When teaching how to attack access control systems such as proximity card readers, it’s much easier to have a setup that lets me demonstrate the attacks and also gives students the ability to practice them in the classroom.
Access control systems vary from location to location, and getting approval from the facility’s owner to attack the access control system for training purposes can be much more of a headache than it’s worth. So, to sidestep those issues and to have a consistent training platform, I built a portable RFID access control system.
The hardware used is a single-door access control system mounted on a board that’s big enough to hold all of the components. The single-door system was chosen for simplicity, as I do not have to worry about external controllers or additional programming steps. The self-contained unit also keeps the size down, making it more portable. There are several versions of these available on Amazon.
For the wiring, I used a smaller gauge of speaker wire. The voltage requirements of the system are low enough that this wire is sufficient, and I also had quite a bit of it on hand. If you’re in a pinch, individual strands from inside a CAT6 cable work as well.
For cable management, I used a staple gun, some yellow Gaffers tape, and a few plastic nail-in cable clips.
The electric door strike required a few pieces of wood in order to mount it properly, since it’s designed to be recessed into a door frame. I also needed to create some space behind the reader and door exit button for the wires.
I’ll be the first to admit that my craftsmanship on this initial build isn’t the greatest. In my defense, this was put together quickly to make sure it was worthwhile. Since I believe that it is worthwhile, I am going to take the time to clean up this build and give it much more of a professional look. 🙂
I have been asked several times about what type of attacks I am able to perform against this setup. Because there are several resources available on the internet that explain these attacks and tools in great depth, I’m only going to mention each type of attack and a few resources to get you started in the right direction.
For the purposes of this project, all of these attacks are against a low-frequency access control system that uses the Wiegand protocol between the reader and the controller, which is the most widespread protocol for proximity card readers.
Badge Cloning / Replaying Credentials
Capturing credentials off of a proximity card is pretty straightforward.
Get close enough to the card with a tool that reads HID cards such as the Proxmark3! There are several options available. Many of the smaller, handheld devices only have a range of a couple of inches at most. The larger HID readers have been known to read badges from almost 2 feet away.
For the larger readers, here is a review I wrote for the BosCloner, long-range HID badge cloning device:
These tools also allow you to replay the credentials that have been captured by having your Proxmark broadcast them. Once you’re close enough to the building’s badge reader for it to pick up your Proxmark’s broadcast signal, the reader will think that it has just read that user’s access card and let you in.
Here is a video of Tim replaying credentials that were captured from his Proxmark, which is hidden inside of a clipboard.
You can also write these captured credentials to a blank access badge, at which point you have essentially cloned the user’s badge. The Proxmark3 and BosCloner will do this easily. There are several other cheaper options available as well.
Card Reader Implant
Tools such as the BLEKey are physical devices that are implanted between the card reader and controller. The BLEKey in particular can then be accessed and controlled via Bluetooth to review and replay credentials that have been captured from the moment it was implanted.
Once you have certain information from a card, you can then brute-force the reader for other valid credentials. This can be done with tools such as the Proxmark3 Easy with the correct firmware.
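The reason cloning, replay and brute-forcing all work against this kind of system is visible in the data itself: a Wiegand frame carries nothing but a facility code, a card number and two parity bits, so the controller has no way to tell a genuine badge from anything else that produces the same bits. The following is an added example, not code from the build described in this post or from any of the tools named above. It assumes the common 26-bit Wiegand layout (one even-parity bit, 8-bit facility code, 16-bit card number, one odd-parity bit), decodes and validates frames the way a controller would, and then runs a simple defender-side check over a constructed list of reader events: a burst of many distinct denied credentials at one door within a short window is the signature that brute-forcing leaves in the access logs.

```python
"""Wiegand 26-bit frame decoding plus a detector for credential-probing bursts.

Added example for this post; not code from the original build or the tools it
mentions. Assumes the standard 26-bit layout; all sample events are constructed.
"""
from collections import defaultdict


def encode_wiegand26(facility: int, card: int) -> str:
    """Build a 26-bit frame (as a string of '0'/'1') from facility code and card number."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility must fit in 8 bits, card number in 16 bits")
    payload = f"{facility:08b}{card:016b}"            # 24 data bits
    even = str(payload[:12].count("1") % 2)           # bit 0: even parity over bits 1-12
    odd = str((payload[12:].count("1") + 1) % 2)      # bit 25: odd parity over bits 13-24
    return even + payload + odd


def decode_wiegand26(frame: str) -> dict:
    """Decode a 26-bit frame; raise ValueError if the length or either parity is wrong."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("frame must be exactly 26 binary digits")
    bits = [int(b) for b in frame]
    if sum(bits[0:13]) % 2 != 0:
        raise ValueError("leading (even) parity check failed")
    if sum(bits[13:26]) % 2 != 1:
        raise ValueError("trailing (odd) parity check failed")
    # Note what is *not* here: no secret, no challenge, no signature.
    return {"facility": int(frame[1:9], 2), "card": int(frame[9:25], 2)}


def is_valid_frame(frame: str) -> bool:
    """True if the frame decodes cleanly, False on any malformation."""
    try:
        decode_wiegand26(frame)
        return True
    except ValueError:
        return False


def detect_probing(events, window_s: int = 60, threshold: int = 5):
    """Flag doors that see many distinct denied credentials in a short window.

    events: iterable of (timestamp_seconds, door_id, frame, access_granted).
    Returns a list of (door_id, window_start_ts, distinct_denied_count) alerts,
    at most one per door.
    """
    denied = defaultdict(list)  # door_id -> [(ts, credential_key), ...]
    for ts, door, frame, granted in events:
        if granted:
            continue
        try:
            cred = decode_wiegand26(frame)
            key = (cred["facility"], cred["card"])
        except ValueError:
            key = ("malformed", frame)  # garbage on the wire is itself worth counting
        denied[door].append((ts, key))

    alerts = []
    for door, items in denied.items():
        items.sort()
        for start, _ in items:
            in_window = {k for t, k in items if start <= t <= start + window_s}
            if len(in_window) >= threshold:
                alerts.append((door, start, len(in_window)))
                break
    return alerts


# Constructed sample: one legitimate read, then a run of sequential card numbers
# being tried at door-1, and a single unrelated denied read at door-2.
SAMPLE_EVENTS = [
    (1000, "door-1", encode_wiegand26(12, 4321), True),
    (1005, "door-1", encode_wiegand26(12, 4322), False),
    (1006, "door-1", encode_wiegand26(12, 4323), False),
    (1007, "door-1", encode_wiegand26(12, 4324), False),
    (1008, "door-1", encode_wiegand26(12, 4325), False),
    (1009, "door-1", encode_wiegand26(12, 4326), False),
    (1300, "door-2", encode_wiegand26(12, 9999), False),
]

if __name__ == "__main__":
    print(decode_wiegand26(encode_wiegand26(12, 4321)))
    print(detect_probing(SAMPLE_EVENTS))
```

The window and threshold are tunable placeholders; on a real controller you would set them from the normal denied-read rate at each door. The point of the decoder half is what it cannot do: once the parity bits check out there is nothing left to verify, which is exactly why a replayed or cloned frame is indistinguishable from the original badge.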
Here is one example: