Lots of hotels, offices, and apartment buildings are now using NFC-based access control systems. As a result, plenty of people ask about the practicality of cloning their access card to produce a spare or emulating their card via an NFC-capable smartphone. In this article we’ll look into why, while theoretically possible, doing so is often not practical.
Types of access control systems
In order to discuss how NFC access control systems can be defeated, we must start by looking at how they work in the first place. All access control systems must perform two operations: authentication of the tag and determining whether it has sufficient credentials to open a specific lock (these two operations are sometimes combined). There are several approaches to this, each with its own technical trade-offs and repercussions on the practicality of cloning the tag.
Plain data
This is a really poor approach that doesn’t offer any real security, but there are probably some hotels out there using it. With a plain data access control system, there is no authentication step, the data on the tag merely provides the credentials used to determine if it should work for a specific lock.
Pure tag code
NFC tags have an unchangeable serial number (also known as a UID or tag code) baked into the chip at the factory. For most tag technologies, each manufacturer is assigned a block of tag codes to use for their tags, which the manufacturers generally then assign in a globally unique fashion. In order to use this serial for authentication, the locks can be programmed with a whitelist of tag codes that they should trust. If the locks are provided with individualized whitelists, the tag code also functions as the access credentials. Alternatively, a system-global whitelist that contains all the tags in the access control system may be used, in which case the tag carries its credential information in its read/write memory.
Cryptographically signed/encrypted data
The tag code-only system is the simplest from an NFC operations perspective, but, in addition to some security issues that we will explore later, managing updates to the lock whitelists is often a significant practical stumbling block. Therefore, a more flexible approach is often used where the tag’s memory contains either an encrypted data block or a plaintext data block with a cryptographic signature. Public-key cryptography is ideal for this application, but a symmetric key generated secretly using a combination of system-wide global secrets and the tag’s tag code can also be used. Such a system can be very attractive as it enables you to introduce new tags into the system to replace broken ones without having to update any locks.
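The following is an added example, not code from the article or from any particular lock vendor, showing the symmetric-key variant described above: a per-tag key is derived from a system-wide master secret and the tag's UID, the credential block on the tag carries a MAC under that key, and the lock recomputes everything from the UID it reads. HMAC-SHA256 as both the key derivation function and the MAC, the JSON credential format, the master secret and the UIDs are all assumptions constructed for the example. It demonstrates the property the text claims: a credential block copied from one card to another fails verification, and a block whose credentials have been edited fails too.

```python
import hashlib
import hmac
import json

# Constructed placeholder. A real deployment keeps the master secret in the
# locks / access-control backend; it is never stored on the tag.
MASTER_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

MAC_LEN = 16


def diversify_key(master_secret: bytes, uid: bytes) -> bytes:
    """Derive a per-tag key from the master secret and the tag's UID.
    HMAC-SHA256 is used as a generic KDF here (an illustrative choice, not a
    vendor-specified diversification scheme)."""
    return hmac.new(master_secret, b"tag-key-v1" + uid, hashlib.sha256).digest()


def sign_credentials(master_secret: bytes, uid: bytes, credentials: dict) -> bytes:
    """Enrolment side: build the block written to the tag's memory,
    plaintext credentials followed by a MAC bound to this tag's UID."""
    payload = json.dumps(credentials, sort_keys=True, separators=(",", ":")).encode()
    tag_key = diversify_key(master_secret, uid)
    mac = hmac.new(tag_key, uid + payload, hashlib.sha256).digest()[:MAC_LEN]
    return payload + mac


def verify_credentials(master_secret: bytes, uid: bytes, block: bytes):
    """Lock side: recompute the tag key from the UID the reader saw and check
    the MAC. Returns the credentials dict, or None if the block is not valid
    for this UID."""
    if len(block) <= MAC_LEN:
        return None
    payload, mac = block[:-MAC_LEN], block[-MAC_LEN:]
    tag_key = diversify_key(master_secret, uid)
    expected = hmac.new(tag_key, uid + payload, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def lock_permits(master_secret: bytes, lock_id: str, uid: bytes, block: bytes) -> bool:
    """Authentication (MAC check) followed by authorization (is this door listed?)."""
    creds = verify_credentials(master_secret, uid, block)
    return creds is not None and lock_id in creds.get("doors", [])


def demo() -> dict:
    uid_a = bytes.fromhex("04a1b2c3d4e5f6")  # constructed 7-byte UID of the issued card
    uid_b = bytes.fromhex("04112233445566")  # constructed UID of a different card
    block = sign_credentials(MASTER_SECRET, uid_a, {"doors": ["lobby", "room-101"]})
    # Same memory contents with one door name edited; the MAC no longer matches.
    tampered = block.replace(b"room-101", b"room-102")
    return {
        "genuine": lock_permits(MASTER_SECRET, "room-101", uid_a, block),
        "wrong_door": lock_permits(MASTER_SECRET, "room-102", uid_a, block),
        "copied_to_other_uid": lock_permits(MASTER_SECRET, "room-101", uid_b, block),
        "tampered": lock_permits(MASTER_SECRET, "room-102", uid_a, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

Note that this scheme only binds the data to a UID the lock reads; it does not itself prevent a device that reports someone else's UID along with a faithful copy of their block from being accepted, which is exactly the limitation the cloning section below describes.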
Authenticated tags
Certain advanced tags have access control capabilities built on a cryptographically secure three-pass mutual authentication using a symmetric key. This allows the lock to authenticate the tag without any secrets being exposed to attackers. The credentials can then be safely stored in the tag in whatever format is desired. Traditionally, chips that support this type of operation were very expensive, but with the low-cost MIFARE Ultralight C now readily available, this style of access control is much cheaper to implement, so systems using this approach should become more and more common.
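As an added example (not the article's code and not the actual MIFARE Ultralight C command set, which encrypts the random numbers with 3DES rather than using MACs), here is a simplified model of three-pass mutual authentication with a diversified symmetric key. HMAC-SHA256 stands in for the tag's cipher, and the master secret and UID are constructed placeholders. The point it shows is the one the paragraph makes: everything that crosses the air interface is a random number or a keyed proof, so an emulator that has copied the UID and even recorded a complete earlier exchange still fails, because the lock picks a fresh nonce each time.

```python
import hashlib
import hmac
import os

# Constructed placeholder; in a real system the master secret lives only in
# the locks / backend.
MASTER_SECRET = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed pseudo-random function standing in for the tag's block cipher
    (HMAC-SHA256 truncated to 16 bytes; an illustrative choice)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def diversify_key(master_secret: bytes, uid: bytes) -> bytes:
    """Per-tag key from the master secret and the UID (illustrative KDF)."""
    return hmac.new(master_secret, b"auth-key-v1" + uid, hashlib.sha256).digest()


class Tag:
    """A genuine tag: holds its diversified key and never transmits it."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key
        self._rnd_b = None

    def challenge(self) -> bytes:
        # Pass 1: tag answers the auth request with a fresh challenge RndB
        self._rnd_b = os.urandom(8)
        return self._rnd_b

    def respond(self, rnd_a: bytes, reader_proof: bytes):
        # Pass 2 (check): the reader must prove it knows the key over RndA||RndB
        rnd_b, self._rnd_b = self._rnd_b, None  # challenge is single use
        if rnd_b is None:
            return None
        expected = prf(self._key, b"reader" + rnd_a + rnd_b)
        if not hmac.compare_digest(reader_proof, expected):
            return None
        # Pass 3: tag proves it knows the key over RndB||RndA
        return prf(self._key, b"tag" + rnd_b + rnd_a)


class ReplayTag:
    """Emulator that copied the UID and recorded one earlier exchange, but
    does not have the key. It can only replay what it saw."""

    def __init__(self, uid: bytes, recorded_rnd_b: bytes, recorded_proof: bytes):
        self.uid = uid
        self._rnd_b = recorded_rnd_b
        self._proof = recorded_proof

    def challenge(self) -> bytes:
        return self._rnd_b

    def respond(self, rnd_a: bytes, reader_proof: bytes):
        return self._proof


class Lock:
    def __init__(self, master_secret: bytes):
        self._master = master_secret
        self.last_transcript = None  # what an eavesdropper on the air interface sees

    def authenticate(self, tag) -> bool:
        key = diversify_key(self._master, tag.uid)  # derived from the UID the tag reports
        rnd_b = tag.challenge()
        rnd_a = os.urandom(8)  # fresh reader nonce: defeats replay of an old exchange
        reader_proof = prf(key, b"reader" + rnd_a + rnd_b)
        tag_proof = tag.respond(rnd_a, reader_proof)
        self.last_transcript = (rnd_b, rnd_a, reader_proof, tag_proof)
        if tag_proof is None:
            return False
        return hmac.compare_digest(tag_proof, prf(key, b"tag" + rnd_b + rnd_a))


def demo() -> dict:
    uid = bytes.fromhex("04deadbeef0102")  # constructed 7-byte UID
    lock = Lock(MASTER_SECRET)
    genuine = Tag(uid, diversify_key(MASTER_SECRET, uid))
    ok_genuine = lock.authenticate(genuine)
    rnd_b, _, _, tag_proof = lock.last_transcript  # attacker records this exchange
    wrong_key = Tag(uid, b"\x00" * 32)  # same UID, but a key not derived from the master
    replay = ReplayTag(uid, rnd_b, tag_proof)
    return {
        "genuine_tag": ok_genuine,
        "wrong_key_tag": lock.authenticate(wrong_key),
        "replayed_transcript": lock.authenticate(replay),
    }


if __name__ == "__main__":
    print(demo())
```

The security of the model rests entirely on the tag-side key being unknown, which is why the quality of the key diversification (and not using the factory default key) dominates the discussion of authenticated tags later in this post.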
Cloning tags
Now that we’ve covered the broad categories of access control systems, let’s look at how they can be attacked.
Plain data
This is trivial to defeat. Assuming one has a tag of the appropriate type, all that is required is a utility that can copy tag contents from one tag to another. If you live in an apartment or condominium that uses an access control system of this style, it would be wise to complain to your board given how simple defeating it is.
Pure tag code
The most obvious attack on tag-code based systems is acquiring or emulating a tag that can be configured to provide a trusted tag code. Luckily for users of such systems, this is easier said than done. Setting up the necessary infrastructure to produce changeable tag code cards is an expensive endeavour, and the resulting tags will only be useful for attacking relatively insecure systems. That said, such tags are available, but for many types of tags, you’ll have to roll the dice with random sellers on Alibaba in order to acquire them. More usefully, some devices such as the Proxmark3 and ChameleonMini can be configured to emulate a tag with a user-specified UID. Theoretically, Android devices, depending on their NFC controller, may also be able to emulate such a tag, but the Android SDK only supports a limited form of tag emulation which does not include this capability. If a tag-code-based system is of the style that uses plain data for credentials, it is also possible to steal someone else’s credentials by copying their card onto yours or, if the format can be reverse engineered, alter your card’s data to grant yourself whatever access credentials you desire.
Cryptographically signed/encrypted data
Fundamentally, tags in this system can be cloned the same way as in a tag-code only system. With a device such as a Proxmark3, one can emulate both the tag code and the data on the tag, rendering it impossible for the lock to determine the difference. However, assuming a tag-unique key generation scheme is used, this does make it so that one cannot copy a valid dataset from one card to another. Additionally, without cracking the signing/encryption keys it is only possible to clone an existing tag using this system; it won’t be possible to alter a tag’s credentials.
Authenticated tags
The security of authenticated tags depends largely on the quality of the key diversification algorithm as well as the type of tag in use. Clearly, if the system uses the factory default key or some other readily guessable configuration, the security of the system can be defeated quite easily. However, if the system has been implemented using a strong key diversification algorithm, you are stuck either attacking the card directly or attacking the cryptographic algorithm*. Most current NFC cards use either Rijndael-128 (aka AES) or TripleDES for encryption, both of which are considered impractical to crack with current computers. It should be noted that some older access control systems may still use the MIFARE Classic card with Crypto-1 encryption instead of AES/TripleDES, which can be successfully attacked, although doing so is outside of the scope of this post. So, if a modern algorithm is in use and you don’t have access to supercomputers, you’re stuck trying to directly attack the card itself. Certain cards do have demonstrated flaws that may be attackable, but for the current versions of the popular secure cards, no effective attacks have been published. Therefore, as long as a modern card and a decent key diversification algorithm are in use, cloning these types of access control tags is not realistically possible.
* You could also attack the lock, but that is quite invasive and would most likely be fairly obvious to the building’s security.
Summary
The practicality of cloning an access control tag depends on how the access control system’s tag verification and credential management operates. If the system is very poorly designed, it is simple to clone a tag with just an Android phone or other NFC device to copy the data from one tag to another. With better systems, a changeable UID tag or a specialized reader such as a Proxmark3 will have to be acquired. If instead a modern smartcard with true cryptographic authentication is used, cloning cards is not possible unless the system was very poorly implemented.
Oct 16, 2016