Clone your building key fob

  • Sun, Oct 20, 2024
  • 3-minute read

Here in Spain, it’s rising the trend of buildings allowing people to enter with key fobs instead of with a traditional key.

To access your building, you just let the reader you find next to the entrance scan your key fob and you’re in. To be honest, I see it as more practical than carrying a key. Even more practical would be if that key fob could be fitted behind my phone case. If I wanted to enter my building, I would only need to take my phone, move it closer to the reader and I’m in. That’s what we will be talking about today.

Most of the companies that offer this access control equipment use a technology called MIFARE Classic. The most common one can store up to 1KB of data, but most of the companies using it only use the 4 bytes the chip starts with to identify who is trying to access, they even leave intact the default encryption keys inside these chips.

This technology is now so old that it has several vulnerabilities disclosed that allow us to clone the chip contents if the default keys are still present inside the chip. Taking advantage of that and having a tool to modify these chips such as a Proxmark3 allows us to copy the contents to other key fobs of our liking. The one I have is in the form of a sticker that can be fitted almost anywhere. If you want to look for one like this, just search on Google “mifare classic 1k magic card”.

I bought some time ago a Proxmark3 clone on AliExpress that works like the original one. Having that and connecting the device to your computer, you can dump the content of the chip and write it onto another one of those “magic cards”.

If anyone is willing to reproduce this, the RfidResearchGroup/proxmark repository has tutorials for flashing the firmware to one of those AliExpress clones and installing a CLI executable for interacting with that device. I will leave some of the commands needed for this.

  1. “proxmark3 /dev/<deviceid>” starts communication with the device so we can send commands to it.

  2. “hf seach” looks for NFC cards in contact with Proxmark3, the device. It will show information about the provided card.

  3. “hf mf autopwn” is used for MIFARE cards to try and dump the contents of them with various techniques. If successful, it will create a file ending in “.bin”.

  4. “hf mf cload -f <dump file from previous step>.bin” will write the contents of the file resulting from the previous step into a provided “magic card” about which we talked a few paragraphs before.

And that’s how it’s done! After this whole procedure, you can use your new card as the cloned one without any difference in behaviour.