Once you start looking, you will see RFID access control devices everywhere. Paired with an electrified lock and an access control card, these devices give security teams the ability to restrict access to authorized personnel. This is good security: only authorized cards can open these doors, and the systems often include finer-grained controls so that specific cards can only open specific doors.
Unfortunately, and this is an aspect of security that is often neglected, authorization does not mean authentication. These systems provide authorization: a card containing a specific sequence of bits is approved to unlock a door. They struggle with authenticating the individual who is presenting that card. They assume that if an authorized card is present, then the person holding it has already been authenticated by some other trusted party. This is the primary vulnerability in these systems.
Gear

To get started with RFID hacking, you will need a Proxmark3. This is a pretty robust tool that is essentially a controller for low-frequency and high-frequency antennas, with an incredible community developing its firmware.
You can buy the Proxmark3 here:
https://hackerwarehouse.com/product/proxmark3-rdv4-kit/.
This kit comes with everything you need to get started.
You will need a known good RFID access control badge and an access control system that you own. (Do not test these tools on systems you don’t have approval to bypass!) In my case I had an old low frequency card used to access an old apartment building and some iClass SEOS high frequency cards. If you are getting started, I suggest sticking with low frequency cards to get your feet wet as they are a little bit easier to bypass and clone.
Installation
This is where we get to the RTFM segment of this tutorial. Once you receive the Proxmark3, you will need to flash the firmware to the device and install the drivers and software on your computer. Depending on the operating system you are working on, follow the guides here:
https://github.com/Proxmark/proxmark3/wiki/Getting-Started
Use
If you are working as a security professional and you're looking to convince your boss to fund replacing your access control with a better system, this is where you'll get some real value. With my low-frequency Keri system, I was able to detect, read, and clone a card in two commands:


That is it. I now have two copies of the same card and as far as my access control system is concerned, both cards are identical. With a little bit of automation, a higher-powered antenna, and some social engineering, it would be trivial to collect the access control card information of a stranger. Or your boss while you’re in their office pitching an upgraded AC system.
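The two points above, that a static-ID controller authorizes a bit pattern rather than a person, and that a clone is therefore indistinguishable from the original at the reader, can be modelled in a few lines. The following Python is an added example, not code from this post or from the Proxmark3 project. It first shows a toy allowlist controller accepting any card with the right bits, then shows the one signal a defender still has after the fact: the event log. If one credential is granted at two readers closer in time than a person could walk between them, a second copy is probably in circulation. All card IDs, reader names, walk times and log lines are constructed for the example; the log format is an assumption, not any vendor's.

```python
"""Toy access-control model: static-ID authorization, then clone detection
from the event log. All identifiers and data below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# --- Part 1: authorization by bit pattern ---------------------------------

# Constructed card IDs mapped to the doors they may open.
ALLOWLIST: Dict[str, set] = {
    "0x2004F3B1A7": {"lobby", "server-room"},
    "0x2004F3B1C2": {"lobby"},
}


def authorize(card_id: str, door: str) -> bool:
    """Grant access if this bit pattern is permitted for this door.
    Nothing here establishes *who* presented the card, so a clone carrying
    the same bits is accepted exactly like the original."""
    return door in ALLOWLIST.get(card_id, set())


# --- Part 2: detecting one credential in two places at once ---------------

# Constructed minimum seconds a person needs to walk between two readers.
WALK_SECONDS: Dict[frozenset, int] = {
    frozenset({"lobby", "server-room"}): 60,
    frozenset({"lobby", "annex"}): 600,
    frozenset({"server-room", "annex"}): 600,
}


@dataclass
class Event:
    when: datetime
    card_id: str
    reader: str
    granted: bool


def parse_log(text: str) -> List[Event]:
    """Parse constructed '<ISO timestamp> <card_id> <reader> GRANT|DENY' lines,
    returned in time order."""
    events = []
    for line in text.strip().splitlines():
        ts, card, reader, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), card, reader, result == "GRANT"))
    return sorted(events, key=lambda e: e.when)


def find_impossible_travel(events: List[Event]) -> List[Tuple[str, str, str, datetime]]:
    """Flag a credential granted at two different readers faster than the
    configured walk time allows. Denied swipes do not move the credential."""
    alerts = []
    last: Dict[str, Event] = {}  # card_id -> most recent granted event
    for ev in events:
        if not ev.granted:
            continue
        prev = last.get(ev.card_id)
        if prev is not None and prev.reader != ev.reader:
            min_gap = WALK_SECONDS.get(frozenset({prev.reader, ev.reader}), 0)
            if ev.when - prev.when < timedelta(seconds=min_gap):
                alerts.append((ev.card_id, prev.reader, ev.reader, ev.when))
        last[ev.card_id] = ev
    return alerts


# Constructed sample log: card ...A7 is granted at the lobby and, 30 seconds
# later, at the annex, which is a 10-minute walk away.
SAMPLE_LOG = """
2024-03-01T08:00:00 0x2004F3B1A7 lobby GRANT
2024-03-01T08:00:30 0x2004F3B1A7 annex GRANT
2024-03-01T08:15:00 0x2004F3B1C2 lobby GRANT
2024-03-01T08:16:30 0x2004F3B1C2 server-room DENY
2024-03-01T08:20:00 0x2004F3B1A7 server-room GRANT
"""

if __name__ == "__main__":
    original = "0x2004F3B1A7"
    clone = str(original)  # same bits on a second card
    print("original accepted:", authorize(original, "server-room"))
    print("clone accepted:   ", authorize(clone, "server-room"))
    for card, a, b, when in find_impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"ALERT {when.isoformat()} {card} seen at {a} then {b} too quickly")
```

The controller half is deliberately as simple as the real thing: the decision depends only on the bits, so there is nothing for it to log that distinguishes the copy. The detection half is what an anti-passback or impossible-travel rule in an access-control or SIEM platform does; it is a compensating control, not a fix, since a clone used only when the original is idle never trips it. The walk-time table must be tuned per site, and the alert should be treated as a lead for a physical check rather than proof.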
In a later post I’ll cover the iClass SEOS cards and the struggles I had with these cards and what makes them better.