critical one: its first block holds the UID, the BCC check byte, SAK and ATQA bytes and manufacturer data. On genuine Mifare Classic cards that block is read-only, so writing it requires a “magic” card with a changeable UID; with one of those, a reader that only checks the UID will accept the clone. Readers that also authenticate to a sector with a key need the rest of the dump as well, which the app can only capture if the keys were recoverable.
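As an added example (not code from the original article or from the Mifare Classic Tool app), the Python below audits a Mifare Classic 1K dump the way a site would before deciding whether its cards are still cloneable with a phone: it parses all 64 blocks, verifies the BCC check byte in block 0 that a clone must reproduce, extracts key A and key B from each sector trailer, and lists every sector still protected by one of the default keys that cloning apps try first. The dump format (one 32-hex-digit block per line), the default key list, the UID and the keys are all constructed for the example.

```python
"""MIFARE Classic 1K dump audit (added example, not from the original article).

A 1K card is 16 sectors x 4 blocks x 16 bytes. The last block of each sector
is the trailer: KeyA[6] access bits[4] KeyB[6]. Block 0 of sector 0 holds
UID[4] BCC SAK ATQA[2] manufacturer[8] and is read-only on genuine cards."""
from typing import Dict, List, Optional, Tuple

# Keys that Mifare Classic Tool and similar tools try by default (constructed subset).
DEFAULT_KEYS = {
    "FFFFFFFFFFFF",  # factory (transport) key
    "000000000000",
    "A0A1A2A3A4A5",  # MIFARE Application Directory key A
    "D3F7D3F7D3F7",  # NFC Forum NDEF key
    "B0B1B2B3B4B5",
    "AABBCCDDEEFF",
}
SECTORS_1K, BLOCKS_PER_SECTOR, BLOCK_LEN = 16, 4, 16
TRANSPORT_ACCESS_BITS = "FF078069"  # factory default access conditions


def parse_dump(text: str) -> List[bytes]:
    """One 32-hex-digit line per block; blank lines ignored."""
    blocks = [bytes.fromhex(line.strip()) for line in text.splitlines() if line.strip()]
    if len(blocks) != SECTORS_1K * BLOCKS_PER_SECTOR or any(len(b) != BLOCK_LEN for b in blocks):
        raise ValueError("expected 64 blocks of 16 bytes for a MIFARE Classic 1K")
    return blocks


def uid_check(block0: bytes) -> Tuple[str, bool]:
    """Return (UID hex, BCC valid). BCC must equal the XOR of the four UID bytes;
    a clone whose block 0 carries the wrong BCC is rejected during card selection."""
    uid, bcc = block0[:4], block0[4]
    return uid.hex().upper(), bcc == (uid[0] ^ uid[1] ^ uid[2] ^ uid[3])


def sector_keys(blocks: List[bytes]) -> Dict[int, Tuple[str, str]]:
    """Key A and key B from each sector trailer, as upper-case hex."""
    keys = {}
    for s in range(SECTORS_1K):
        trailer = blocks[s * BLOCKS_PER_SECTOR + BLOCKS_PER_SECTOR - 1]
        keys[s] = (trailer[:6].hex().upper(), trailer[10:].hex().upper())
    return keys


def audit(text: str) -> dict:
    """Which sectors would a default-key cloning app read, and is block 0 consistent?"""
    blocks = parse_dump(text)
    uid, bcc_ok = uid_check(blocks[0])
    weak = sorted(s for s, (ka, kb) in sector_keys(blocks).items()
                  if ka in DEFAULT_KEYS or kb in DEFAULT_KEYS)
    return {"uid": uid, "bcc_ok": bcc_ok, "default_key_sectors": weak,
            "fully_cloneable_with_defaults": len(weak) == SECTORS_1K}


def build_sample_dump(uid: bytes, keys: Optional[Dict[int, Tuple[str, str]]] = None) -> str:
    """Constructed dump for the example: factory keys everywhere unless overridden,
    zeroed data blocks, block 0 synthesized from the UID (SAK 08, ATQA 0004)."""
    keys = keys or {}
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    block0 = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)
    lines = []
    for s in range(SECTORS_1K):
        ka, kb = keys.get(s, ("FFFFFFFFFFFF", "FFFFFFFFFFFF"))
        for b in range(BLOCKS_PER_SECTOR - 1):
            lines.append(block0.hex() if s == 0 and b == 0 else "00" * BLOCK_LEN)
        lines.append(ka + TRANSPORT_ACCESS_BITS + kb)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed card: UID DEADBEEF, every sector on factory keys except sector 15.
    dump = build_sample_dump(bytes.fromhex("DEADBEEF"),
                             {15: ("0123456789AB", "CBA987654321")})
    print(audit(dump))
```

A card that reports any sector in `default_key_sectors` is readable by the app without any key recovery; a card whose credential lives only in a re-keyed sector forces the attacker back to the Crypto1 attacks, which still work but need more than a phone. Note that the UID-only check is independent of keys: if the reader accepts the UID alone, re-keying the sectors does not help.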

The Kisi Reader Pro employs Mifare DESFire EV1 2K NFC cards, which are among the most secure NFC cards available: they authenticate with standard AES or 3DES rather than Mifare Classic’s broken Crypto1, and address the weaknesses found in the original Mifare DESFire.

Consider upgrading to mobile credentials and 128-bit AES-encrypted NFC cards for superior security. Explore our mobile access control system or contact us for more information. For a broader understanding of access control systems, download our free PDF guide.

Seeking Robust Access Control Solutions?

Request a quote on our website to discover secure access control options.
