Passive RFID tag cloning

Here’s an open source RFID cloner design that is about the same size as a standard RFID key card. It doesn’t need a battery to capture key codes, just the magnetic field generated by an RFID reader. You can see the functionality demonstrated in the video after the break. By holding the bottom button as the cloner is moved in range of the RFID reader, the microcontroller goes into learning mode. Now just hold up the card you wish to clone and the LED just above the buttons will light up when it has captured the code. Now the device will act just as the original RFID tag did.

This was developed by [Ramiro], the same person who built the barebones RFID emulator we saw a few days ago. When researching that story we complete skipped over this gem. He’s posted a ton of information on the tag itself. It doesn’t look like he has any PCBs or kits left, but the schematic and code are available for download. You should check in on the design considerations section because it discusses the read/write function that isn’t built into the current version. That’s why you see some add-on components on the hardware used in the demo video.

It seems like this is a lot more user-friendly than the last RFID spoofer we looked at.

32 thoughts on “Passive RFID tag cloning

  1. Yes! I have been wanting to build this, and now someone has done the hard part for me. Thank you!

    Very slick board by the way I like the small/slim design.

  2. ooh boy.. As much as I like this hack, I’m afraid it once again shows the weakness of RFID.

    This hack is great to get inside your local hackerspace when you lost your key.. However, I see this hack to be used in less legitimate circumstances..

    1. No magic there – card transaction logs were probably audited and the numbers didn’t add up, in fact by setting his balance so high it might have triggered the investigation.

      Mifare classic can be exploited, again no magic there.

      1. That was my view when someone presented the MiFare hack earlier this year. I figure that the logs are monitored. My Taiwan EasyPay card sometimes doesnt work and I just take it to the kiosk and they reload it or something. You can also go to an machine and it will display all of your transactions using the card. You can use it for pretty much anything here. Max amount you can put on the card is 10,000 Taiwan dollars which is $330 USD. Dont remember the maximum transaction per day. It has nothing that links it to you so if you lose it to bad. Since there is nothing that ties it to you, you could claim that you found the card. One other thing about the database is apparently they monitor it real time because they were able to track him. When you get on or off the mass transit you scan the card. You buy something at the store they know. So they know where you were at a certain time. Doesnt take long before they have your patterns. In fact there are video cameras all over the place here in Taiwan so they maybe capable of tying the card to a face. I know that they solve a lot crimes using the video cameras. For the paranoid you dont have to use the card. You can get a token or pay cash at the stores.

  3. RFID is not secure. It hasn’t been for a very long time. It should only be used to protect janitorial supplies not server rooms, credit cards, sensitive data etc. etc.

    I can see RFID keys making it easier for building staff to pass through semi-secure rooms like say an ER, but RFID should not be used for holding sensitive data or protecting sensitive material.

    1. No won’t work with HID directly, 125khz HID readers have slightly different signalling (still about as simple) but they also have fairly short RF bursts rather than a continuous carrier meaning you’ll probably need a coin cell to power the thing (or at least I did with my emulator)

  4. Sniffing the openly transmitted RFID serial number does not show any weakness in security based RFID systems. If the system needs to be secure, there have been encrypted RFID tags on the market for a long time. Have a search, maybe start at the Atmel website.

  5. Further to my above comment, sniffing the openly transmitted serial number is the same as someone scanning and reprinting a product barcode. This cannot be compared in any way to cracking a secured RFID transponder.

  6. mom didn’t tell ya, that chewing gum with your mouth open is impolite? wspecially when you record something, or talk to people. i won’t mention the sound you make while you breathe through your mouth… disguisting!

  7. Another comment, most of the time the Taiwan EasyPay cards have to be pressed tight against the reader and held there for at least a second for them to work. The buses have notoriously weak readers and sometimes you have to move the card around slowly to get it to read the card.

    Intercepting the signal without contact would be difficult. If you could make it about the same size as the card so that you could palm it…

    I have seen a couple of obvious non-standard cards that someone has made. A friend of mine has a card the shape of a cartoon character. He wont say where he got it.

  8. I’m thinking about putting together some of these kits sense his site seems dead/suspended. Just tell me how many you want and i’ll try to source the stuff. It wont be assembled of course. Also if anybody wants to make a .pcb file for me to send to the manufacture to speed things up i’ll give you the first kit for free.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s