No Secret Knocks Required At [Steve’s] House – Your Subway Pass Will Do


[Steve] is often host to all sorts of guests, and he was looking for an easy way to let his friends come and go as they please. After discovering that his front door came equipped with an electronic strike, he decided that an RFID reader would be a great means of controlling who was let in, and when.

Giving all your friends RFID cards and actually expecting that they carry them is a bit of a stretch, but lucky for [Steve] he lives near Boston, so the MBTA has him covered. Just about everyone in town has an RFID subway pass, which pretty much guarantees that [Steve’s] cohorts will be carrying one when they swing by.

He crafted a stylish set of wooden boxes to contain both the RFID reader and the Arduino that controls the system, matching them to the Victorian styling of his home. A single button can control the setup, allowing him to add and remove cards from access lists without much fuss. For more granular control however, [Steve] can always tweak settings from the Arduino serial console.

The card system is both stylish and useful – a combination that’s hard to beat.

26 thoughts on “No Secret Knocks Required At [Steve’s] House – Your Subway Pass Will Do

  1. Just a small addition: Also included in the setup is an Android app that talks with it via Bluetooth. This app lets you manage the lists (adding / removing) as well as assign one of your phone’s contacts to a given ID so you can know which ID belongs to whom. It can set the active group and can also open the door if you forgot your ID (but have your phone, the app, and the Bluetooth PIN to pair it).

  2. This is a beautiful build. I love the way the LED display and button were hidden. The only question I have is there any current limiting in driving the LED display or are you depending on inherent limiting by the shift register?

    1. On the particular build that I did, I neglected to do any current limiting beyond passing it through the shift register. Were I to do it again, I’d probably try to make a one- or two-layer board to keep it tidier and to make it easier to add components.

  3. This is beautiful—really—but not secure. True, few people would think of using their subway card to break into a house, but he is sort of opening his doors to the entire Boston metro area…

      1. Yeah, you have that correct. Each Charlie Card (as they’re called) has both an encrypted area that the MBTA uses and a unique ID (which is also printed in decimal form on the front of the card). This ID is unique to the MBTA system and (I believe) most of the cards by the same manufacturer. I’m not sure about the last one, but it doesn’t really matter much – it’s an 8-byte ID, so it’s pretty well dispersed.

        When people cite security issues with the system (you can potentially brute force the IDs or the Bluetooth PIN), it’d be much easier to just pick the lock or smash the glass. Not that I recommend doing any of the above, of course, but in terms of system weakness, electronics are not the weakest link.

        Also, we have an internal deadbolt as well.

    1. I agree with you Waffles.
      I use a similar system on my home , workshop , personal car.
      My Key is a implant and I have a spare card in my wallet if my hands are full all I have to do is put my back pocket close to the extended range reader I have and I am in. I used all commercial made readers and a really nice controller that can control one door and have two readers and it has a embedded web server that I can access remotely and look at a log on what tag has been used and when. And remotely open the door.
      The controller cost about the same as all of the parts above about $80.00 US I just added a 12Vdc vicor and a 12V 12ah battery for backup power.

      1. Do they have RFID chips yet that do encryption (pub/private key preferably) to prevent people from copying it or saving session keys when they walk past you and using them later?

      2. Cool! If you don’t mind me asking, where is your implant and where did you get it implanted? I find the concept rather intriguing and am a bit excited about the idea of waving my hand (or whatever) at my door :-)

      3. DarwinSurvivor: yes, they’re called Contactless Smart Cards (check Wikipedia) and it’s what most transportation systems use nowadays, since it wouldn’t be nice if a user could just change the ID and use another person’s credit.

    2. No, it says each card has its own ID, and I guess you would only switch access for some groups on for party night or whatever. I mean it’s been ages since my grandma snook in and boosted by pot supply, so it’s not like you can’t trust your friends and family, but if you don’t want to trust everybody, you can use the afore mentioned lists. I imagine you can program times for access or schedules in advance too, or at least it would be easy to add.

      “No gran, Monday nights are when we smoke. Your card won’t work then. We’ve been through this; you always bogart the joint.”

    1. There are a few instructions in the README (which is also the website), but I didn’t think the setup was done cleanly enough to warrant making it easily reproducible. All the source files that I can think of are included in the source code repository, including things like the lasercut patterns. I learned a lot along the way about how I should have done it ;-)

      If I build another one, I’ll clean up a bunch of the build and will probably make the Instructable then :-)

      1. “If I build another one, I’ll clean up a bunch of the build and will probably make the Instructable then :-)”

        Please don’t, the website write up is more than enough. I think (hope) the GP was being sarcastic. :)

        Also, good job, this looks amazing. This would be a good system for a frat house at a college as well.

    1. The MiFare classic crack has nothing to do with this particular use of the cards. That was used to extract the A and B keys, which would let you get at the encrypted memory. I’m not even touching that part of the card – just reading the unique ID from it and checking it against the master list.

      The security of the system is only as good as the weakest link, and I’m pretty sure I could pick my front door lock quicker than I could put together a tool to brute-force my way into it.

      That said, I should probably add a brute-force prevention timeout, just to thwart those who would be keen on attempting for the hell of it.

    2. You’d be terrified of mine, similar idea but uses credit cards (mag-stripe, not chip) instead.

      Because I’m only checking the 16-digit number, if you knew my credit card number you could clone my card and break into my house.

      It’s web-enabled (add/remove numbers), so you could hack that too. You can’t trigger the door lock over the web though, you still need a card.

      It won’t stop Mossad, the CIA or assorted uber-hackers, but it’s good enough, but at least it’s better than those hotel one on HAD a while back.

      Or you could, like in this case, decide it’s easier to put a brick though the window.

      (I do use an RFID tag to start my motocycler though)

      1. Cool! That seems reasonable enough – CC numbers are fairly private, so only trusted parties have access to it. At the very least, the intersection between those who you give your CC# to and those who have physical access to your front door is probably pretty small.

      2. A few family & friends, it has about a dozen CC numbers IIRC. The CC number by itself is a bit useless without expiry date & CVV.

        It’s pretty simple, the reader spits out the card details via RS232 to a PIC chip, the PIC then checks against a list stored in an EEPROM chip.

        The card list is updated by sending a list via RS232 as well, so that made adding the web interface pretty easy. That said, I’ve used the web interface exactly once.

        It’s been running for about 10 years, the reader isn’t exposed to the elements so it’s survived (besides, new ones are cheap).

        I thought about upgrading to RFID, but then I’d have to hand the tags out. Everyone has a card of some sort, a couple of people use old gift cards. Maybe I’ll upgrade once everyone has NFC in their phones.

  4. Adding a delay between each try of an RFID card would likely do a good job at preventing brute forcing. If you enforced a 5 second delay between any incorrect code “entered” then someone would be there for a long time before getting in.

    1. Heh. There is an ordinary key, but it’s a bit finicky and sticks a little. As a result, the RFID is much faster to use. Additionally, I’m now in the habit (between work and the MBTA) of waving my wallet at [the place] a card target [would be] whenever I encounter a door I can’t get through. This makes that habit work for home, too!


  5. Nice!
    I am looking into adding RFID to my electric bike to stop people stealing it, by crippling the brakes if someone tries to cycle it off.
    Also handy for turning on lights, etc and other housekeeping functions such as enabling battery charging.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.