So my company moved to a new building which uses HID RFID cards for access control. These cards are typically white with some sort of numeric code printed on one side of them. I have not included an image of my card for reasons that will become obvious later.
Setting up my Proxmark3 RDV4 reader
Some time ago I joined the Kickstarter for an updated version of the Proxmark3 RFID reader/writer and immediately broke it during the initial flash update. After I was able to unbreak the reader (hint: kill network-manager and modem-manager before trying to flash the new image), this seemed like a good time to test those pesky access cards. Also a huge Thank you! to the Proxmark support team for helping me.
So, what’s stored on a HID RFID card?
Now, with a working reader, let's start by gathering data from my RFID card. To do this, I lay my RFID card on the reader and initially search for low-frequency cards.
Please note that I have replaced the Facility Code (XXX), Card Number (YYYY) and Tag ID (ZZZZZZZZZZ) in the output: with that information you would be able to enter our office.. not that it seems hard to brute force anyway. The Tag ID can also be calculated from the Facility Code and Card Number. This makes it doubly stupid that the card number is printed on the back of the card (and thus can easily be photographed or noted down).
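To show why the printed number is enough to reconstruct the Tag ID, here is the standard 26-bit HID H10301 layout worked through in code. This is an added example, not code from the original post; it assumes the card uses the common 26-bit format (the post does not say which format the card is), and the sample facility code and card number are constructed values, not the ones from my card.

```python
# Added example (not from the original post): the 26-bit HID H10301 Wiegand layout.
# Layout, most significant bit first:
#   [even parity][8-bit facility code][16-bit card number][odd parity]
# The even-parity bit covers the 12 data bits after it; the odd-parity bit
# covers the 12 data bits before it. Only 24 bits carry data, and both of
# those fields are printed on the card, so the tag value has no secret part.
# Assumption: the card in the post uses this format (the post does not say).


def encode_h10301(facility_code: int, card_number: int) -> int:
    """Return the 26-bit value for a facility code and card number."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = (facility_code << 16) | card_number      # 24 data bits
    left = data >> 12                                # first 12 data bits
    right = data & 0xFFF                             # last 12 data bits
    even_parity = bin(left).count("1") & 1           # set only if left has an odd count
    odd_parity = 1 - (bin(right).count("1") & 1)     # set only if right has an even count
    return (even_parity << 25) | (data << 1) | odd_parity


def decode_h10301(value: int) -> tuple[int, int]:
    """Recover (facility_code, card_number) from a 26-bit value, checking both parity bits."""
    if value >> 26:
        raise ValueError("value is longer than 26 bits")
    data = (value >> 1) & 0xFFFFFF
    facility_code, card_number = data >> 16, data & 0xFFFF
    # Re-encoding is the simplest way to verify both parity bits at once.
    if encode_h10301(facility_code, card_number) != value:
        raise ValueError("parity check failed: not a valid H10301 value")
    return facility_code, card_number


if __name__ == "__main__":
    # Constructed sample values, not the card from the post.
    fc, cn = 42, 12345
    code = encode_h10301(fc, cn)
    print(f"FC={fc} CN={cn} -> 26-bit value {code:#x} ({code:026b})")
    print(decode_h10301(code))
```

The Proxmark's displayed Tag ID wraps this 26-bit value in its own format and preamble bits, which this example does not model.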
Try to emulate the card and open the door
Now that we have the Card ID, we can use the Proxmark to simulate our card.
And with that, our office and building doors open. Fun times and amazing security!
Author Andreas Happe
License CC BY-NC-ND 4.0