Proximity Card Spoofer

It is really hard to find good information online about proximity cards. I’m sure some companies consider this obscurity a form of security, but Jonathan Westhues demonstrates how severely flawed that notion is. He found a data sheet mentioning a 125kHz carrier frequency. He was off and running from there, eventually building a device that can read and repeat a proximity card’s data. It’s been argued that RFID technology is safe because of the short read distance. Jon actually found it easier to passively read cards that were being energized by a legitimate reader than cards energized by his device alone. Make sure you check out his home-built PCB mill while you’re at the site.

[Thanks barbobot]

Comments

  1. Blake Putnam says:

    Wow

  2. frumin says:

    Nice. Here, in Warsaw, we use proximity cards (MIFARE kind) to enter the subway station and as bus tickets. Let’s hope I won’t get into trouble reading other people’s tickets :)

  3. Michael ducker says:

    Sophomore? students at Olin College (www.olin.edu) made a similar contraption. They built their own USB reader and also built a handheld spoofer. I got to see it when I visited. It was an interesting project, as the entire school’s physical security is based on these cards, and the students, as a school-sanctioned project, broke it.

  4. Mike Matthews says:

    Gotta love the google ads for RFID tag printers in an article talking about the insecurities of RFID. Classic.

  5. noouch says:

    I think the ski areas around the world (the richer ones use proximity cards) are going to love this ;)

    …but think of the possibilities: free entry to public transportation, schools and ski resorts. Also coming soon: amusement parks. Yay for proximity card spoofing.

  6. gus says:

    Perimeter security breached ;)

    For those interested, Jonathan will give a presentation on his proximity card reader/simulator at the REcon conference (www.recon.cx, Montreal, 17-19 June 2005).

  7. John says:

    Where can I buy one? I have a legitimate use for one at work.

  8. ANHTAI says:

    HI
