Your Building’s RFID Access Tags Might Be Really Insecure

[Gabe Schuyler] had a frustrating problem when it came to getting into his building’s garage. The RFID access system meant he had to remove his gloves while sitting on his motorcycle to fish out the keytag for entry. He decided to whip up a better solution with less fuss.

His initial plan was to duplicate the keytag and to sew one into his gloves. Purchasing a 125 KHz RFID tag duplicator off eBay, he was able to quickly copy the tag, and create one that worked with his garage’s entry system. While the duplicate tags worked well, they were still too big to easily fit into a glove. Attempts to create a duplicate with a smaller tag failed, too. Eventually, [Gabe] turned up a ring complete with a compatible RFID chip, and was able to duplicate his entry tag onto that. Now, by wearing the ring, he can enter his garage and building with a simple wave of the hand, gloves on or off.

Of course, duplicating an RFID tag is no major hack. As per [Gabe]’s Shmoocon talk on the topic, however, it shows that many buildings are using completely insecure RFID access methods with little to no security whatsoever. Anyone that found an access tag lying on the ground could easily replicate as many as they wanted and enter the building unimpeded. It also bears noting that you can snoop RFID cards from further away than you might expect.

20 thoughts on “Your Building’s RFID Access Tags Might Be Really Insecure

  1. A Similar happend at my work place. To open the gates you have to touch your card to the reader. However the way my car is built I have to open the entire door to get access to the reader. So I got a proxmark v3 and found out the card is a Mifare Desfire EV2 which is very secure. However it was worth a shot to do a primitive replay attack, right? Couldn’t believe my eyes when that gate opened. Turns out the manufacturer uses none of the card’s security features nether outside or inside the building. It simply reads the CardID and compares that to a known list. You don’t even have to fake the card type or protocol. Just use anything that has a matching 7 byte CardID.
    So I reported the issue and the manufacturer weaseled its way out by claiming the door system is not for security but only for recording who entered the building at which time. Of course buried in the documentation and fine print.

    Now I use a kasper oswald chameleon mini to conveniently switch between door access and EV-Charging access (same issue) until the parent company finally forces us to swap out all card readers (like 50) and install their (indeed secure) system.

    1. Similar thing with my previous office building – Mifare Classic cards, but only the UID was used. I actually ended up duplicating my tag onto a magic card after getting locked out one day when I was the only one in the office during the local covid lockdowns.

      Now I have a shiny new Flipper Zero that can do simple card read and emulation attacks… but also a new office building that uses Desfire cards properly, with the real identification token locked in a secure sector with a non-default key.

      So it’s a bit of a happy/sad situation, as I want both proper security and an easier form-factor for my tag, dammit :D

  2. it’s even worse than that.
    Many employers have cards in a sequential range, so any employee can read their card, and program another card for something in the same range – and then see what access it has.
    It normally doesn’t take that long to find a card that can access everything, and all it takes is a cheap $10 reader/writer.

  3. “Anyone that found an access tag lying on the ground could easily replicate as many as they wanted and enter the building unimpeded.”

    Enter WHICH building on the planet now? If you don’t know what door the key goes into you really don’t have a key, do you?

    The simple solution is to get one of those “reel it out, let it reel itself back in” doohickeys that large corporations and gummint agencies use. Problem solved.

    1. As someone who used a reel for a few years, I was more likely to drop my tag using it than not, because the cable inevitably wears out and breaks at some point, probably while flapping about on my belt. A loose tag would be on my keys or in my pocket, and it can’t spontaneously drop out of there.

      1. On axwalk around the streets surrounding where I work, I found a simple rfid card with an integrated envelope to hold the user’s ID. Which had the company name right on it.

        1. I have a moderately good key reel.
          Every couple of years I see some wear on the line, right where it attaches to my key ring.
          It is quite easy to pull an inch or so of line through the connector, tie a new knot, and cut off the frayed twine.
          Since the line was four feet to begin with, I expect it to last at least a decade or two before it becomes to short to use.

    2. As most cards also have printing on them, Logo, company name, employee name etc finding one probably tells you everything you need as to which building with a light internet search… And they kind of must have some printing on them – how else can your human employee identify which plain white card is their card for this place..

      For the global companies assume the local office, though quite possibly ALL the offices have the same keycard database – convenience vs security – so much easier if your usually USA/German/GB based employee can be sent to the little satellite office in Belgium for a week without having to issue new guest credentials, or time limited access to their normal ID etc…

    1. Without finding a tag to use, it might still be harder to pick than an average pin-tumbler lock. Copying tags seems similar to copying of keys, except that it is easy to invalidate an RFID tag that has been lost for any length of time.

      1. if they can’t get a tag in the first place (to know the range) it is indeed much more secure than a key. Especially if the system using it is vaguely intelligent and notices invalid tags (particularly in sequence).

        However, if you CAN get a tag, then change it to other valid tags, that is probably worse than keys..

        By the way – I think the use in this story is quite common, and I have done the same with work tags that aren’t the right type ie they tend to give out the credit card sized ones, and I program a keyfob one to the same number..

        But the central point remains – anyone with a ‘security’ system that just uses a card number is several decades out of date and not interested in security…

        1. Incorrect. You can just attach a sniffer to the outside of the door and scan all employees tags as they enter the building, or if they have a guard watching the reader you can follow any car leaving the building to the nearest gas station and sniff the card while they are inside the store.

    1. Place I use to work had that complete with metal detectors and searches. I think some forget the keycard places also have cameras by the door. Plus God forbid if one gets in the wrong door even with a working card because now the whole building knows who screwed up.

  4. “Something that you have” is nice. Something that you know and/or something that you are could be added, but for some reason has not been standardized in regular building access systems.

    I also just have a key that goes into a lock on my front door. I too can loose that key and it can be copied, it is perhaps a bit harder to sniff, but may be replicated from a picture perhaps :)

  5. Those are less about building security and more about keeping tabs on employees. Hence the “no tailgating” policy so strict that it requires slamming the door on the company’s president.

  6. RFID tags are more for convenience than security. If security is needed, entering a PIN on a keypad in addition to the RFID card usually adds enough security to fit the bill.

    Most implementations offer just as much security as a key lock. If you watch the Lock Picking Lawyer, you will know that any electronic lock has a standard key as a backup, and this is usually the weakest point in the security of a lock.

  7. My favorite way to copy a card that has full building access is to pour a can of cream of mushroom soup on the front walkway, then simply call the front desk of the largest firm leasing space there. “Hello? Yes, some drug addict has just thrown up all across your entry steps.” Then simply wait a few minutes for the building ‘engineer’ to show up with signage and cleaning apparatus. A cute accomplice can strike up a conversation with said engineer while one walks beside them and surreptitiously copies their all access fob.

Leave a Reply to jpaCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.