This is a great video demonstrating the vulnerabilities in many of the low security card solutions that are currently deployed around the world, in both public and government facilities. We have kiosks here in the USA where you can actually duplicate low security cards at a convenience store in seconds or buy card duplicators online. There are lots of great access control solutions on the market today that support both high assurance or encrypted credentials that eliminate these types of vulnerability and the only thing that we can do is educate. Please keep up the good content.
Could you give examples? Secured system at a normal price? Thank you
Wow I have never seen a kiosk that copies RFID cards before that is pretty cool
Only just discovered your channel. You are doing a great job! Thanks!
I don't wish to sound critical, just helpful: in North America (Canada) we call the lock you used a solenoid lock because the magnet does not directly hold the door. Otherwise your content is excellent so thank you for taking the time to produce a very well made video with great content. I'm going to look for the PM3 / Chameleon info. Take care.
Aah, I think you are correct in the UK as well. A maglock is a different kind of lock. Thanks for pointing this out!
Man I wish I could afford all these test rfid systems and cloners, appreciate your vids bro!
I'm learning so much
Hi Could you please put a video showing how to update the chameleon mini thanks
Thank you so much, you will hear more from my local bank :)
Just kidding, thank you for the video
what if you lost the card? is there any way to copy the key sensor & place it onto a new card?
could you explain a bit more on how to change values, for example you said you could change the balance on a vending machine card
Great video!
Thank you for the info Quentyn, we have a system where we think it is a HF 1K reader. We have some cards available to us but we would like to sniff out some other numbers as we think it is simply using the UID numbers. When you sniff out the reader is it giving you some current read cards or the initial cards stored on the database, and if so how many UIDs would it give you? It sounds like the Proxmark 3 from 401 would be our best tool, would you say? Does the Proxmark 3 come with any form of instructions? Thanks again for your assistance.
Do you have to have a writeable key or can you emulate the same technology from your phone using NFC?
if your phone supports it then yes
Great stuff. Many thanks
Would you happen to know if Paxton net 2 cards are similar to this?
Hello, may I ask what kind of chip is often used in residency permit card?
is there an app that can do the same thing as the Chameleon? my phone has NFC, WiFi and Bluetooth
no, there are useful tools like NFC pro but there aren't ones that allow you to emulate another card in the same way
@@QuentynTaylor ahh what a shame, Chameleon it is then! Thanks for the reply
hey, is anyone familiar with act enterprise management? I'm having an issue with some guy using a fob that he has probably hacked, when it accesses a barrier the space where the card details come up is blank and I'm unable to click into it or get any information on it from the live system
Is there a way to clone a card and open a door without it registering in the system?? We are having issues at work, where people are getting in (witnessed), but when we go into the system, there is no marker!....??
it really depends on the system and how it's set up
Hi Quentyn, love your content. Can the Proxgrind Chameleon tiny emulate mifare DESFire cards? I see it has hardware capability but no current option in the app
indeed it's not in the app, if you want to play with this you will need to use the terminal which is in the desktop app or you can use telnet on your favorite platform. Note that the support is experimental at the moment (I haven't played with it in a while)
Hello, I have a question. I have a desfire EV2 with a 7 byte UID. I tried the command that you do at 7:43 (hf mf csetuid), but then it says it wants 8 HEX symbols (my card has 14 HEX symbols). I can't figure out what to do to fix this, can you help me please?
hi the cmds are specific to a mifare classic not desfire
May I ask if the chip which is not original 4K but compatible with 4K MIFARE card can be read and edited?
you can edit the data on the card if you need, I show how on the yale conexis video
@@QuentynTaylor thank you. We are supplying this kind of card which is not original, worry about if our chip cannot match our client system
Correct me if I’m wrong, but in order to expose this vulnerability you need to have access to a card that is registered into the system. Is there any way to get around needing to obtain a registered card?
yes in these systems you only need to spoof the card ID. You can either get a starting point from 1 card (that you know is in the valid range) or you can I suppose just brute force a load of IDs
@@QuentynTaylor thank you for the quick response and the answer. I appreciate it.
