In this post, you’ll learn:
- How many RFID cards exist
- The best ways to copy your office 125khz access cards with step-by-step instructions in LESS than 1 minute (including the tools you need)
- Another step-by-step guide on how the more advanced 13.56MHz cards can be copied (and, of course, which equipment you need)
You’ll learn to clone cards (NFC or RFID cloner) at your office desk!
The Impact of RFID Cards and RFID Key Fobs
IDTechEx found that in 2015 the total RFID market was worth $10.1 billion. The parent directory for NFC was estimated at $10.1 billion — from $9.5 billion in 2014 to $8.8 billion in 2013.
This market sizing includes all the tags, readers, and software designed for RFID cards and key fobs, including all form factors. IDTechEx states that the market will rise to $13.2 billion by 2020. The security industry has experienced a significant overhaul with advances in technology.
For example, door security has evolved from simple padlocks and keys to RFID-enabled cards and fobs that can be swiped and triggered, as well as electric locks to open doors.
While this technology is impressive, it requires constant evolution and adaptation to defend against malicious users.
Any new technology, from the moment it is introduced to the general public, is vulnerable to manipulation and hacking by malicious users. An excellent example of this is RFID tags in 2013.
At the time, RFID technology had spread like wildfire across many sectors — tech companies, hospitals, and more were using 125khz cards to access doors secured with electric locks.
Most were using the EM4100 protocol card (125khz card) or a CMOS IC-based card, which had the information about the tag or fob stored openly. Since these ICs had no encryption or authentication, they would broadcast their information as soon as a reader was nearby.
This posed a huge security risk to companies dealing with sensitive information and products.
Essentially, anyone with the right equipment could steal or replicate these cards and fobs, whether authorized or not.
How can they be copied?
Previous posts on our blog explore how HID cards can be hacked and how the Wiegand protocol, used by HID readers, can be copied by HID card cloners. This post doesn’t go into as much technical depth but should be a fast and easy way to understand the card copying component.
How to Copy 125khz Cards? — the Old Way:
Like the one seen here, a reader can easily copy the ID of an existing 125khz EM4100 or a similar protocol chip and copy it to another card or fob.
One of the first people to attack this security standard in 2013 was Francis Brown—managing partner at the security firm Bishop Fox. Brown set out to test the security of the standard deliberately and developed an Arduino-powered reader/writer that could copy existing 125khz tags and fobs.
It’s been five years since Brown developed his tool to hack into these systems, and plenty of companies have switched to a more secure, higher frequency standard.
However, many businesses have not updated and used the 125khz EM4100 cards and fobs, making them vulnerable to attacks.
How to copy 125khz cards with an RFID copier?
The “Handheld RFID Writer” (buy one here for as little as $11) works like this:
- Turn on the device, hold a compatible EM4100 card or fob to the side facing the hand grip, and click the “Read” button.
- The device will then beep if it succeeds, replace the copied tag with an empty one, and press “Write.”
- The information stored on the original tag or fob will then be copied onto the new device
Done! Don’t believe how easy it is? Here’s a video to show you:
That’s how easy it is to copy or clone an access card or RFID key fob.
How to copy HID cards and get them on your phone?
People ask questions like: “How can a mobile’s NFC be used as an HID proximity card (used at the doors of a corporate office)? “and “Is the iPhone 6’s NFC transmitter capable of being used as a contactless card reader?” and so on.
In the following segment, we’ll focus on your typical HID card, which works off of 13.56 MHz and is a bit more advanced to copy:
Why are these cards more difficult to copy?
Since the frequency is significantly higher than the 125 kHz version, the amount of bits that can be sent per second is significantly higher. That means the data on the chip to be encrypted will be greater, rendering it more secure.
Now that encryption is available for these cards, they communicate with a reader device to send out a signal, and the reader reads it. Unlike before, however, it no longer advertises all of its data; instead, it only broadcasts public data—like its ID and name.
How do we copy them?
To access sensitive information, you must provide that memory sector with the right key—otherwise, it will appear blank.
Even though these cards are much more secure, once you know the encryption algorithm, you can decrypt them and access sensitive information. With that, people can also clone these cards relatively easily.
Since most Android smartphones running the Android OS have NFC, reading these cards and sometimes cloning them is easy.
—(If you don’t want to order equipment on eBay, skip over this part and learn how to duplicate the card using a smartphone and an app)—
- Prepare to copy your HID cards—the tools you need: We need a few cheap components from eBay—it’s sold under “NFC reader.” You can also check the NFC reader on Alibaba for higher volumes. I got my NFC reader/writer on NewEgg, which lists it as the “NFC ACR122U RFID” reader/writer tool. It runs on Windows, Mac, and most Linux systems.
- Once you have the copy tool, you need a Windows-based computer. Install its drivers and start using it. You’ll also need a computer to run the software, and following this guide, you can hack Mifare Classic 1K Cards. Here’s the BlackHat Guide.
Hold on! I hope you didn’t order the NFC reader yet, because if you have an Android, you can also do it with your phone!
Cloning Mifare NFC cards with a mobile phone:
Here’s the easiest way to copy NFC cards to a phone:
Although the BlackHat guide works well, it can be frustrating since you have to get some components together and hack away at a guide for an hour or two to see some results.
The easiest way to clone Mifare NFC Classic 1K Cards is by using an Android smartphone with NFC capabilities. That’s right; your cellphone can be used to compromise a company’s security if they are using these types of cards (RFID security system).
Just download the “Mifare Classic Tool” for Android. Pro Tip: It took me a while to figure out why it doesn’t work, but you must turn on NFC. Go to your settings and search for NFC; enable it. We can start cloning cards that have never changed their default sector password.
How is the app used to copy the card?
The app comes with the default keys set by the manufacturer of NFC cards; you would not believe how many people never bother to change this. Tim Theeuwes has a great guide on cloning NFC cards using your NFC-enabled smartphone. The following images are from his guide, which can be found here.
Hacking NFC via an app:
Once we have read the key or fob we want, we can store all of the information in a file. We can then write this information back onto a blank card, essentially cloning the original or fob. Figure 5 below shows the “Write Sector” portion of the app, where you can write individual sectors or all of them.
The critical sector to remember is sector 0, which contains the UID and manufacturer’s data; if you copy sector 0 to another fob, you’ve made a copy.
The Reader Pro uses the Mifare Desfire EV1 2K NFC cards, some of today’s most secure NFC cards. They provide an added security level to the existing Mifare Desfire NFC cards, making them incredibly secure.