Locker RFID

This post is about a device that uses different types of RFID tags for opening and closing a personal locker.

Attack scenarios

  • Bruteforce RFID UID

  • Card cloning

  • Card read and simulation

  • Card write sector 0 (DoS)

Real-life scenarios

Card skimming by placing a reader next to or on top of the existing reader, in order to carry out a card cloning or card simulation attack.

A brute-force attack by trying multiple UIDs on a specific locker. This is not ideal, because you have to press a button each time before you can try to unlock it, so it is not very realistic.

A DoS attack by rewriting sector 0 of users' RFID cards. Only possible with writable cards.

Steps

Steps for a card cloning/simulation attack.

  1. Use card 1 to lock the locker.

  2. Scan card 1 with an RFID reader to get the UID.

  3. Write the UID of card 1 to card 2.

  4. Use card 2 to open the locker, or simulate the UID of card 1 with the Proxmark3 to open the locker.

Proxmark Easy steps

Steps for a card cloning/simulation attack using a Proxmark.

  1. Use card 1 to lock the locker.

  2. Scan card 1 with the Proxmark using the command hf search to get the UID and the type of card.

  3. Check the default keys of the Mifare Classic card using the command hf mf chk *1 ? (Go to step 9 to simulate the UID instead).

  4. Dump the keys of each sector to dumpkeys.bin using the command hf mf nested 1 0 A ffffffffffff d

  5. Create a dump file with the command hf mf dump

  6. Take card 2 and change its UID with the command hf mf csetuid 795f17ad

  7. Use card 2 to open the locker.

  8. Simulate card 1 using the command hf 14a sim t 1 u 795f17ad

  9. Use the Proxmark to open the locker.
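As an added illustration (not part of the original post or its tooling), the following Python models why the steps above work: the locker binds itself to the UID of the first card and opens for any tag presenting the same UID. Next to it is an assumed hardened design (a constructed master key, a per-card key derived from it and the UID, and a nonce the card must answer) in which a tag carrying only the copied UID is refused.

```python
import hashlib, hmac, os

CARD1_UID = bytes.fromhex("795f17ad")   # UID from the post's csetuid command

class Card:
    """A tag with a UID and, optionally, a key that never leaves the card."""
    def __init__(self, uid, key=None):
        self.uid, self._key = uid, key

    def answer(self, nonce):
        if self._key is None:           # a UID-only clone has no key to answer with
            return None
        return hmac.new(self._key, nonce + self.uid, hashlib.sha256).digest()

class Locker:
    """master_key=None models the locker in the post, which trusts the UID alone.
    With a master key (assumed hardened design, not the post's) a per-card key is
    derived from master key and UID and the card must answer a fresh nonce first."""
    def __init__(self, master_key=None):
        self.master_key, self.owner_uid = master_key, None

    def card_key(self, uid):
        return hmac.new(self.master_key, uid, hashlib.sha256).digest()

    def present(self, card):
        if self.master_key is not None:
            nonce = os.urandom(16)
            expected = Card(card.uid, self.card_key(card.uid)).answer(nonce)
            answer = card.answer(nonce)
            if answer is None or not hmac.compare_digest(answer, expected):
                return "denied"
        if self.owner_uid is None:
            self.owner_uid = card.uid       # first card presented locks the locker
            return "locked"
        if card.uid == self.owner_uid:
            self.owner_uid = None           # matching UID opens it again
            return "opened"
        return "denied"

def run_uid_only():
    """Card 1 locks; a clone carrying only card 1's UID opens it (the post's attack)."""
    locker = Locker()
    return [locker.present(Card(CARD1_UID, b"secret")), locker.present(Card(CARD1_UID))]

def run_challenge():
    locker = Locker(b"constructed-master-key")
    card1 = Card(CARD1_UID, locker.card_key(CARD1_UID))   # provisioned card
    clone = Card(CARD1_UID)                               # UID copied with hf mf csetuid
    return [locker.present(card1), locker.present(clone), locker.present(card1)]
```

Note that with MIFARE Classic the per-card key itself can still be read out once the sector keys are recovered (steps 3 to 5), so the challenge-response model only holds for a card that performs the computation on-chip.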

DEMO

Tools used

  • Proxmark: handy for reading/writing data and for simulating RFID tags

  • RFID card 1: M1 S50, 13.56 MHz

  • RFID card 2: UID-changeable card, 13.56 MHz (clone card)
