We have known that the cheaper RFID technologies were pretty insecure for a number of years. Researchers have demonstrated cloners of all varieties, but simple RFID tags are still being used for access control. Even my current employer uses them.
A while ago, I was looking at Hack A Day, and I saw an amazing project that somebody had made. It was an RFID card with a keypad on it. For the next couple of days, I couldn't get the image of the card out of my mind; the project reminded me of how much I wanted to build a RFID spoofer myself. The original author didn't release source code for their project, but they left enough clues that I could follow.
So, in typical fashion, I built my own reader hardware so I could have a look at the data from a card, and created my own version of the Universal RFID key.
The key I made works beautifully both on my garage door, as well as a number of other RFID readers I have tried!
I have decided to publish this, as more people should be aware of the design flaws that are inherent in older RFID implementations, and to allow others to make their own universal key.
Will this key let you into anybodies RFID protected office? Yes it will, assuming a couple of things are true
1) The have to be using 125kHz RFID tags that use the same encoding standard as I have designed this project for, and,
2) You have to have access to the number printed on the back of the tag - with that number, you can simply key it into the Universal RFID key, and it will emulate that tag.
So there you go - I hope you enjoy making this project. - And remember, with great power comes great responsibility!
Step 1: How does RFID work?
125 kHz RFID tags are commonly encased in a business card sized piece of plastic, or a round disk. The tag consists of a coil of wire, connected to a microchip. When the tag is brought into close proximity to a reader, energy is coupled inductively from the reader to the microchip within the tag.
The energy from the reader has dual use; firstly, it provides power to run the card, and secondly, it provides a communication medium for data to be transmitted. Once powered up, the tag modulates the bit pattern that is programmed into the tag using a signal that the reader can detect. The reader then reads this bit pattern, and passes it onto the door controller. If the bit pattern matches one that is authorised, the door will be unlocked. If the bit pattern does not match an authorised one, then the door won't unlock.
In the RFID system I was playing with, the bit pattern looked like this;
I will describe what this pattern actually means in the next page.
One interesting feature of the data transfer between the card and the reader, is that data is encoded using Manchester Encoding, which is a way of encoding data so that it can be transmitted over a single wire ensuring that the clock information is able to be recovered easily. With Manchester encoding, there is always a transition in the middle of a bit. If you want to transmit a 1, the transition would be from low to high, and if you want to transmit a 0, the transition would from from high to low. Because the transitions are in the middle of each bit, you can ensure that you have locked onto valid data. For a detailed description, have a look a this page.
The actual data is transmitted by the card effectively shorting the coil out - this applies an additional load to the transmitter in the reader, which can be detected.