What program/ client do you have on your computer in order to display/ modify code and decrypt?
using the proxmark with the iceman software build
Hi Quentyn, very informative videos, thank you. We are asked to copy cards in the past and try and make replacement cards for customers with lost cards and systems that are just full. We used to have a knowledgeable chap who would help on occasion but sadly he has retired. Sifting through all the videos we are getting a feel of things. Firstly we would need re-writable cards (mainly Mifare 1K H.F), would we be able to copy existing cards and write to a new card with a Chameleon Tiny? Can you explain how sniffing works, what card does it sniff from a reader, is it the last card used or initial master/programming cards and can we do this with a Chameleon Tiny? In my past life I used to fly model helicopters for films etc plus Drone work before drones were about, very bulky in those days. Thanking you in advance for any info.
Hi Vago, if you just want to copy cards then the icopyx may be a better option though for ease you will need to use their branded cards. The chameleon will need something to do the actual cracking / data dumping such as a proxmark etc
@@QuentynTaylor Thanks for your reply. Can you explain what is actually retrieved from sniffing, is it the last card that was used or is it the original master card ID numbers, and what is the best piece of equipment to use for this?
@@vagonordigian8445 well in the case of the video above it's just the UID of the card that's accessed. Sniffing would be the act of capturing the traffic between the card and reader which you would do if you have a valid UID and want to sniff the initial key the reader will send
Is it better than mifare ultralight?
Hey bro do you know if the chameleon or Proxmark3 will clone Keri?
I don't think so as Keri are 125 kHz - you would need something like an icopyX
by the way the proxmark will clone a Keri but not the chameleon as the chameleon is only HF
Cool was reading the same thing earlier on Proxmark that has both HF and LF antennas and can handle the encryption so I’ll order 1 off Alibaba tonight, thanks again for the help.👍
Hi! Great video!
Would a MIFARE classic card be copied if the card number for the access control system is encrypted in the memory of the card (not CSN/UID but using the internal memory)? I read MIFARE could be cracked and then the keys revealed, then it would be easy to program any card with the same or with any card number and the access control readers at doors could read these fake cards.
well, the ID number of the card is one thing and that can always be read. In the video above I am just showing how to simulate the ID number. However in other videos I show how to copy the data on an encrypted card and then you can write to any compatible card
Do u have vids on HID iClass readers?
I don't, as due to lockdown I don't have access to one - as soon as lockdown finishes I will try to find one to have a play
Would I be able to add my 8 contactless credit cards on there?
not really, it depends on the technology that the card uses. Many / most are desfire ev2's or similar and they can't (for good reason) be copied so easily
will any of these work with paxton fobs?
sorry I don't have any paxton fobs to try with
Do you ship to the United States of America ?? Please say yes
err I don't actually sell anything - so I don't ship anywhere
So are there ways to overcome this?
yes, don't use mifare classic, use desfire or similar - and don't use mifare classic that auths only on the ID of the card
this is not "bypassing" anything. It's copying an existing fob. That's like saying I'm bypassing my door lock if I get a new key cut at the store and use that. It's not. Bypassing it would be entering without having access to the original key, and make it accept a custom key of your own, or even better, if you can open the door bypassing the whole reader entirely
Hello
electronic systems are always more vulnerable than physical locks.
But at the end, you still need a card to clone from.. otherwise all this hacking setup is lame...
I have a project related you
do go on i am interested
Not at all what I was looking for
Bro, your music is way too loud. Some of us have big speakers with sleeping people and have to turn it up quite a bit to hear your voice. Great content otherwise.
apologies for that - I will try to balance the music and the vocals to be similar volume
@@QuentynTaylor Thanks :)
Try some headphones