CarontePass: Open Access Control For Your Hackerspace

A problem faced by all collaborative working spaces as they grow is that of access control. How can you give your membership secure access to the space without the cost and inconvenience of having a keyholder on site at all times?

[Torehc] is working on solving this problem with his CarontePass RFID access system, at the Kreitek Makerspace (Spanish, Google Translate link) in Tenerife, Canary Islands.

Each door has a client with RFID readers, either a Raspberry Pi or an ESP8266, which connects via WiFi to a Raspberry Pi 2 server running a Django-based REST API. This server has access to a database of paid-up members and their RFID keys, so it can issue the command to the client to unlock the door. The system also supports the Telegram messaging service, and so can be queried as to whether the space is open and how many members are in at a particular time.

All the project’s resources are available on its GitHub repository, and there is a project blog (Spanish, Google Translate link) with more details.

This is a project that is still in active development, and [Torehc] admits that its security needs more work, so he is busy implementing HTTPS and better access security. As far as we can see through the fog of machine translation, at the moment it relies on the security of its own encrypted WiFi network, so we’d be inclined to agree with him.

This isn’t the first hackerspace access system we’ve featured here. The MakerBarn in Texas has one using the Particle Photon, while the Lansing Makers Network in Michigan have an ingenious mechanism for their door, and the Nesit hackerspace in Connecticut has a very fancy system with video feedback. How does your space solve this problem?


27 thoughts on “CarontePass: Open Access Control For Your Hackerspace”

  1. I have looked at the RFID you are using myself for a same type of application, only for my home. The problem with this RFID reader is that by itself is not secure. The encryption protocol is outdated.

    How do you ensure yourself that the key doesn’t get spoofed?

    1. Hello!

      It is known that RFID is not secure, so I’m implementing authentication by Telegram. It is that the only chatid each person can identify and give access if necessary using the command “/open” from the smartphone. With this could have number of ways to access and perhaps a moment stop using RFID.
      I would also add the fingerprint sensor arduino, but I have to study its behavior.

      Thanks for the feedback

    2. I am using some EM4102 read only tags to open my door.
      The RFID reader is placed outside and connected or RX and TX to an Arduino inside.
      If the Arduino receives the right number from the RFID reader, then it opens the door. If the wrong number is transmitted, then the Arduino blocks reading for 5s. For each failed attempt, then the wait time is doubled. So brute forcing will not be that easy. Not even if the reader is torn out and a serial connection to the Arduino is made.

      I think the weakest link in this system is the RFID Tag. Anybody with the right hardware could read it and clone it.

      So yes there is a simple way to get access to my house. But seriously I don’t think thieves would use this technique since it is not very common to secure doors that way. It is a lot simpler to just break a window and get in or pick the conventional lock of the door.
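The lockout rule from the comment above (block for 5 s, double the wait on each failed attempt), modelled in Python as an added example; it is not the commenter's Arduino code. The class and function names, the sample tag and the one-hour cap are assumptions made for the illustration.

```python
import hmac

SAMPLE_TAG = bytes.fromhex("0a1b2c3d4e")  # constructed 40-bit ID, EM4102-sized


class DoorLockout:
    """Gate in front of a tag check: 5 s block, doubled per failed attempt."""

    def __init__(self, valid_tag: bytes, base_s: float = 5.0, max_s: float = 3600.0):
        self.valid_tag = valid_tag
        self.base_s = base_s
        self.max_s = max_s          # assumption: cap, so the wait cannot grow without bound
        self.next_delay = base_s
        self.blocked_until = 0.0

    def attempt(self, tag: bytes, now: float) -> str:
        # While blocked, input is discarded without being compared, so a
        # correct tag presented during the block does not open the door either.
        if now < self.blocked_until:
            return "blocked"
        # Constant-time comparison, so timing does not leak matching bytes.
        if hmac.compare_digest(tag, self.valid_tag):
            self.next_delay = self.base_s   # success resets the backoff
            return "open"
        self.blocked_until = now + self.next_delay
        self.next_delay = min(self.next_delay * 2, self.max_s)
        return "denied"


def seconds_to_try(guesses: int, gate: DoorLockout) -> float:
    """Earliest time at which `guesses` wrong tags have all been evaluated."""
    now = 0.0
    for i in range(guesses):
        now = max(now, gate.blocked_until)   # wait out the current block
        gate.attempt(b"wrong-%d" % i, now)
    return now


if __name__ == "__main__":
    print(seconds_to_try(10, DoorLockout(SAMPLE_TAG)))   # seconds for 10 guesses
```

Anyone at the reader can keep the gate in the blocked state, which also shuts out the legitimate tag; the cap bounds how long one failure can do that.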

    1. Mifare conventional use for RC522 reader.
      Customers use an API made in django that is only accessible with username and password (authorized). Although I am implementing authentication for tokens for safety.

      Thanks for the question

  2. Just a thought, but a digital lock on a hackerspace door seems to me like issuing a challenge to members!

    That being said, anyone that manages to get in despite not being granted access deserves to be there! :)

    1. They liked enough, especially integration with telegram.
      They can see from Telegram when it opens or closes the space, or people are in at the moment.

      And of course, access is a form of security that not to exclude anyone.

    2. Yeah who cares. The kind of people who can hack the door should just get a beer. And people know each other, so it would be discovered sooner or later.

      Actually, don’t issue any RFID tags at all. Just setup the access panels and let people know that they need to prove themselves. ;)

  3. Relying on just the uid of the card is not the smartest thing for access control, as this isn’t protected in any way. There are even Chinese cards where this uid can be written. This would offer the same security as 125KHz tags.

    Mostly a S50 card or two is supplied with those ebay readers and those cards have a ‘secureish’ memory. Better store something there and protect it with a PIN.

  4. I have had a project in my head for a while now that involves building an electronic lock system but one that uses only open components (that can be replaced with something from a different vendor without needing any other hardware changes to the system) and open source software and not some proprietary RFID system (that may or may not be secure and may or may not be easy to get parts for in 10 years).

    Never went anywhere with it because I have no buildings or other things that need securing to build it for, no money to build it and no hardware skills to actually build it.

    One of these days I will figure out where to dump this idea so others who might actually be interested in it can do something with the information.

  5. At our previous location, we used a homebrewed rfid AND pin keypad solution (pure rpi). Each member had a unique pin tied to their card. Essentially 2 factor auth. Worked great except for our very quickly put together solution wasn’t portable and a one-time installation that was not re-created when we moved locations. We have a second solution being built similar to this that will integrate with openhab and provide security cam shots to board members who want them.

    At our current location, we have a keypad with a ‘key’ (pin) that all members are given. It’s changed periodically (event and schedule driven). Just like a physical key except it doesn’t cost anything to change out whenever we want.
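What comments 3 and 5 suggest (store something in the card's memory, and tie a PIN to the card), next to a UID-only check, as an added Python example; it is not code from CarontePass or from either commenter's system. The function names, the in-memory `MEMBERS` table and the server-side `SYSTEM_KEY` are assumptions.

```python
import hashlib
import hmac
import secrets

SYSTEM_KEY = secrets.token_bytes(32)  # assumption: server-side key, never written to a card
MEMBERS = {}                          # uid -> record; stands in for the member database


def _pin_hash(pin: str, salt: bytes) -> bytes:
    # Salted, slow hash so the database does not hold PINs in the clear.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enroll(uid: bytes, pin: str) -> bytes:
    """Register a card; returns the random token to write into the card's memory."""
    token = secrets.token_bytes(16)   # 16 bytes fits one MIFARE Classic block
    salt = secrets.token_bytes(16)
    MEMBERS[uid] = {
        # Only a keyed MAC over UID + token is stored, not the token itself.
        "token_mac": hmac.new(SYSTEM_KEY, uid + token, hashlib.sha256).digest(),
        "salt": salt,
        "pin_hash": _pin_hash(pin, salt),
    }
    return token


def check_uid_only(uid: bytes) -> bool:
    """The weak check: anything that presents a known UID is accepted."""
    return uid in MEMBERS


def check_card_and_pin(uid: bytes, token: bytes, pin: str) -> bool:
    """UID, token read from card memory and the member's PIN must all match."""
    rec = MEMBERS.get(uid)
    if rec is None:
        return False
    mac = hmac.new(SYSTEM_KEY, uid + token, hashlib.sha256).digest()
    token_ok = hmac.compare_digest(mac, rec["token_mac"])
    pin_ok = hmac.compare_digest(_pin_hash(pin, rec["salt"]), rec["pin_hash"])
    return token_ok and pin_ok


if __name__ == "__main__":
    uid = bytes.fromhex("04a1b2c3")   # constructed sample UID
    card_token = enroll(uid, "4821")  # constructed sample PIN
    print(check_uid_only(uid), check_card_and_pin(uid, bytes(16), "4821"))
```

A card that presents only the right UID passes the first check and fails the second, and a copy of the whole card, token included, still fails without the PIN.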

  6. Hi there,
    very nice project indeed. We at the Makerspace in Dresden (Germany) are using quite the same approach. It’s called RoseGuarden. If interested, please have a look at .
    We are using:

    Raspberry Pi instead of the ESP/Proton
    Flask instead Django
    Pure Bootstrap instead of the AdminLTE
    And the same RC522.

    Maybe someone is interested in collaboration. It should be easy to take the best of one system to improve the others.

    Some ideas to the already hacked Crypto1. We only store a unique hash (encrypted with a systemwide password). The hash only identifies a single user. No further information is stored. The binding between tag (UID + Hash) and user is stored in a SQLite database. The hacking of the system gets very hard with that. It is only possible to corrupt a single card. Nevertheless we are trying to get the Desfire tags working. This should be possible with the same reader and we are working on that. HTTPS is interesting too, especially with the free “letencrypt” certificates.

    Please feel welcome to write me for any ideas of collaboration and have fun with this cool project.


  7. Funny, I was talking about doing something similar at a makerspace meeting last week.
    For us, our meetings are at the city library so access is already controlled but we wanted to use RFID to control access to an electronic parts cabinet for members. I already have a reader and some tags I got from eBay for a few bucks and if you search Julian Ilett on YouTube, he does a test of the same reader I bought and shows what type of data is returned when you scan an RFID token. I love Julian’s postbag videos…
