Score: 3

Recently they've added a new lock to my building which looks like this:

[image: keylock]

Now we were given the code to access the building, but not the cards/tags. I swiped my tag used for a different lock and it does beep, so I know it can read one. My question is: would it be possible to brute force it or figure out a way to make a card/tag for it? It's super annoying typing in a 4-digit code and hitting # on such a narrow keypad. There is no manufacturer listed on it; all it says is "Wiegand", but knowing the company that installed it, you can be sure it's Chinese production (meaning a knockoff of an otherwise popular product of the same type).

Monomeeth
Predrag Beocanin
  • Brute force the combo, or brute force the lock? They're both physical security concerns, though one's more likely to land you in jail :P – cpast Jan 15 '15 at 04:18
  • I know the key combo, I'm wondering how do I manufacture a card/tag so I can get in without having to type stuff in. It's my building, I can prove it if it's a huge concern ^^ – Predrag Beocanin Jan 15 '15 at 04:19
  • Is that a wizard hat button? – Mike Ounsworth Apr 07 '16 at 00:00

4 Answers

Score: 1

It depends on the card technology in use. If it uses "dumb" cards/tags that merely broadcast a block of data when powered on, then all it takes to defeat it is to read that data block from a legitimate card and then simulate a card transmitting that data block.

If the cards in use employ crypto such as Mifare DESFire (or HID cards, though I have no experience with them), then it becomes a bit more complicated, as the card first authenticates the reader before transmitting the secret, and the entire communication is encrypted. The only solution here would be to attack a legitimate card first, which itself is difficult if the card is properly designed (though there are exploits on Mifare Classic cards that allow the recovery of all secrets in a matter of minutes).

André Borie
  • Heya, well actually the card reader from the picture is what I have in my building, but I don't swipe cards, I use this: http://i.imgur.com/JJmfa0d.jpg

    Main reason behind this is I want to figure out if it's possible to duplicate this in a different form (say, make it thinner and tape it to the back of my phone) or something along those lines. Also, the keypad from the picture is one of two we have, for which my blue thingy doesn't work. It reads it but beeps incorrect. I'd like to make it read this or figure out the key and create a card. tl;dr - maintenance people are braindead

    – Predrag Beocanin Apr 19 '16 at 20:12
  • The keyfob looks like Mifare, but with this el-cheapo reader I'm sure all it compares is the UID, which can be read with any compatible reader (the UID is not for security and even the official Mifare documentation says it) and then written on a counterfeit Mifare which allows UID spoofing (official ones don't). You'll need a LibNFC-compatible reader (PN53x), a counterfeit Mifare and a few minutes of your time. – André Borie Apr 19 '16 at 20:14

Score: 1

If and only if the reader has a card associated, you can do it. You would need to scan the associated card and copy it to disk, then write it to a card that allows a changeable UID. It will take you at most 30 minutes to brute a card, after which you can make as many copies as you wish. The Proxmark brand of reader-writers is best in my opinion, though e.g. an Elechouse PN532 knock-off can be used with a laptop to do the same thing, almost as fast, but with reduced range (you can however improve the 13 MHz antenna). Mifare Classic can be read from more than 10 cm away using a Proxmark.

The cards look like Mifare Classic 1K, and are absolutely broken, forever.

Kali Linux comes with the prerequisite tools installed. See this link. While it is possible to store tags on some NFC-enabled phones, I just ordered 20 Classic cards with changeable UID, and it is not difficult to copy one card's data and UID to another card. You can keep tags on NFC-enabled phones, and though I haven't tried it, I presume it requires that the card isn't protected in some way.

It would be much faster and cheaper to read the specs for that door controller, find the signal to open the lock, and just add a super-tiny button (to provide that signal when pressed) at the bottom of the device. Provided it's not vandal-proof, of course. This simple method has been used widely to pop open safes in hotel rooms and similar locations; google it.

Happy hunting.

user2497

Score: 1

No, it isn't possible. Cards send a different signal to the Wiegand controller than the code does, so the Wiegand controller won't accept a card entered as a code, or a code entered as a card.

You could ask the landlord or administrator of the building to add the tag for the different lock into the "authorized list" of that reader or controller. Then the tag on your keychain, which is EM4102, will work both for the lock where it originally works and for the lock on your building, so you have one single tag for both locks. That's not a security risk, since nothing is stored inside the tag except for a read-only serial; the tag itself does not know which lock it belongs to.

But I think you will get a card. Probably there was a keylock or only a code lock before, and it's very common when rolling out a card-access system to just give a common group code until cards are rolled out. Then the common group code is deleted from the system. This is to ensure no authorized person is denied access to the building until the transition period is over.

I have even seen setups where administrators, when setting up card readers without a keypad, put a common card inside a "real estate lock box" and give the lockbox code to everyone that should have access to the building. When all cards/tags are rolled out, the common card and lock box are removed from the wall and from the authorized list.

sebastian nielsen
  • Ah, they didn't really upgrade our security, but the old keypad died and they couldn't fix it, so they added a new one, so I'm pretty convinced we won't be getting cards. Also I was always interested in how those things work (the tag I have for the main gate is what they call a 'magnetic tag' around here) and how come such a simple technology can't be penetrated. Still trying to figure out how to copy and remodel the key I already have, just figured I'll give this a shot while I'm at it. Thank you anyway! – Predrag Beocanin Jan 15 '15 at 06:29
  • There is a possibility for penetration, but think of the keypad and the RFID coil as 2 separate interfaces. The reader won't accept a card number as input to the keypad, and the reader won't accept a code as input via the RFID coil. So basically, if the authorization list is CODE=1234# and CARD=NONE, then it won't matter how much you "remodel" your gate card; the reader is configured to never accept any card. But you say it's your building, what do you mean then? Is it an apartment building? You can always ask your landlord, they can be nice and add your card as a convenience. – sebastian nielsen Jan 15 '15 at 06:59

Score: -3
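As an added example that is not part of the thread, the following Python models the "two separate interfaces" point made in this answer: a Wiegand controller that checks 26-bit card frames only against its card list and keypad bursts only against its PIN list, so with CODE=1234# and CARD=NONE no card frame can release the lock, however it is programmed. The 26-bit frame layout and the 4-bit keypad mapping are the commonly documented ones, assumed here rather than taken from the page.

```python
# Added example, not code from the thread: a toy Wiegand door controller that
# treats the keypad and the RFID coil as two separate interfaces with separate
# authorization lists.  Assumed layouts (standard, not from the page): cards as
# 26-bit frames (even parity, 8-bit facility, 16-bit number, odd parity), keys as 4-bit bursts.

NIBBLE_TO_KEY = {format(i, "04b"): str(i) for i in range(10)}
NIBBLE_TO_KEY["1011"] = "#"
KEY_TO_NIBBLE = {k: n for n, k in NIBBLE_TO_KEY.items()}

def encode_wiegand26(facility, card_number):
    """Bit 0: even parity over bits 1-12; bit 25: odd parity over bits 13-24."""
    body = format(facility, "08b") + format(card_number, "016b")
    even = str(body[:12].count("1") % 2)
    odd = str((body[12:].count("1") + 1) % 2)
    return even + body + odd

def decode_wiegand26(bits):
    """Return (facility, card_number), or None if length or parity is wrong."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        return None
    if bits[:13].count("1") % 2 != 0 or bits[13:].count("1") % 2 != 1:
        return None
    return int(bits[1:9], 2), int(bits[9:25], 2)

class Controller:
    def __init__(self, codes=(), cards=()):
        self.codes = set(codes)   # keypad PINs such as "1234"; empty means CODE=NONE
        self.cards = set(cards)   # (facility, number) pairs; empty means CARD=NONE
        self.keybuf = ""

    def on_frame(self, bits):
        """True if this frame releases the lock; a frame is checked only against its own list."""
        if len(bits) == 26:                     # card interface
            return decode_wiegand26(bits) in self.cards
        if len(bits) == 4:                      # keypad interface
            key = NIBBLE_TO_KEY.get(bits)
            if key == "#":                      # '#' submits the buffered digits
                entered, self.keybuf = self.keybuf, ""
                return entered in self.codes
            if key is not None:
                self.keybuf += key
            return False
        return False                            # any other length is rejected

def type_code(ctl, keys):
    """Feed a keypad string such as '1234#' one burst at a time; return the last result."""
    result = False
    for k in keys:
        result = ctl.on_frame(KEY_TO_NIBBLE[k])
    return result
```

A corrupted frame (wrong length or parity) is silently dropped, which is the same outcome as an unknown card: the controller never falls through from one list to the other.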

Bruteforcing an RFID reader is possible in theory. For my school project, I did an RFID emulator that can clone the card and then emulate it. I am sure if you program the microcontroller instead of emulating the card it read, is to emulate all combinations from that range of numbers which represent the card id

schroeder
David
  • Your last statement is incomplete. You start with "if" but do not end with a "then". If you program the microcontroller, then what? You will be able to bruteforce? Then you will be able to find a combination that works? – schroeder Apr 06 '16 at 14:31