Passive RFID tag cloning

posted Sep 30th 2011 3:02pm by
filed under: Microcontrollers, security hacks

Here’s an open source RFID cloner design that is about the same size as a standard RFID key card. It doesn’t need a battery to capture key codes, just the magnetic field generated by an RFID reader. You can see the functionality demonstrated in the video after the break. By holding the bottom button as the cloner is moved in range of the RFID reader, the microcontroller goes into learning mode. Now just hold up the card you wish to clone and the LED just above the buttons will light up when it has captured the code. Now the device will act just as the original RFID tag did.

This was developed by [Ramiro], the same person who built the barebones RFID emulator we saw a few days ago. When researching that story we completely skipped over this gem. He’s posted a ton of information on the tag itself. It doesn’t look like he has any PCBs or kits left, but the schematic and code are available for download. You should check in on the design considerations section because it discusses the read/write function that isn’t built into the current version. That’s why you see some add-on components on the hardware used in the demo video.

It seems like this is a lot more user-friendly than the last RFID spoofer we looked at.



28 Responses to Passive RFID tag cloning

  • Spork says:

    Yes! I have been wanting to build this, and now someone has done the hard part for me. Thank you!

    Very slick board by the way I like the small/slim design.

    • NewCommenter1283 says:

      Creepy

      Its been here for years,
      “protecting” server rooms…

      People who make this and anything similar are
      creeps and will be hated for generations to come.

      Then again, might as well show people how insecure of a “security” system it is. (COUGH, TOY) Surprisingly, the biggest data threat still comes from physical access to an unsecured server’s USB ports... of which you can easily get access to using this RFID cloner? hmm

      RFID_CLONE = USB_CLONE = WIKILEAKS

      *#&(_*&#_)%&($_%09&_)#&(%_)%* RFID!!!

      SOLUTION: we are (yous are) all too lazy/stupid to use two pieces of copper wire on a serial port and then stretch your arm all the way out to the reader… oh yeah, I forgot, your pretty little arm is all too overworked to press the card into the 4-pin connector at the gate. oh the humanity. where’s RFID to save your precious arms from actually using them!?!?!?!! you would all rather have fat arms and a CLONED PASSPORT…

      Say, what’s the range? can it be increased?
      Of course! Anything can, but I’m not telling you how!

      “cloned passport”
      yes i said it. deal with it!
      BECAUSE ITS OPEN SOURCE NOW BABY!

    • NewCommenter1283 says:

      @STAFF
      &
      @Spork
      oops i hit reply when i meant to regular post, sorry Spork

  • woutervddn says:

    ooh boy.. As much as I like this hack, I’m afraid it once again shows the weakness of RFID.

    This hack is great to get inside your local hackerspace when you lost your key.. However, I see this hack to be used in less legitimate circumstances..

  • MSylvia says:

    At least it’s not a 1 Button enter everything weakness

  • HermitInClearView says:

    Beware, as much as has been posted that these systems like MIFARE are easy pickings, there is something hidden that apparently is not common knowledge or open source.

    Engineer hacks ‘unbreakable’ MRT EasyCard security system.

    • John R says:

      No magic there – card transaction logs were probably audited and the numbers didn’t add up, in fact by setting his balance so high it might have triggered the investigation.

      MIFARE Classic can be exploited, again no magic there.

      • HermitInClearView says:

        That was my view when someone presented the MIFARE hack earlier this year. I figure that the logs are monitored. My Taiwan EasyPay card sometimes doesn’t work and I just take it to the kiosk and they reload it or something. You can also go to a machine and it will display all of your transactions using the card. You can use it for pretty much anything here. Max amount you can put on the card is 10,000 Taiwan dollars which is $330 USD. Don’t remember the maximum transaction per day. It has nothing that links it to you so if you lose it, too bad. Since there is nothing that ties it to you, you could claim that you found the card. One other thing about the database is apparently they monitor it in real time because they were able to track him. When you get on or off the mass transit you scan the card. You buy something at the store, they know. So they know where you were at a certain time. Doesn’t take long before they have your patterns. In fact there are video cameras all over the place here in Taiwan so they may be capable of tying the card to a face. I know that they solve a lot of crimes using the video cameras. For the paranoid, you don’t have to use the card. You can get a token or pay cash at the stores.

  • ho0d0o says:

    RFID is not secure. It hasn’t been for a very long time. It should only be used to protect janitorial supplies not server rooms, credit cards, sensitive data etc. etc.

    I can see RFID keys making it easier for building staff to pass through semi-secure rooms like say an ER, but RFID should not be used for holding sensitive data or protecting sensitive material.

  • Jayson says:

    I wonder if this will work in HID standards.

    • John R says:

      No, won’t work with HID directly. 125 kHz HID readers have slightly different signalling (still about as simple) but they also have fairly short RF bursts rather than a continuous carrier, meaning you’ll probably need a coin cell to power the thing (or at least I did with my emulator).

  • alan says:

    Sniffing the openly transmitted RFID serial number does not show any weakness in security-based RFID systems. If the system needs to be secure, there have been encrypted RFID tags on the market for a long time. Have a search, maybe start at the Atmel website.

  • alan says:

    Further to my above comment, sniffing the openly transmitted serial number is the same as someone scanning and reprinting a product barcode. This cannot be compared in any way to cracking a secured RFID transponder.

  • Yes! This is the next thing for me to build. It looks great and works great… it should be useful!

  • cake says:

    mom didn’t tell ya that chewing gum with your mouth open is impolite? especially when you record something, or talk to people. i won’t mention the sound you make while you breathe through your mouth… disgusting!

  • t&p says:

    lol. dude just throws the thing at the end

  • HermitInClearView says:

    Another comment, most of the time the Taiwan EasyPay cards have to be pressed tight against the reader and held there for at least a second for them to work. The buses have notoriously weak readers and sometimes you have to move the card around slowly to get it to read the card.

    Intercepting the signal without contact would be difficult. If you could make it about the same size as the card so that you could palm it…

    I have seen a couple of obvious non-standard cards that someone has made. A friend of mine has a card the shape of a cartoon character. He won’t say where he got it.

  • reza says:

    The site is suspended.. seems someone got upset.

  • Kashan Ahmad says:

    Can someone please share the construction details?

  • RFIDiva says:

    Looks like a lot of work….

  • Mao says:

    Is it possible to buy one of those somewhere?

  • B says:

    Anyone have DIY instructions to build this?
