When I was building an RFID door lock for my mum when she developed Alzheimer's, the hardest bit was getting a good range. I ended up getting a huge (and resin potted!) reader unit and using it with the long range cards. (The keyfob circuit but with a wider coil in a plastic card.) I got a decent range from it. It also greatly improved the range of the common keyfobs too. There does seem to be quite a precise science to reading the keyfobs accurately. I did a lot of experimentation with adding wider coils too.
That could work, but you might have more luck by agitating the RF signal. You can do that just by shaking the tag a little. I deal with UHF systems and even on these high powered systems I have to move the tag around or the reader in a paint brush pattern.
I got one of those readers... got about 45 reads off random people in just one day! In my own building I can now get to 14 additional floors. Honestly, RFID on elevator control might provide some security, but the stairwell doors have no security. This is an important lesson here: security is usually only theatre; a show.
Could you explain how you would do such a thing? I'm looking into copying RFID tags as well, and progress is slow. How did you learn how to set up a reader, and where did you get your necessary supplies off the internet? Any advice is helpful. Thank you very much!
As LPL has proven so many times, that "lock" can be defeated with just a strong magnet - provided that it contains a relay to operate external circuits.
When my mother started to develop dementia, I added such a key fob to her wrist band and built such a reader using an ESP8266 to command the electronic lock "Keymatic" to open the doors. So, she could continue to live in her home instead of a nursing home. That was really very helpful.
I did that too. A GPS tracker was also added to find her when she went on one of her long walks. It made life a lot easier for us all and took away a lot of the worry.
@greatscottlab A good place to start with this research would be to look into a penetration testing tool called the Proxmark, and also one called an ESPkey. These combined with a long range reader (for reading at a distance of a couple of feet / 30-60 cm) can be very powerful. Also check out some of the penetration testing videos on UA-cam such as Deviant Ollam's channel, or his many talks. Good luck!
You can absolutely grab tags easily with off-the-shelf long range readers; adding a microcontroller with BT/Wi-Fi in line with the reader's Wiegand or RS-485 data lines is also a good way to read/replay a code back to the controller.
Only mentioning the show because it uses real tech as part of the scenes, but Mr. Robot had a good scene showing this being done with an off-the-shelf reader placed into a bag. Maybe not as long range as you're referring to, but a good example of how it can be done and mirrors talks I've seen at hacking conferences. You can purchase a device like a Chameleon off AliExpress to do cloning and other attacks as well, with replaceable antennas, and it is nice and compact.
There are no off-the-shelf long-range readers for 125 kHz; the best have about 1 m range (in best conditions). On the other hand, copying an EM41xx tag is really easy and can be done without any encoding. You can even use very simple circuitry and a phone, because the data frequency is within audio range. Simple AM demodulation into the mic input, record it as WAV and play it back - boom.
I feel like the easiest way to "pick" that lock is to just pull the reader off the wall and short the appropriate pins to trigger the latch. That's why these systems usually use a separate controller - so there's nothing you can do to the external components to trigger the latch.
Came here to make the same comment. Don't get a product that has the relay inside the same housing as the reader. Also don't use 125 kHz technology, get MIFARE DESFire. Much more secure.
I once worked at a place where access to the parking lot was controlled with a large RFID reader. I would stick my arm out the window with my card in hand and slow down to just the right speed for the card to be read and the gate to go up just barely in time. The terrified looks I got from some security guards were priceless. 😂
Off topic, but this reminded me of the deckhand on a Sydney ferry: as the ferry was reversing from the wharf, the deckhand would just casually flick the rope loop off the bollard.
Security is more a game of deterrence than anything else, and so you weigh everything from the value to bad actors to the (in)convenience for the valid users and find a solution that is sufficient for the scenario. I think the biggest takeaway should be “just because it has a computer in it doesn’t mean it’s automatically more secure than other options”, and that is something we would all do well to remember.
About 15 years ago, I was the developer of a production tracking system. At one point we started implementing controls on what leaves the production floor to be loaded into trucks. So we added an RFID tracking system. The system began printing RFID labels (yes, just like any other thin sticker) on our Zebra printers. If you think that product from Amazon is a lot, the reader we had installed on top of the exit door was over 3 meters high and could read the labels of all boxes in a pallet before they got directly under it. And they were passive and not active tags, as the cost of those would make the solution unviable. So you have an idea of what's possible. Now, if you want to maximize the range of your reader, I'd look at content on metal detector designs. Seeing how simplistic your design was compared to the ones I saw for metal detectors, I know there is a lot of room to increase that range with some freely available designs. I am working towards building a metal detector and it is way more complicated than I was hoping for when I had this terrible idea. So it's going to take a while 😂. But I think you'd probably be able to adapt them in no time.
Mount the reader on the inside of the door for more security; the tag can be read through the door if it's thin enough and not metal lined. Plus nobody knows it's there 👍🏻
Long range RFID systems use UHF 433 MHz & 928 MHz transmitters along with sensitive receivers that can detect a fraction of change in the transmitted wave. If we increase the operating frequency of the RFID system then the power required for transmission is decreased and the sensitivity also improves. Another way is to modify the 125 kHz coil circuit with a high speed switching transistor and adjust the gain of the op-amp at the detector end to the optimal level with a pot... I think it works ✌️
9:45 You might want to consider using a Smith chart; it will make it a lot easier to calculate the impedance matching networks. I do the same thing, however in my work a capacitor is usually just a thicker PCB trace and an inductor a thinner PCB trace :)
@mrkv4k Smith charts will work at any frequency, his method works great too! And nothing is purely a simple LC tank, everything has parasitics. The parasitics in this case are fortunately (mostly) negligible. I just mentioned it because Smith charts are fun!
@linuxguy1199 It's not useful, because it's more complicated than having the simple 1/(L*w^2) formula in Excel (which is what I do). The way you'd calculate the capacitance on a Smith chart would be: 1. Calculate the inductor impedance. 2. Make a point on a Smith chart. 3. Make a straight line and measure the new point. 4. Take the new value and convert it back into capacitance. All this is pretty useless, because the impedance of an antenna coil for 125 kHz systems is usually somewhere in the 380i+30 range and you don't have to bother with the resistive part. Just compute what capacitance would have the -380i impedance (which is what you're doing with that formula). There is no advanced matching needed, because the frequency is low and the coil can be energized by one transistor fed by a square wave signal. Plus it's usually a series resonant circuit. Smith charts are very useful if you are computing antennas for 13.56 MHz systems, but that's a different story.
@mrkv4k You're missing the point, it would be cool if he made a video using them! :P Also, Smith charts can be and are very commonly used for multiple frequencies (by tracing an impedance curve from your start to stop frequency, then doing each operation on two points of the curve). For simple stuff like this they aren't practical; they become far more practical when doing higher frequency stuff where the impedance matching is far more critical (RF filters, FET RF amplifiers, crystal detectors, crystal filters, etc.).
You can get commercial long distance RFID readers and reverse engineer how they work... they are used in tolling and parking entrances to read RFID tags on cars as they drive in.
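A worked version of the 1/(L*w^2) tuning formula from the reply above, as an added Python example that is not code from the video or from the commenter. It takes the roughly 380i+30 ohm coil impedance quoted there, derives L and the series tuning capacitor, and then goes a step further than the comment: it rounds to the nearest stock (E12) capacitor value, shows how far that value detunes the coil, and reports the Q and bandwidth that the resistive part implies. The E12 table and the nearest-value rounding are my additions, not anything the commenter described.

```python
import math

# E12 preferred-number series, used to pick the nearest stock capacitor value.
E12 = [1.0, 1.2, 1.5, 1.8, 2.2, 2.7, 3.3, 3.9, 4.7, 5.6, 6.8, 8.2]


def inductance_from_reactance(x_l, f):
    """Coil inductance (H) from its inductive reactance X_L (ohm) at f (Hz)."""
    return x_l / (2 * math.pi * f)


def series_tuning_capacitor(l, f):
    """Capacitance (F) that resonates with inductance l (H) at f (Hz): C = 1/(L*w^2)."""
    w = 2 * math.pi * f
    return 1.0 / (l * w * w)


def resonant_frequency(l, c):
    """Resonant frequency (Hz) of an LC pair: f = 1 / (2*pi*sqrt(L*C))."""
    return 1.0 / (2 * math.pi * math.sqrt(l * c))


def nearest_e12(value):
    """Nearest E12 preferred value to `value`, searching the adjacent decades too
    so that e.g. 9.5 uF rounds up to 10 uF rather than down to 8.2 uF."""
    exp = math.floor(math.log10(value))
    candidates = [m * 10.0 ** e for e in (exp - 1, exp, exp + 1) for m in E12]
    return min(candidates, key=lambda c: abs(c - value))


def tune_coil(x_l, r, f=125_000.0):
    """Work out the series tuning capacitor for a coil with impedance R + jX_L at f.

    Returns the coil inductance, the ideal capacitance, the nearest E12 stock
    value, the frequency that stock value actually resonates at, the loaded
    Q (X_L / R) and the -3 dB bandwidth (f / Q).
    """
    l = inductance_from_reactance(x_l, f)
    c_ideal = series_tuning_capacitor(l, f)
    c_stock = nearest_e12(c_ideal)
    q = x_l / r
    return {
        "inductance_h": l,
        "c_ideal_f": c_ideal,
        "c_stock_f": c_stock,
        "f_with_stock_hz": resonant_frequency(l, c_stock),
        "q": q,
        "bandwidth_hz": f / q,
    }


if __name__ == "__main__":
    # The comment quotes a typical 125 kHz reader coil as roughly 30 + 380j ohm.
    result = tune_coil(x_l=380.0, r=30.0)
    for key, val in result.items():
        print(f"{key:>16}: {val:.4g}")
```

With the quoted 380i+30 coil this gives about 484 uH, an ideal 3.35 nF, a stock 3.3 nF that lands the resonance near 126 kHz (well inside the ~10 kHz bandwidth a Q of about 12.7 implies), which is why the simple formula is enough here and the resistive part can be ignored for tuning.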
Please continue! The Mythbusters were looking into this years ago and were discouraged from looking further. It would be very interesting to see what you could pull off!
The LPL hack with the magnet to the relay was more fun :) (I think a general good indication: if you connect the lock contacts to the outside device it's not safe.) BTW the "better" RFID systems go a long way to document that they should not be used as access control :) Only RFID chips with smart card function can do challenge/response and are (partially, think relay attacks) safe.
All the designers need to do is place a Hall effect sensor near the relay, so that if you bring a magnet near it, it will just sound the alarm; but then again a separate control unit makes much more sense.
They could just follow you in, which is what they do in my building works fine. I don't know all my neighbors and don't want to go to war with any of the more touchy ones.
Alternatively, bring a very strong magnet close to it: sometimes they will directly pull the bolt open, sometimes they will trip a solenoid that opens the bolt, sometimes they will crash the software, which then resets and defaults to open.
We used to make coils that were rectangular, about 1 meter x 1 meter in size, and were built to be hidden in concrete floors to read tags in prison buildings. Not used for opening doors but for tracking people, so nobody could escape, because RFID is indeed a bad idea for locking doors. We could read tags up to about 3 meters. The electronics for this were made in house as well. It had a sizeable amplifier for driving the coil, I remember; can't remember what exactly we did to get the range, it had something to do with waveforms and filtering.
Interesting stuff. Always wondered how easy it was to NFC at a distance. Realistically from a home security perspective this is no worse than most door locks. Average door? Easy to pick/rake/bump. A thief will probably just break something (like the window next to the door) instead.
Once RFID door locks become popular, then it's probably not a far stretch to imagine ready-made hacking devices showing up on AliExpress for a few dollars. We are basically at this point with car locks now.
@ShahZahid Even rolling codes can be tricked, e.g. with RF repeaters that forward signals between the keyfob and the car, even if both are a significant distance apart.
@andreasu.3546 hmm interesting, but wouldn't you have to press a button on the keyfob to activate it, cuz it can't be pinging the car all the time, that would absolutely kill the battery life
NFC =/= RFID. There's an encryption method required. NFC tags carry an IC capable of solving a specific key challenge that the reader gives out when it gets in range. Most would have write-once memory that the reader sets to 'pair' the tag the first time it is used. RFID at its simplest form, like shown here, just carries its own ID. That's why it is usually only used to, well, identify things in warehouses.
LF tags are ideal for implanting into pets as they are about the size of a grain of rice so don't cause irritation and the read range and security are not a problem. HF is still used, especially its NFC variant where security is more important and the slightly better read range is useful. In industry UHF is the most common standard now as it has a much better read range (even small hand held devices can read a few metres) and multiple tags can be read at once.
To me this kind of lock would be used where you just want to keep unwanted walk ins out, but not for securing it for locking up and keeping your items safe from thieves. Kind of like a staff only area and you don't want to keep having to use an actual key to get in and out all the time.
Yeah, it's not bad for example coffee rooms for staff, it will keep stragglers out fine, and can probably use just a code instead of a tag. It's not too shabby for an apt building front door either, as you can get those open usually just by randomly buzzing people.
So radio is simply electromagnetic waves pulsing through the electromagnetic field because a radio transmitter's antenna is constantly an electromagnet that continuously oscillates between polarities?
This is why at the pharmaceutical factory I worked security at for 15 years I insisted that all the card readers also require a PIN (which only some doors had). After cloning a few people's higher-access RFID cards I showed them how easy it was to clone a card. I had to compromise and set up an anti-passback system to prevent the same card from entering a door twice without scanning out.
In the early days of WiFi I used to design corporate WiFi networks and the first thing I needed to do was check or set the access points' output to 25 mW because PDAs weren't that powerful. People thought it was counterintuitive to place more individual APs instead of one big antenna at 100 mW at the center of a room. What they forgot was that it's a half-duplex communication and just turning up the WiFi amp is like SHOUTING REALLY LOUD whilst putting fingers in your ears. Changing the op-amp in this video reminded me of this. And it reminded me of a time before lithium ion and when PDAs were a thing...
Great video and idea. I just wanted to add, by looking at the internal circuit of the lock (3:57), that this lock uses a regular relay (almost certainly to trigger the lock to open), which makes me sure you can open it just by using a powerful magnet (say neodymium) on the side of the lock, which is a known vulnerability in most cheap and even some premium security systems.
You had me glued to the screen with this. I'm working on an RFID product using Gen2 tags (~900MHz). I have read tags over 2m and I have a more powerful reader I haven't tried yet. I assumed that lock tags would perform some kind of encryption, or at least use a unique number that can't be easily copied. Gen2 tags include a permanent, unique identifier as far as I know. I'm shocked that those tags can just be copied and work.
Yes, this is exactly what I was thinking about as well; the long range RFID readers are mostly UHF, which is around 900 MHz. The 125 kHz ones are just horrible in terms of protection, heck even the 13.5 MHz ones have a ton of exploits due to security flaws.
The HID MaxiProx 5375 RFID readers at garages can read up to 3 feet away (~90 cm). That is obviously much farther than the 30 cm goal you want, but the coil wrapped in there is roughly 30 cm x 30 cm.
There's a lot more to RFID systems than these simple readers use. This one only reads the serial number of the tag. A secure system would use read and write keys for the RFID tag, preventing anyone without the key from reading anything other than the SN, and those readers would be looking for the data stored on it, rather than the SN. You can easily clone a Mifare Classic serial number, but getting the secured data is far more difficult (not going to go into the ways to do so here). This video does a good job of showing you why you don't want to use one of these cheap readers though, not including the fact you can just pull it off and jump connections with a paperclip to open the lock.
In India we have something called "FASTag"; this is a long distance RFID reading solution (I believe). Used in cars to detect the vehicle details to deduct toll charges on highways. Maybe something you will like to see, and I'll also like to watch 😉
Yeah, we have one too, but those are encrypted; if they weren't secure someone could have changed the ID and some poor guy would have to pay for the toll charges. Also, on a side note, it's kind of illegal to tamper with those. Though I wonder what frequency those operate at, probably UHF.
What you try there is one of the original flaws of RFID systems that has been known pretty much since the beginning. The communication between the reader and tag can be eavesdropped on from up to 20x the effective working distance for an actual tag - more with the right equipment. Since virtually all RFID tags are no more than passive memory devices, they are thoroughly unsuitable for any security critical application - as is all unencrypted wireless technology by the way. On the other hand, the important upside of digital keys of all sorts is that unlike in mechanical keys, each key is different and can be invalidated easily if lost. There are actually three solutions to this problem: one, have a second factor like a PIN that is needed to access the secure resource; or two, use cryptographic tags like DESFire instead of the cheapest option; or three, use a secure-by-design reader that requires you to insert the key fob into an electromagnetically shielded slot to open.
This method is pretty similar to taking a picture of someone's keys, only the range is occluded by metal rather than opaque things. So, if you just store your RFID tags in an RFID blocking container, then you'll actually be about as secure as regular keys since the range should be similar.
You don't need a fancy reader to clone these kinds of tags; as long as your phone has NFC capabilities you can use free apps for this (RFID Tools for example).
You can get enough security with RFID. First you need to choose between fail-safe and fail-secure lock options, and second you need to read hidden data or request processing, not only read the tag designator.
You could incorporate these readers into, for example, water bottle machines or something like that. Giving free water when ppl are using their access cards is a diabolical plan to get a huge amount of useful card numbers. I have found that free stuff makes ppl do strange things 😁 S/O from another physical pen tester
Hey neat, that RFID reader with the keypad is the one they used in Better Call Saul as a Jaguar key fob clone. They took the case off but left the keypad on the PCB.
As someone who has been designing RFID readers for the last 8 years, let me point out some things:
- The 125 kHz systems (often called EMARINE) usually work on one of the EM41xx standards. It was developed decades ago, back when microchips were not that common. This standard, while widely used, is outdated, and shouldn't be used for security purposes. They are so widespread because they are extremely cheap. And they work great for some stuff, like if you have a lunch ordering system or a digital timeclock. You can get ISO datasheets with detailed descriptions of those cards and readers if you look up EM4000 or EM4002.
- Readers which work with the 125 kHz frequency use the near field because the wavelength is about 2.4 km. The reader with the most range that I've seen, and which is commercially available, has about 1 m range. The problem is in the fact that you have to power the tag from the antenna coil. Transmission of energy is not efficient at these low frequencies and antenna shape doesn't really help that much. It's a good idea to make a simple circuit which measures the field strength. Just make a small coil (like the tag), connect a capacitor for 125 kHz resonance, a rectifier, a divider and another capacitor. You can measure the output directly with a multimeter.
- Making a long-range spoofer should be possible. Just make a 125 kHz receiver and detect the signal from the reader itself. Since you don't have to energize the tag (it's already energized by the reader), you should be able to catch the communication. Using some digital filters to process the output, you should be able to get at least 10 m range. The only downside is that you can capture the communication only when the tag is being used, but that can be solved by leaving that device somewhere near the reader and recording tags as they come.
- More secure standards usually use the 13.56 MHz frequency (e.g. your credit card) and they have two-way communication between the reader and tag. Many standards support advanced encryption (look up Mifare DESFire or Legic).
Hello! I'm also looking into the field of RFID technologies now, and wanted some advice. How would you identify what type of infrastructure your RFID system uses? More specifically, what is the cheapest way to scan/copy RFIDs, without investment into expensive technologies such as the Proxmark 3? Is it possible to copy/identify/read/write to RFID for cheaper? Also, I'm interested in the idea you brought up about "intercepting" the authentication key while the tag is being actively used. I've done a decent amount of research, but have not seen anyone bring this up yet. Is this all theoretical, or have you seen something similar being used in reality? Any advice helps. Thank you!
@SongSteel Well, the best way to identify the type of RFID system is to get a multitag reader which supports a good amount of both 125 kHz and 13.56 MHz tags. I use the TWN4 from the Austrian company Elatec, but we buy them in bulk and the price for an end customer is probably higher. There are many options if you are willing to buy from China, but I can't really recommend anything as I don't have experience with them. The most basic way to tell what kind of RFID system you have is to get an oscilloscope and connect one channel to a coil. You can then scan the communication between tags and reader. The most common 125 kHz EM41xx tags can be copied easily; all you need is a microcontroller and a few components. Other tags are much harder to copy, especially if they use some encryption (for example your debit/credit card). But again, if you wanna try some cheap stuff, the best way is to look up experience with some Chinese readers/writers. And to that last part, no, it's not just a theory. We've had an issue with one type of long distance 125 kHz reader, which is installed on the driveway of a warehouse. Sometimes, when the truck driver was leaving the warehouse, he unintentionally opened both gates with one card. After a few hours of testing, I realized that there was a specific place and if you put the RFID tag in that place, both readers could read it. They were 10 m apart and their normal range is 1 m. The second reader was picking up a signal boosted by the first reader. We had to change the software so it would ignore that second reading within a few seconds.
Can you overwhelm an RFID lock by using a stun gun? i.e., generating a high frequency random signal by sparking the gun near the reader? --- When trying to "break" security, you either try to get through in a normal way, or an alternate way. -- An alternate way in this case would be to cook the RFID reader so everyone has to use the keypad and then note the numbers or dust the pad.
In the schematic at 7:45, play with the other part of the circuit also. Yes, raise the voltage, but also play with the receiving circuit, like the forward loss on D2 and also the capacitance of C3, and in the end if you filter the noise down by playing with this part you can raise the gain of the op-amp.
I think maybe a way is to bypass the keypad and put a large magnetic field where the solenoid is at the top of the door; that way the magnetic induction goes into the locking door solenoid, and with enough power you could make the solenoid work through electrical induction. You would need an alternating current. I think this is actually doable.
This just illustrates that when you make something wireless, encryption is even more necessary. Hell, I remember back in the day with 900 MHz cordless phones: I would be able to hear my neighbor's phone conversations unintentionally on my radio scanner. Back then cordless phones sent an entirely analog signal. No encryption at all.
Eh, since the control unit is basically just sending power to the door latch to open the lock, it's easy to just smash it open and connect the wires that go to the door latch. So this is only barely better than a zip tie. Somewhat secure systems have an external panel with only the keypad and RFID plate, while the controller with the relays that control the door latches is internal. So even if you smash the external panel you can still just press the keypad buttons.
Pretty sure you need something more than a larger coil to increase the distance. Think you need to increase the antenna's directionality gain (focusing the RF). Think Pringles can or a Yagi antenna.
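A controller-side model of two defensive rules that come up in this thread: the anti-passback rule from the pharmaceutical-factory comment earlier (a card that entered a zone must scan out before it can enter again), and the duplicate-read window from the reply above (ignore a second read of the same card on the neighbouring reader within a few seconds, because the second reader was picking up the tag re-energized by the first). This is an added Python example, not code from the video, from any commenter, or from any access-control vendor; the reader ids, zones, card numbers and the 5 s window are constructed for the demo, and the PIN second factor is not modelled.

```python
from dataclasses import dataclass, field

# Constructed reader table (hypothetical ids): two coupled "in" readers on one
# yard gate pair, plus an in/out pair on a lab door.
READERS = {
    "gate-A":   {"direction": "in",  "zone": "yard"},
    "gate-B":   {"direction": "in",  "zone": "yard"},
    "door-in":  {"direction": "in",  "zone": "lab"},
    "door-out": {"direction": "out", "zone": "lab"},
}


@dataclass
class AccessController:
    """Applies two rules on top of the usual 'is the card enrolled?' check:
    1. anti-passback: a card must scan out of a zone before it can enter it again,
       so a cloned card cannot follow its owner in (or vice versa) unnoticed;
    2. duplicate suppression: a second read of the same card, same zone and same
       direction within `dup_window_s` of a granted read is ignored rather than
       treated as a new entry (the reader-to-reader coupling case)."""
    enrolled: set
    dup_window_s: float = 5.0
    inside: dict = field(default_factory=dict)      # card -> set of zones it is in
    last_grant: dict = field(default_factory=dict)  # (card, zone, direction) -> time
    log: list = field(default_factory=list)         # audit trail of every decision

    def read(self, reader_id, card, t):
        rd = READERS[reader_id]
        decision = self._decide(card, rd["zone"], rd["direction"], t)
        self.log.append((t, reader_id, card, decision))
        return decision

    def _decide(self, card, zone, direction, t):
        if card not in self.enrolled:
            return "DENY:unknown-card"
        last = self.last_grant.get((card, zone, direction))
        if last is not None and 0 <= t - last < self.dup_window_s:
            return "IGNORE:duplicate-read"
        zones = self.inside.setdefault(card, set())
        if direction == "in":
            if zone in zones:
                return "DENY:anti-passback"   # already inside, never scanned out
            zones.add(zone)
        else:
            if zone not in zones:
                return "DENY:anti-passback"   # leaving a zone it never entered
            zones.remove(zone)
        self.last_grant[(card, zone, direction)] = t
        return "GRANT"


def run_sample():
    """Replay a constructed sequence of reads and return the list of decisions."""
    ctl = AccessController(enrolled={"CARD-1001", "CARD-1002"})
    events = [
        (0.0,  "gate-A",   "CARD-1001"),  # truck enters via gate A
        (1.2,  "gate-B",   "CARD-1001"),  # gate B picks up the same tag via coupling
        (30.0, "door-in",  "CARD-1001"),  # enters the lab
        (40.0, "door-in",  "CARD-1001"),  # a copy of the card tries to enter again
        (45.0, "door-out", "CARD-1001"),  # scans out properly
        (46.0, "door-in",  "CARD-1001"),  # fresh entry after an exit is fine
        (50.0, "door-out", "CARD-1002"),  # never entered: exit denied
        (60.0, "door-in",  "CARD-9999"),  # not enrolled
    ]
    return [ctl.read(reader, card, t) for t, reader, card in events]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The duplicate window is keyed by direction as well as zone, so a genuine out-then-in at the same door a second apart is not swallowed; the price of the window is that two different vehicles presenting the same card at the coupled gates within 5 s would be merged, which is itself a useful thing to see in the log. Anti-passback state also has to survive a controller restart and needs an override path for the "I never scanned out" case, both left out here.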
There is no real RF in those tags, they work with eddy current and the chip inside just shorts the coil briefly to transmit data, only the UHF tags have real radio in them.
You should look into this lecture a 'pen tester' gave about physical security. He discussed a device he carries in a laptop case that can not only read keys like this but very weak ones such as magnetic strip card keys. In the same case he has blank card keys and the machine to program them on the spot. This guy does it as a job to help companies improve security so he's not committing a crime, but it's worth looking at if electronic lock security is a concern of yours.
Fantastic timing! I want a system with RFID to see which lawn mower is going for a recharge. This larger reader in the lawn and then an Arduino telling which station it should go to. =)
The majority of RFID tags are very simple and only transmit a set code when energized. However, I worked for a number of years with "rolling code" RFID chips that change the code each time they are used. These are much more secure and extremely difficult to copy. If you are serious about security, look for a rolling code lock and matching tags.
Just configure that reader to work with PIN and CARD :) I am actually working in this field and must admit, I had a great laugh watching your video. A little knowledge is a dangerous thing and you present here just fractions of information, although the final conclusion sums it up: everyone can theoretically pick this lock. In theory everything is easy, on paper everything works :) There is way more technology in the current RFID tags than presented in the video; however you are right on the presented relay attack, it is the Achilles tendon of most RFID based systems.
At work they have these RFID readers basically shaped like a metal detector you see at the airport. All you have to do is have your ID badge somewhere on you, and walking thru it will read the tag. Could be in your pocket, in your bag, or dangling from a lanyard under your coat, it will still read it as you walk through. I really wish they installed them at every entrance because it's really a pain to remove my ID to hold it up to the close range readers; likely thousands of dollars cheaper and easier to maintain than the large format ones, but still. So much more convenient. Should be no problem for the 70 billion dollar company to swing but hey, the CEO needed a new house or boat or something...
When playing with RFID, you need a Proxmark3. Build your own custom antennas and build configs for them. Not sure if this distance has been surpassed since, though a while back I saw a tutorial on how to build a 2 ft (~60 cm) hijacking rig, all inconspicuously inside of a backpack. Technically you could post up near the reader and just hijack 125 kHz RFID credentials (as a PoC to educate the public) all day long. With facemasks still being viewed as socially acceptable, I can see a lot of downtown condos and corporate buildings being at risk for trespassers just walking through the front door, nosus.
A Proxmark with some kind of amplification could work. It can also crack vulnerable Mifare Classic, or be loaded with custom firmware for other kinds of automation like saving keys in the onboard memory for later retrieval.
Okay, I admit I haven't been over here for a little while and I feel bad about that. And yes, like all your other videos this one was super cool and informative. However, please put the old theme song back! I love that song with you building the LEDs.
3:31 From what I can see, your little power supply module has a "push button to activate" function via a relay built into it and you confused that with the wires coming out of the bolt lock. In the PSU module, when energised, if you apply 12V to the "PUSH" terminal, it will trip the relay and the contacts COM/NO/NC will change accordingly. The bolt lock wiring has nothing to do with this function though. The manual shows that RED/BLACK are for the 12/24V power source and the WHITE/YELLOW are for a "locked" contact for monitoring. Meaning if the bolt is out, you get a short (NC) between those two wires. When the bolt retracts you get an open circuit (NO). You would wire that to an input on the door controller so you can monitor if the lock is actually locked or if the bolt is stuck half-way out or something. In short, although the manual has many spelling mistakes, it showed the correct information regarding the four wires coming out of the lock.
Bro, when I saw the notification I thought the video was from the Lock Picking Lawyer and when you said "this is not the Lock Picking Lawyer" I was like WHAT
Your penmanship is extraordinary! Wow, I am not kidding, I am jealous; this is how I wish my hand printing would look. But it is so hard to change the way you write as an adult, I have tried but it seems like it is really hard to make changes. Also the video was really great, very interesting, and I also like to watch the Lock Picking Lawyer's videos as well! By the way, does anyone have experience with trying to change/improve your handwriting as an adult? Is there a reason that this is difficult, and is it just me or for anyone/everyone?
I've wound coils using a speed controlled motor too, been doing it for 30 years. You can use all kinds of motors, even attach it to a portable drill. Cannot see how this can be patented, and don't forget if someone else wants to make winding machines and sell them you will find legal action too costly to fight.
You could make a helical antenna for LF to be able to increase range. Normally this type of directional antenna isn't used nor suggested for as low as 125 kHz but it can be done. There are some calculators online you can use to help design. You would be able to point in the direction of the transmitter and get a reading and also use it to send a signal to the reader that's connected to the interrogator that deciphers the signal. The polarization would still be the same with a helical antenna but it'd be a tighter shot because of the distance increase.
How practical would such a system be? Because not only would the "scanner" need to be practical for reading information over long distances, it also needs to be semi-concealable. It would be quite suspicious to be lugging around lots of electrical components that take up a lot of space. If the helical antenna was somehow concealable, then maybe it would be practical for this type of application.
Wait, I clicked on this actually thinking it was an LPL video. The first thing I heard was your voice saying this isn't the LPL 😂 blew my mind for a second
It should be possible to do a passive read from a distance when someone opens the door. With a proper directional antenna directed at the door lock, you could probably detect the communication between reader and tag and decode it.
A more secure approach is the unit to send an encrypted random code to the key, which then has to send back the correct corresponding code. Of course, the mechanical parts also have to be strong and secure.
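The difference this comment describes (and the earlier one about smart-card RFID doing challenge/response), as an added Python example that is not code from the video, from any commenter, or from any real tag standard: a static-ID tag answers every interrogation with the same value, so one captured read is a working credential forever, while a challenge-response tag proves it holds a secret key by answering a fresh random challenge, so a captured answer is useless against the next one. The uids, the per-tag keys and the HMAC-SHA256 response function are constructed for the demo; real DESFire and Mifare Plus tags use AES mutual authentication and derive session keys, which this one-way model leaves out, and none of this stops a live relay attack on its own.

```python
import hashlib
import hmac
import secrets

# Constructed enrolment data (hypothetical): tag uid -> secret key shared with the
# reader. For the static-ID case the uid alone is the whole "credential".
KEYS = {"tag-0001": b"\x01" * 16, "tag-0002": b"\x02" * 16}
ALLOWED_STATIC_IDS = set(KEYS)


class StaticTag:
    """Model of the 125 kHz style fob in the video: replies with a fixed ID."""

    def __init__(self, uid):
        self.uid = uid

    def respond(self, challenge=None):
        return self.uid            # the challenge is ignored; same answer every time


class ChallengeResponseTag:
    """Model of a cryptographic tag: the key never leaves the chip; the tag only
    ever emits HMAC(key, challenge) for a challenge the reader chose."""

    def __init__(self, uid, key):
        self.uid = uid
        self._key = key

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def static_reader_accepts(uid):
    """Reader-side check for a static tag: membership in an allow-list."""
    return uid in ALLOWED_STATIC_IDS


def new_challenge():
    """Fresh unpredictable challenge; must never be reused for the same tag."""
    return secrets.token_bytes(16)


def cr_reader_accepts(uid, challenge, response):
    """Reader-side check for a challenge-response tag: recompute the expected
    answer for *this* challenge and compare in constant time."""
    key = KEYS.get(uid)
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo():
    """Simulate legitimate use, passive capture of one exchange, and a later
    replay. Returns (static_replay_ok, cr_genuine_ok, cr_replay_ok)."""
    # 1. Static tag: whatever was captured once IS the credential.
    captured_uid = StaticTag("tag-0001").respond()
    static_replay_ok = static_reader_accepts(captured_uid)

    # 2. Challenge-response tag, genuine exchange: reader picks c1, tag answers r1.
    tag = ChallengeResponseTag("tag-0001", KEYS["tag-0001"])
    c1 = new_challenge()
    r1 = tag.respond(c1)
    cr_genuine_ok = cr_reader_accepts(tag.uid, c1, r1)

    # 3. Replay the captured (uid, r1) at a later visit: the reader issues c2,
    #    and r1 only proves knowledge of the key for c1, so it is rejected.
    c2 = new_challenge()
    cr_replay_ok = cr_reader_accepts(tag.uid, c2, r1)
    return static_replay_ok, cr_genuine_ok, cr_replay_ok


if __name__ == "__main__":
    static_replay, genuine, replay = demo()
    print("static tag, replayed capture accepted:", static_replay)   # True
    print("challenge-response, genuine accepted: ", genuine)         # True
    print("challenge-response, replay accepted:  ", replay)          # False
```

The two things that make the second scheme work are that the challenge is unpredictable and never reused, and that the reader recomputes the answer itself instead of comparing against a stored response; drop either and you are back to a static credential with extra steps.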
Actually, sniffing works only for standards that do not use encryption or some standards, that use compromised security protocol such as Mifare Classic variants vulnerable for Nested and HardNested attacks. Sniffing is useless, for example, for Mifare Plus standard readers, that uses unique session key generation for encrypting data stream between reader and tag with AES-128. So, basically, sniffing would be efficient only for old RFID tag standards or for standards that not designed for to use in high security systems. Using outdated standards or standards that not designed for such purposes is only manufacturer fault. I assume, if you need secure something important with RFID locks, use only Mifare Plus or Mifare Ultralight-C reader variants and tags.
@@johndododoe1411 This is a question of price, actually. Production volume for Mifare Plus is millions for readers and billions for tags; they use an optimized chip topology and provide great security capabilities; actually it is used all over the world in banking applications. To launch a new simple tag you would have to invest starting from $200k just to produce the lithography at an outsourced factory (and these are only starting prices). And you also need to pay the engineers who would create the tag topology for you. More logic on the tag, and the price increases. Universal tags with strong security are really expensive to launch as a product, and I suppose the best solution for RFID lock manufacturers is to use well-known, mass-market, non-compromised standards, because this is a question of cost efficiency. Also, well-designed products would not give a chance to bypass the security system without vandalism. Usually, the only way to unlock the lock in a well-designed system is to physically get to the open/close electrical lock pins; however, you can put in a little more effort and, instead of using simple locks, add a controller to the lock and encrypt the signal between the lock and the reader controller, so it wouldn't be enough to send a simple open signal to the lock pins.
RFID readers have been known to get up to 50 feet. In Canada a company did that to ID where every worker was on the plant site. So reading and detecting RFID at great distance is very possible.
Make a short-range RFID listener. Not a reader, just something that listens. Stick it in a nice-looking box with a small circuit that stores read values and sends them to you via a SIM card. Stick a battery in it and tape it underneath the reader. Low chance that anyone will think anything of it.
It really comes down to use case, though. If you are worried about a "random bad guy" dropping by, then tag copying isn't really a concern. The "random bad guy" is unlikely to bother making sure they get close enough to you to copy the tag. I see you thought about that a bit, with your 30 cm range requirement. But I still think that's not the random bad guy who is hanging around most neighborhoods. So you are right, yeah, RFID isn't the best if you are worried about a targeted attack. But I don't think that is the use case for these devices.
Maybe it's been mentioned, but you know you can use your phone's NFC to read and write those. I used to pick up tossed ski day-use passes with RFID and repurpose them with my OnePlus
How did you get started with this/what are the limitations of your system? I'm experimenting with reading/writing to RFID right now with different infrastructures. Does the phone require anything special to work? How did you learn how to set up everything correctly?
@@SongSteel If I remember correctly, the Google Cardboard VR had an RFID tag to initiate the VR app. Setting this up made me play with RFID. I got some different apps and played a bit with the different possibilities. Just a short experience with them...
Type 1 is unsafe. That's the 125 kHz one. Type 2 is bidirectional and has updatable data in the chip. It's the 2 MHz+ one. Implementation becomes the key factor.
I want to build a home with a fake front door. Imagine having a normal-looking residential home where the front door is actually a dummy door. From the exterior it looks like a normal door, but it's actually bolted in place on all edges. To get through the door you would need to remove the wall around it, because it's secured in place so well. Instead you would have 2 actual doorways (to satisfy fire safety code) somewhere else, but those doorways are hidden from exterior view.
It's the credit card/password problem, where the obfuscation of a shared secret is just deemed sufficient even though anyone could copy that secret, often wirelessly and at a distance. We really need to move to challenge-response authentication, but no one wants to invest in it, since they consider the lack of security to be an acceptable loss and an opportunity to blame the customers and hence offset indemnification onto the consumer. This won't change without regulation.
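The contrast the two comments above are drawing (a static ID that anyone who overhears it can replay, versus the challenge-response that Mifare Plus/DESFire-class tags do), as an added example that is not from the video or from any commenter. It simulates both schemes with a passive sniffer that records one legitimate transaction and replays it. HMAC-SHA256 stands in for the AES-based MAC a real session uses (an assumption made for portability), and the UID and key are constructed sample values.

```python
"""Static-ID replay versus challenge-response, simulated end to end.

Added example, not the video's or any commenter's code. HMAC-SHA256 stands in
for the AES-based MAC a real Mifare Plus/DESFire session computes (assumption);
the UID and key below are constructed sample values.
"""
import hashlib
import hmac
import secrets

ENROLLED_UID = bytes.fromhex("1d0048a7c3")                          # 40-bit UID, constructed
ENROLLED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")    # 128-bit key, constructed


# --- Scheme 1: the reader trusts whatever ID the tag broadcasts (EM41xx style) ---

class StaticTag:
    def __init__(self, uid):
        self.uid = uid

    def respond(self, challenge=None):
        return self.uid          # no secret on the tag: it just repeats its ID


class StaticReader:
    def __init__(self, allowed_uids):
        self.allowed = set(allowed_uids)

    def authenticate(self, tag):
        return tag.respond() in self.allowed


# --- Scheme 2: the reader sends a fresh nonce, the tag proves it holds the key ---

class ChallengeResponseTag:
    def __init__(self, uid, key):
        self.uid, self.key = uid, key

    def respond(self, challenge):
        mac = hmac.new(self.key, challenge + self.uid, hashlib.sha256).digest()
        return self.uid, mac


class ChallengeResponseReader:
    def __init__(self, keys_by_uid):
        self.keys = dict(keys_by_uid)

    def authenticate(self, tag):
        challenge = secrets.token_bytes(16)          # never reused, so old answers are worthless
        uid, mac = tag.respond(challenge)
        key = self.keys.get(uid)
        if key is None:
            return False
        expected = hmac.new(key, challenge + uid, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)


# --- Attacker: passively records one legitimate exchange, then replays it ---

class ReplaySniffer:
    def __init__(self, real_tag):
        self.real_tag = real_tag
        self.recorded = None

    def record(self, challenge=None):
        """Capture the owner's tag answering the reader (done at a distance)."""
        self.recorded = self.real_tag.respond(challenge)

    def respond(self, challenge=None):
        """Present the recorded answer regardless of what the reader asks now."""
        return self.recorded


def replay_against_static_reader():
    reader = StaticReader([ENROLLED_UID])
    sniffer = ReplaySniffer(StaticTag(ENROLLED_UID))
    sniffer.record()
    return reader.authenticate(sniffer)            # True: the copied ID opens the door


def replay_against_challenge_response():
    reader = ChallengeResponseReader({ENROLLED_UID: ENROLLED_KEY})
    sniffer = ReplaySniffer(ChallengeResponseTag(ENROLLED_UID, ENROLLED_KEY))
    sniffer.record(secrets.token_bytes(16))        # a full past exchange, nonce included
    return reader.authenticate(sniffer)            # False: new nonce, stale MAC


def genuine_tag_against_challenge_response():
    reader = ChallengeResponseReader({ENROLLED_UID: ENROLLED_KEY})
    return reader.authenticate(ChallengeResponseTag(ENROLLED_UID, ENROLLED_KEY))   # True


if __name__ == "__main__":
    print("static ID, replay accepted:", replay_against_static_reader())
    print("challenge-response, replay accepted:", replay_against_challenge_response())
    print("challenge-response, real tag accepted:", genuine_tag_against_challenge_response())
```

What the challenge-response version does not stop is a live relay (forwarding the reader's nonce to the real tag in real time and the answer back), which is the relay-attack caveat raised elsewhere in this thread; that needs a PIN, distance bounding or a shielded slot on top.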
Thanks to Morning Brew for my daily news briefing - sign up for free here: morningbrewdaily.com/greatscott
this is not the lock picking lawyer
Video idea: Make a cellular signal amplifier
How the heck did he comment this 10 days ago when he only posted it just now?
@@Chocoffee_battery I was thinking the same thing, maybe it was unlisted 10 days ago? idk
@@Chocoffee_battery among us
When I was building an RFID door lock for my mum when she developed Alzheimer's, the hardest bit was getting a good range. I ended up getting a huge (and resin potted!) reader unit and using it with the long range cards. (The keyfob circuit but with a wider coil in a plastic card.) I got a decent range from it. It also greatly improved the range of the common keyfobs too.
There does seem to be quite a precise science to reading the keyfobs accurately. I did a lot of experimentation with adding wider coils too.
Great minds think alike! That's why they follow Bigclive and Great Scott!
I wonder if antenna design would be better at increasing range, or active noise cancellation.
@@absalomdraconis For all intents and purposes the coil is the antenna in these systems
@@absalomdraconis See Rodin Coil antennas
That could work, but you might have more luck by agitating the RF signal. You can do that just by shaking the tag a little. I deal with UHF systems, and even on these high-powered systems I have to move the tag around or the reader in a paintbrush pattern
I got one of those readers... got about 45 reads off random people in just one day! In my own building I can now get to 14 additional floors. Honestly, RFID on elevator control might provide some security, but the stairwell doors have no security. This is an important lesson here: security is usually only theatre; a show.
Could you explain how you would do such a thing? I'm looking into copying RFID tags as well, and progress is slow. How did you learn how to set up a reader, and where did you get your necessary supplies off the internet? Any advice is helpful. Thank you very much!
Congratulations, you have unlocked a new level with the device DLC
But you're talking only about unencrypted RFID, right?
Someone at IBM asked me how I got into a secure room at their facility. I was in the building trade.
@@CapitaineBleuten A clone is a clone
As LPL has proven so many times, that "lock" can be defeated with just a strong magnet - provided that it contains a relay to operate external circuits..
Haha true ;-)
@@greatscottlab Though what about with a solid state relay, surely that would mitigate that attack
@@KahruSuomiPerkele I have a HID brand 125 kHz stand-alone reader that uses a relay and can be opened with a magnet.
@@LeePorte they also need to be shielded, as such locks are also prone to EMF attacks
That's why, when I made my own DIY smart lock, I used a solid-state relay
When my mother started to develop dementia, I added such a key fob to her wrist band and built such a reader using an ESP8266 to command the electronic lock "Keymatic" to open the doors. So she could continue to live in her home instead of a nursing home. That was really very helpful.
I did that too. A GPS tracker was also added to find her when she went on one of her long walks. It made life a lot easier for us all and took away a lot of the worry.
I hope you also added a GPS tracker to the second wrist band after that
Seems like a pretty topic. I'd like to see more "security research" videos from you!
Noted!
I am also waiting
Lockpickinglawyer Electrical Engineer Edition.
@@greatscottlab A good place to start with this research would be to look into a penetration testing tool called the Proxmark, and also one called an ESPkey. These combined with a long range reader (for reading at a distance of a couple feet/30-60cm) can be very powerful. Also check out some of the penetration testing videos on UA-cam such as Deviant Ollam's channel, or his many talks. Good Luck!
You can absolutely grab tags easily with off-the-shelf long-range readers; adding a microcontroller with BT/WiFi in line with the reader's Wiegand or RS-485 data lines is also a good way to read/replay a code back to the controller.
But the long-range ones are generally UHF, around 900 MHz-ish
Only mentioning the show because it uses real tech as part of the scenes, but Mr. Robot had a good scene showing this being done with an off-the-shelf reader placed in a bag. Maybe not as long range as you're referring to, but a good example of how it can be done, and it mirrors talks I've seen at hacking conferences. You can purchase a device like a Chameleon off AliExpress to do cloning and other attacks as well, with replaceable antennas, and it's nice and compact.
DONT LIKE THIS COMMENT HAS 69 LIKES
There are no off-the-shelf long-range readers for 125 kHz; the best have about 1 m range (in the best conditions). On the other hand, copying an EM41xx tag is really easy and can be done without any encoding. You can even use very simple circuitry and a phone, because the data frequency is within the audio range. Simple AM demodulation into the mic input, record it as WAV and play it back - boom.
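The Wiegand tap mentioned above (what an ESPkey-style device spliced into the reader's D0/D1 wires actually records and replays), as an added example that is not from the video or from any commenter. It encodes and decodes the common 26-bit Wiegand layout with both parity checks, shows the cable-level view the tap sees, and replays a recorded badge into the controller. The facility code and card number are constructed samples.

```python
"""Wiegand-26 on the reader-to-controller wires: encode, decode, tap and replay.

Added example, not the video's or any commenter's code. Uses the common 26-bit
layout (even parity, 8-bit facility code, 16-bit card number, odd parity);
the facility/card values are constructed samples.
"""


def wiegand26_encode(facility, card):
    """The 26 bits a reader clocks out for this facility code and card number."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    payload = (facility << 16) | card
    data = [(payload >> (23 - i)) & 1 for i in range(24)]
    even = sum(data[:12]) % 2              # leading bit makes bits 0-12 even
    odd = 1 - sum(data[12:]) % 2           # trailing bit makes bits 13-25 odd
    return [even] + data + [odd]


def wiegand26_decode(bits):
    """Check both parity groups and return (facility, card); raise on a bad frame."""
    if len(bits) != 26:
        raise ValueError("expected 26 bits, got %d" % len(bits))
    if sum(bits[0:13]) % 2 != 0:
        raise ValueError("even parity failed on bits 0-12")
    if sum(bits[13:26]) % 2 != 1:
        raise ValueError("odd parity failed on bits 13-25")
    payload = 0
    for b in bits[1:25]:
        payload = (payload << 1) | b
    return payload >> 16, payload & 0xFFFF


def bits_to_pulses(bits):
    """What a tap on the cable sees: one low pulse on D0 per 0 bit, on D1 per 1 bit."""
    return ["D1" if b else "D0" for b in bits]


def pulses_to_bits(pulses):
    """The controller's view: it only ever sees which wire pulsed, nothing else."""
    return [1 if p == "D1" else 0 for p in pulses]


def tap_and_replay(facility, card):
    """A device spliced into D0/D1 records a real badge and replays it later.

    Returns what the controller decodes from the replayed pulses: the controller
    cannot tell the reader's pulses from the tap's, because the line carries no
    authentication of its own.
    """
    reader_pulses = bits_to_pulses(wiegand26_encode(facility, card))
    recorded = list(reader_pulses)              # stored by the tap (e.g. sent over WiFi/BT)
    replayed_bits = pulses_to_bits(recorded)    # tap drives the wires toward the controller
    return wiegand26_decode(replayed_bits)


if __name__ == "__main__":
    print(tap_and_replay(123, 45678))
```

The parity bits catch a flipped bit on a noisy cable, not an attacker: whatever the tag format or encryption between tag and reader, a plain Wiegand line hands the controller an unauthenticated card number, which is why the separate-controller advice elsewhere in the thread only helps if the reader-to-controller link is also protected (OSDP with secure channel, or at least a tamper switch on the reader).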
I feel like the easiest way to "pick" that lock is to just pull the reader off the wall and short the appropriate pins to trigger the latch. That's why these systems usually use a separate controller - so there's nothing you can do to the external components to trigger the latch.
It might have a button which gets released when pulled from the wall and triggers an alarm
This particular lock uses a relay, it's easier to just place a neodymium magnet on it and it will open
Came here to make the same comment.
Don’t get a product that has the relay inside the same housing as the reader.
Also don't use 125 kHz technology, get MIFARE DESFire. Much more secure.
No. The easiest way to pick that lock is using a strong magnet to manipulate the relay inside.
@@nirodper Or modify the antenna coil to be an electromagnet instead... (since Scott is an electric engineer) 😉
I once worked at a place where access to the parking lot was controlled with a large RFID reader. I would stick my arm out the window with my card in hand and slow down to just the right speed for the card to be read and the gate to go up just barely in time. The terrified looks I got from some security guards were priceless. 😂
Off topic, but this reminded me of the deckhand on a Sydney ferry: as the ferry was reversing from the wharf, the deckhand would just casually flick the rope loop off the bollard.
@@darylcheshire1618 @AlyssaNguyen damn, seems like you two got quite comfortable with the ins and outs of your jobs
Security is more a game of deterrence than anything else, and so you weigh everything from the value to bad actors to the (in)convenience for the valid users and find a solution that is sufficient for the scenario.
I think the biggest takeaway should be “just because it has a computer in it doesn’t mean it’s automatically more secure than other options”, and that is something we would all do well to remember.
And sometimes the computer is what invites hackers to attempt to find exploits and vulnerabilities.
I love how the Lockpickinglawyer has essentially become a meme on any lock-related video
Free advertisements for him
About 15 years ago, I was the developer of a production tracking system. At one point we started implementing controls on what leaves the production floor to be loaded into trucks. So we added an RFID tracking system. The system began printing RFID labels (yes, just like any other thin sticker) on our Zebra printers.
If you think that product from Amazon is a lot, the reader we had installed on top of the exit door was over 3 meters high and could read the labels of all boxes on a pallet before they got directly under it. And they were passive, not active tags, as the cost of those would make the solution unviable. So you have an idea of what's possible.
Now, if you want to maximize the range of your reader, I'd look at content on metal detector designs. Seeing how simplistic your design was compared to the ones I saw for metal detectors, I know there is a lot of room to increase that range with some freely available designs.
I am working towards building a metal detector and it is way more complicated than I was hoping for when I had this terrible idea. So it's going to take a while 😂.
But I think you'd probably be able to adapt them in no time.
Mount the reader on the inside of the door for more security; the tag can be read through the door if it's thin enough and not metal-lined. Plus nobody knows it's there 👍🏻
You would lose out on the code option though... but not the worst idea; it would require the reader to have at least 5-6 cm of reading distance.
Long-range RFID systems use UHF 433 MHz & 928 MHz transmitters along with sensitive receivers that can detect a fraction of change in the transmitted wave. If we increase the operating frequency of the RFID system, then the power required for transmission decreases and the sensitivity also improves. Another way is to modify the 125 kHz coil circuit with a high-speed switching transistor and adjust the gain of the op-amp at the detector end to an optimal level with a pot... I think it works ✌️
It seems to me that the chip in each 125 kHz tag (close range) is precisely bounded to that frequency, isn't it?
@@OgbondSandvol Yes, it's the resonance frequency
Never been so early! love your channel!, You have single handedly inspired my love for electronics for the past 4 years!
Glad to hear that :-)
9:45 You might want to consider using a Smith chart; it will make it a lot easier to calculate the impedance matching networks. I do the same thing, however in my work a capacitor is usually just a thicker PCB trace and an inductor a thinner PCB trace :)
Nah. A Smith chart is pretty much useless for 125 kHz matching, because it's just a very simple LC tank.
@@mrkv4k Smith charts will work at any frequency; his method works great too! And nothing is purely a simple LC tank, everything has parasitics. The parasitics in this case are fortunately (mostly) negligible. I just mentioned it because Smith charts are fun!
@@linuxguy1199 A Smith chart is not useful for this, because it all works on one frequency.
@@linuxguy1199 It's not useful, because it's more complicated than having the simple 1/(L*w^2) formula in Excel (which is what I do). The way you'd calculate the capacitance on a Smith chart would be
1. Calculate the inductor impedance.
2. Make a point on a Smith chart.
3. Make a straight line and measure the new point.
4. Take the new value and convert it back into capacitance.
All this is pretty useless, because the impedance of the antenna coil for 125 kHz systems is usually somewhere in the 380i+30 range and you don't have to bother with the resistive part. Just compute what capacitance would have the -380i impedance (which is what you're doing with that formula). There is no advanced matching needed, because the frequency is low and the coil can be energized by one transistor fed by a square wave signal. Plus it's usually a series resonant circuit.
Smith charts are very useful if you are computing antennas for 13.56 MHz systems, but that's a different story.
@@mrkv4k You're missing the point, It would be cool if he made a video using them! :P
Also, Smith charts can be and are very commonly used for multiple frequencies (by tracing an impedance curve from your start to stop frequency, then doing each operation on two points of the curve). For simple stuff like this they aren't practical; they become far more practical when doing higher frequency stuff where the impedance matching is far more critical (RF filters, FET RF amplifiers, crystal detectors, crystal filters, etc).
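The 1/(L*w^2) calculation from the exchange above, carried through with the 30 + 380j ohm coil the commenter quotes, as an added example that is not from the video or from any commenter. Beyond the capacitor value it adds the two checks a practitioner wants before winding a bigger coil: the tank's Q and half-power bandwidth against the tag's data sidebands (EM4100 tags clock one bit per 64 carrier cycles, so the modulation sits within a few kHz of 125 kHz), and how far a 10% capacitor tolerance pulls the resonance off the carrier. The sideband rule of thumb (half-bandwidth at least twice the bit rate) is an assumption, not a figure from the thread.

```python
"""Series-resonant 125 kHz antenna tank: capacitor, Q, bandwidth and detuning.

Added example, not the video's or any commenter's code. Coil values are the
30 + 380j ohm figure quoted in the thread; the sideband criterion is a
rule-of-thumb assumption.
"""
import math

F0 = 125_000.0            # carrier the EM41xx tags expect
BIT_RATE = F0 / 64        # EM4100 data rate: one bit per 64 carrier cycles (~1953 bit/s)


def inductance_from_reactance(x_l, f=F0):
    """L from the measured +jX of the coil at frequency f."""
    return x_l / (2 * math.pi * f)


def series_resonant_capacitance(l_h, f=F0):
    """The C that cancels the coil's reactance at f: C = 1 / (L * w^2)."""
    return 1.0 / (l_h * (2 * math.pi * f) ** 2)


def resonant_frequency(l_h, c_f):
    return 1.0 / (2 * math.pi * math.sqrt(l_h * c_f))


def quality_factor(l_h, r_ohm, f=F0):
    """Q of the series tank: reactance over winding resistance."""
    return 2 * math.pi * f * l_h / r_ohm


def half_power_bandwidth(q, f=F0):
    return f / q


def tank_report(x_l=380.0, r_ohm=30.0, cap_tolerance=0.10):
    """Design numbers for a coil measuring r_ohm + j*x_l at F0."""
    l_h = inductance_from_reactance(x_l)
    c_f = series_resonant_capacitance(l_h)
    q = quality_factor(l_h, r_ohm)
    bw = half_power_bandwidth(q)
    # Manchester data has energy out to roughly twice the bit rate either side
    # of the carrier; a tank narrower than that smears the tag's edges (assumption).
    passes_sidebands = bw / 2 >= 2 * BIT_RATE
    f_low = resonant_frequency(l_h, c_f * (1 + cap_tolerance))
    f_high = resonant_frequency(l_h, c_f * (1 - cap_tolerance))
    return {
        "L_uH": l_h * 1e6,
        "C_nF": c_f * 1e9,
        "Q": q,
        "bandwidth_Hz": bw,
        "passes_sidebands": passes_sidebands,
        "f0_range_with_cap_tolerance_Hz": (f_low, f_high),
    }


if __name__ == "__main__":
    for k, v in tank_report().items():
        print("%-32s %s" % (k, v))
```

For the quoted coil this lands at about 484 µH, 3.35 nF and Q ≈ 12.7, i.e. a ~9.9 kHz passband, comfortably wider than the ~3.9 kHz sidebands; a 10% capacitor pulls resonance to roughly 119-132 kHz, so either use a 1-2% part or trim against a field-strength probe like the one described later in the thread. Raising Q with a bigger, lower-resistance coil buys range only until the passband closes in on the data sidebands.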
You can get commercial long-distance RFID readers and reverse engineer how they work… they are used in tolling and parking entrances to read RFID tags on cars as they drive in
Please continue! The Mythbusters were looking into this years ago and were discouraged from looking further. It would be very interesting to see what you could pull off!
Well, if they can't blow it up, or drop it from a great height, they aren't exactly intelligent guys to come up with anything else.
Nice video!
A good idea for future video is to explain how NFC works and differences with RFID. And of course why it is more secure.
The LPL hack with the magnet to the relay was more fun :) (I think a general good indication: if you connect the lock contacts to the outside device it’s not safe)
BTW the "better" RFID systems go a long way to document that they should not be used as access control :)
Only RFID chips with smart card functions can do challenge/response and are (partially, think relay attacks) safe.
All the designers need to do is place a Hall effect sensor near the relay, so that if you bring a magnet near it, it will just sound the alarm. But then again, a separate control unit makes much more sense
They could just follow you in, which is what they do in my building works fine. I don't know all my neighbors and don't want to go to war with any of the more touchy ones.
alternatively bring a very strong magnet close to it
sometimes they will directly pull the bolt open
sometimes they will trip a solenoid that opens the bolt
sometimes they will crash the software which then resets and defaults to open
Good thing you looked over the instructions
We used to make coils that were rectangular, about 1 meter x 1 meter in size, and were built to be hidden in concrete floors to read tags in prison buildings. Not used for opening doors but for tracking people, so nobody could escape, because RFID is indeed a bad idea for locking doors. We could read tags up to about 3 meters. The electronics for this were made in house as well. It had a sizeable amplifier for driving the coil, I remember; I can't remember exactly what we did to get the range it had, it had something to do with waveforms and filtering.
I haven't been on UA-cam as much as I used to, but I love the new intro. It is cool that you kept the premise the same. The artist did a very good job.
Interesting stuff. Always wondered how easy it was to read NFC at a distance. Realistically, from a home security perspective, this is no worse than most door locks. Average door? Easy to pick/rake/bump. A thief will probably just break something (like the window next to the door) instead.
Once RFID door locks become popular, it's probably not a far stretch to imagine ready-made hacking devices showing up on AliExpress for a few dollars. We are basically at this point with car locks now.
@@andreasu.3546 With older cars that works; you can't use SDR-based spoofing with newer cars, as the key is randomly generated by an algorithm
@@ShahZahid Even rolling codes can be tricked, e.g. with RF repeaters that forward signals between the keyfob and the car, even if both are a significant distance apart.
@@andreasu.3546 Hmm, interesting, but wouldn't you have to press a button on the key fob to activate it? Because it can't be pinging the car all the time, that would absolutely kill the battery life
NFC =/= RFID. There's an encryption method required. NFC tags carry an IC capable of solving a specific key challenge that the reader gives out when it gets in range. Most would have write-once memory that the reader sets to 'pair' the tag the first time it is used. RFID in its simplest form, like shown here, just carries its own ID. That's why it is usually only used to, well, identify things in warehouses.
LF tags are ideal for implanting into pets as they are about the size of a grain of rice so don't cause irritation and the read range and security are not a problem. HF is still used, especially its NFC variant where security is more important and the slightly better read range is useful. In industry UHF is the most common standard now as it has a much better read range (even small hand held devices can read a few metres) and multiple tags can be read at once.
Well GreatScott turned into Kevin Mitnick real quick
To me this kind of lock would be used where you just want to keep unwanted walk ins out, but not for securing it for locking up and keeping your items safe from thieves. Kind of like a staff only area and you don't want to keep having to use an actual key to get in and out all the time.
Yeah, it's not bad for example coffee rooms for staff, it will keep stragglers out fine, and can probably use just a code instead of a tag.
It's not too shabby for an apt building front door either, as you can get those open usually just by randomly buzzing people.
So radio is simply electromagnetic waves pulsing through the electromagnetic field because a radio transmitter's antenna is constantly an electromagnet that continuously oscillates between polarities?
This is why, at the pharmaceutical factory where I worked security for 15 years, I insisted that all the card readers also require a PIN (which only some doors had). After cloning a few higher-access people's RFID cards, I showed them how easy it was to clone a card. I had to compromise and set up an anti-passback system to prevent the same card from entering a door twice without scanning out.
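The card-plus-PIN and anti-passback controls from the comment above, as an added example that is not from the video or from any commenter. It models one door with an outside (IN) and inside (OUT) reader as a small state machine and runs a cloned-card scenario through it, so you can see exactly which attempts each control stops and which it does not. The enrolled card ID and PIN are constructed sample values.

```python
"""Two-factor (card + PIN) door with hard anti-passback, as a state machine.

Added example, not the video's or any commenter's code. The enrolled card ID
and PIN are constructed sample values.
"""
import hmac
from enum import Enum


class Side(Enum):
    OUTSIDE = "outside"
    INSIDE = "inside"


class Decision(Enum):
    GRANT = "grant"
    DENY_UNKNOWN_CARD = "deny: card not enrolled"
    DENY_BAD_PIN = "deny: wrong PIN"
    DENY_ANTI_PASSBACK = "deny: anti-passback violation"


class Door:
    """One door, IN reader outside and OUT reader inside, hard anti-passback."""

    def __init__(self, enrolled):
        self.pins = dict(enrolled)                            # card_id -> PIN
        self.where = {c: Side.OUTSIDE for c in self.pins}     # last known side per card
        self.events = []                                      # audit trail

    def request(self, card_id, direction, pin=None):
        """direction is 'in' (outside reader) or 'out' (inside reader)."""
        decision = self._decide(card_id, direction, pin)
        self.events.append((card_id, direction, decision))
        if decision is Decision.GRANT:
            self.where[card_id] = Side.INSIDE if direction == "in" else Side.OUTSIDE
        return decision

    def _decide(self, card_id, direction, pin):
        if card_id not in self.pins:
            return Decision.DENY_UNKNOWN_CARD
        # Constant-time compare so PIN checking does not leak timing.
        if not hmac.compare_digest(str(pin), str(self.pins[card_id])):
            return Decision.DENY_BAD_PIN
        # Hard anti-passback: a card that is already inside cannot enter again,
        # and a card that never entered cannot exit.
        expected = Side.OUTSIDE if direction == "in" else Side.INSIDE
        if self.where[card_id] is not expected:
            return Decision.DENY_ANTI_PASSBACK
        return Decision.GRANT


def cloned_card_scenario():
    """Owner and a cloned copy of the owner's card at the same door."""
    door = Door({"1d0048a7c3": "4821"})
    return [
        door.request("1d0048a7c3", "in", "4821"),   # owner badges in with PIN
        door.request("1d0048a7c3", "in", None),     # clone, PIN unknown
        door.request("1d0048a7c3", "in", "4821"),   # clone + shoulder-surfed PIN, owner inside
        door.request("1d0048a7c3", "out", "4821"),  # owner leaves
        door.request("1d0048a7c3", "in", "4821"),   # clone again: now indistinguishable
    ]


if __name__ == "__main__":
    for d in cloned_card_scenario():
        print(d.value)
```

The last line of the scenario is the honest limit of the compromise described above: anti-passback only catches a clone while the owner is on the other side of the door, and only the PIN stops it otherwise, which is why the PIN belongs on every reader, not just some. Soft anti-passback (log and alarm instead of deny) is the variant sites use when they would rather not lock out staff who tailgated out without badging.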
In the early days of WiFi I used to design corporate WiFi networks, and the first thing I needed to do was check or set the access points' output to 25 mW because PDAs weren't that powerful.
People thought it was counterintuitive to place more individual APs instead of one big antenna at 100 mW at the center of a room. What they forgot was that it's half-duplex communication, and just turning up the WiFi amp is like SHOUTING REALLY LOUD whilst putting your fingers in your ears. Changing the op-amp in this video reminded me of this. And it reminded me of a time before lithium-ion, when PDAs were a thing…
You're the best, GreatScott! Such quality content here! Thank you :)
Great video and idea. I just wanted to add, looking at the internal circuit of the lock ( 3:57 ), that this lock uses a regular relay (almost certainly to trigger the lock to open), which makes me sure you can open it just by using a powerful magnet (say neodymium) on the side of the lock, which is a known vulnerability in most cheap and even some premium security systems.
So the magnet causes the relay to close, instead of the electromagnet inside the relay?
You had me glued to the screen with this. I'm working on an RFID product using Gen2 tags (~900MHz). I have read tags over 2m and I have a more powerful reader I haven't tried yet. I assumed that lock tags would perform some kind of encryption, or at least use a unique number that can't be easily copied. Gen2 tags include a permanent, unique identifier as far as I know. I'm shocked that those tags can just be copied and work.
Yes, this is exactly what I was thinking about as well; the long-range RFID readers are mostly UHF, which is around 900 MHz. The 125 kHz ones are just horrible in terms of protection; heck, even the 13.5 MHz ones have a ton of exploits due to security flaws
The HID MaxiProx 5375 RFID readers at garages can read up to 3 feet away (~90 cm). That is obviously much farther than the 30 cm goal you want, but the coil wrapped in there is roughly 30 cm x 30 cm
your videos must be shown in schools!
they are so good and informative!
Glad you think so!
There's a lot more to RFID systems than these simple readers use. This one only reads the serial number of the tag. A secure system would use read and write keys for the RFID tag, preventing anyone without the key from reading anything other than the SN, and those readers would be looking for the data stored on it rather than the SN. You can easily clone a Mifare Classic serial number, but getting the secured data is far more difficult (not going to go into the ways to do so here).
This video does a good job of showing you why you don't want to use one of these cheap readers though, not to mention the fact that you can just pull it off and jump the connections with a paperclip to open the lock.
That's quite a motor on a fancy bench for winding :) Always good to watch your videos!
In India we have something called "Fast Tag", which is a long-distance RFID reading solution (I believe). Used in cars to detect the vehicle details to deduct toll charges on highways. Maybe something you'd like to see, and I'd also like to watch 😉
Yeah, we have one too, but those are encrypted; if they weren't secure someone could have changed the ID and some poor guy would have to pay the toll charges. Also, on a side note, it's kind of illegal to tamper with those, though I wonder what frequency those operate at, probably UHF
What you try there is one of the original flaws of RFID systems that has been known pretty much since the beginning. The communication between the reader and tag can be eavesdropped on from up to 20x the effective working distance for an actual tag - more with the right equipment. Since virtually all RFID tags are no more than passive memory devices, they are thoroughly unsuitable for any security critical application - as is all unencrypted wireless technology by the way.
On the other hand, the important upside of digital keys of all sorts is that unlike in mechanical keys, each key is different and can be invalidated easily if lost.
There are actually three solutions to this problem: one, have a second factor like a PIN that is needed to access the secure resource; two, use cryptographic tags like DESFire instead of the cheapest option; or three, use a secure-by-design reader that requires you to insert the key fob into an electromagnetically shielded slot to open
This method is pretty similar to taking a picture of someone's keys, only the range is occluded by metal rather than opaque things.
So, if you just store your RFID tags in an RFID blocking container, then you'll actually be about as secure as regular keys since the range should be similar.
Normally you've got an encrypted rolling code. Something like Mifare DESFire EV2. As an antenna you could maybe use a retail shop gate.
Exciting video. It was the subject of my diploma thesis in 2007 at Braun...
I built one of these after seeing this idea on the Lockpicking Lawyers channel.
You don't need a fancy reader to clone these kinds of tags; as long as your phone has NFC capabilities you can use free apps for this (RFID Tools, for example)
You don't build something like this for security, but for convenience. ❤❤❤
This was a most excellent lesson. Very inspiring, it makes me want to learn more about this subject.
You can get enough security with RFID. First you need to choose between fail-safe and fail-secure lock options, and second you need to read hidden data or request processing, not only read the tag designator.
The Intro is already legend!
You could incorporate these readers into, for example, water bottle machines or something like that. Giving free water when people use their access cards is a diabolical plan to get a huge amount of useful card numbers. I have found that free stuff makes people do strange things 😁 S/O from another physical pen tester
Hey neat, that RFID reader with the keypad is the one they used in Better Call Saul as a Jaguar key fob clone. They took the case off but left the keypad on the PCB
As someone who has been designing RFID readers for the last 8 years, let me point some things:
- The 125 kHz systems (often called EMARINE) usually work on one of the EM41xx standards. It was developed decades ago, back when microchips were not that common. This standard, while widely used, is outdated and shouldn't be used for security purposes. They are so widespread because they are extremely cheap. And they work great for some things, like if you have a lunch-ordering system or a digital time clock. You can get ISO datasheets with detailed descriptions of those cards and readers if you look up EM4000 or EM4002.
- Readers which work at 125 kHz use the near field, because the wavelength is about 2.4 km. The reader with the most range that I've seen, and which is commercially available, has about 1 m range. The problem is that you have to power the tag from the antenna coil. Transmission of energy is not efficient at these low frequencies, and antenna shape doesn't really help that much. It's a good idea to make a simple circuit which measures the field strength. Just make a small coil (like the tag), connect a capacitor for 125 kHz resonance, a rectifier, a divider and another capacitor. You can measure the output directly with a multimeter.
- Making a long-range spoofer should be possible. Just make a 125 kHz receiver and detect the signal from the reader itself. Since you don't have to energize the tag (it's already energized by the reader), you should be able to catch the communication. Using some digital filters to process the output, you should be able to get at least 10 m range. The only downside is that you can capture the communication only when the tag is being used, but that can be solved by leaving the device somewhere near the reader and recording tags as they come.
- More secure standards usually use the 13.56 MHz frequency (e.g. your credit card) and they have two-way communication between the reader and tag. Many standards support advanced encryption (look up Mifare DESFire or Legic).
Hello! I'm also looking into the field of RFID technologies now and wanted some advice. How would you identify what type of infrastructure your RFID system uses? More specifically, what is the cheapest way to scan/copy RFIDs, without investing in expensive technologies such as the Proxmark 3? Is it possible to copy/identify/read/write RFID for cheaper?
Also, I'm interested in the idea you brought up about "intercepting" the authentication key while the tag is being actively used. I've done a decent amount of research, but have not seen anyone bring this up yet. Is this all theoretical, or have you seen something similar being used in reality? Any advice helps. Thank you!
@@SongSteel Well, the best way to identify the type of RFID system is to get a multi-tag reader which supports a good amount of both 125 kHz and 13.56 MHz tags. I use the TWN4 from the Austrian company Elatec, but we buy them in bulk and the price for an end customer is probably higher. There are many options if you are willing to buy from China, but I can't really recommend anything as I don't have experience with them. The most basic way to tell what kind of RFID system you have is to get an oscilloscope and connect one channel to a coil. You can then scan the communication between tags and reader.
The most common 125 kHz EM41xx tags can be copied easily; all you need is a microcontroller and a few components. Other tags are much harder to copy, especially if they use some encryption (for example your debit/credit card). But again, if you wanna try some cheap stuff, the best way is to look up experience with some Chinese readers/writers.
And to that last part, no, it's not just a theory. We've had an issue with one type of long-distance 125 kHz reader, which is installed on the driveway of a warehouse. Sometimes, when the truck driver was leaving the warehouse, he unintentionally opened both gates with one card. After a few hours of testing, I realized that there was a specific place, and if you put the RFID tag in that place, both readers could read it. They were 10 m apart and their normal range is 1 m. The second reader was picking up a signal boosted by the first reader. We had to change the software so it would ignore that second reading within a few seconds.
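What an EM41xx tag actually sends, and what the listener/sniffer proposed in this thread and the "demodulate it into the mic input and play it back" approach from earlier in the comments have to decode, as an added example that is not from the video or from any commenter. It builds the 64-bit EM4100 frame (9 header ones, 10 rows of 4 data bits plus even row parity, 4 column parity bits, stop bit), Manchester-encodes it the way the tag load-modulates the carrier, and then recovers the 40-bit ID from a capture that starts at an arbitrary point in the cycle with unknown polarity, which is what a real recording gives you. The Manchester polarity convention and the 40-bit sample ID are assumptions/constructed values.

```python
"""EM4100 (EM41xx) frame encode/decode plus Manchester recovery from a capture.

Added example, not the video's or any commenter's code. Bit layout follows the
EM4100 format: 9 header ones, 10 rows of 4 data bits + even row parity,
4 even column parity bits, stop bit 0 (64 bits). Manchester polarity (which chip
pair means a 1) is a convention chosen here; the recovery routine tries both.
The 40-bit ID below is a constructed sample value.
"""

HEADER = [1] * 9
FRAME_BITS = 64
SAMPLE_ID = 0x1D0048A7C3


def em4100_frame(id40):
    """Build the 64-bit frame a tag with this 40-bit ID transmits, over and over."""
    if not 0 <= id40 < 1 << 40:
        raise ValueError("EM4100 ID is 40 bits")
    nibbles = [(id40 >> (36 - 4 * i)) & 0xF for i in range(10)]
    bits = list(HEADER)
    for n in nibbles:
        row = [(n >> 3) & 1, (n >> 2) & 1, (n >> 1) & 1, n & 1]
        bits += row + [sum(row) % 2]                 # even parity per row
    for col in range(4):
        bits.append(sum((n >> (3 - col)) & 1 for n in nibbles) % 2)   # even parity per column
    bits.append(0)                                   # stop bit
    return bits


def em4100_parse(bits):
    """Return the 40-bit ID if the frame is well formed, else None."""
    if len(bits) != FRAME_BITS or bits[:9] != HEADER or bits[63] != 0:
        return None
    rows = []
    for r in range(10):
        start = 9 + 5 * r
        row, parity = bits[start:start + 4], bits[start + 4]
        if sum(row) % 2 != parity:
            return None
        rows.append(row)
    for col in range(4):
        if sum(row[col] for row in rows) % 2 != bits[59 + col]:
            return None
    value = 0
    for row in rows:
        for b in row:
            value = (value << 1) | b
    return value


def manchester_encode(bits, one=(1, 0)):
    """Two chips per bit; `one` is the chip pair for a 1, its complement is a 0."""
    zero = (1 - one[0], 1 - one[1])
    chips = []
    for b in bits:
        chips += one if b else zero
    return chips


def manchester_decode(chips, one=(1, 0)):
    """Inverse of manchester_encode; None if any chip pair has no transition."""
    zero = (1 - one[0], 1 - one[1])
    bits = []
    for i in range(0, len(chips) - 1, 2):
        pair = (chips[i], chips[i + 1])
        if pair == one:
            bits.append(1)
        elif pair == zero:
            bits.append(0)
        else:
            return None
    return bits


def recover_id(capture):
    """Find the ID in one full 128-chip cycle of demodulated capture.

    The capture can start anywhere in the cycle and with either polarity,
    which is what a listener coil or a phone recording the demodulated
    carrier gives you; the 9-ones header and the parity bits pin it down.
    """
    n = len(capture)
    for polarity in ((1, 0), (0, 1)):
        for offset in range(n):
            window = [capture[(offset + i) % n] for i in range(2 * FRAME_BITS)]
            bits = manchester_decode(window, polarity)
            if bits is not None:
                id40 = em4100_parse(bits)
                if id40 is not None:
                    return id40
    return None


def demo():
    """Encode the sample ID, mangle the capture as a real one would be, recover it."""
    chips = manchester_encode(em4100_frame(SAMPLE_ID))
    rotated_inverted = [1 - c for c in chips[37:] + chips[:37]]
    return recover_id(chips), recover_id(rotated_inverted)


if __name__ == "__main__":
    print("%010x %010x" % demo())
```

There is nothing to "break" here: the chip stream is the whole secret. At the default rate of one bit per 64 carrier cycles the tag repeats its 64-bit frame about thirty times a second, so a microcontroller that shorts a coil in this pattern is a complete emulator, and a recording of the demodulated carrier fed back through the same coil is the "play it back" trick from earlier in the thread. The same decoder, run over a longer capture, also gives the crosstalk case described above: two readers energizing the same tag produce the same frame at both, and only the controller's de-duplication window tells them apart.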
Can you overwhelm an RFID lock by using a stun gun? I.e., generating a high-frequency random signal by sparking the gun near the reader? When trying to "break" security, you either try to get through in a normal way or an alternate way. An alternate way in this case would be to cook the RFID reader so everyone has to use the keypad, and then note the numbers or dust the pad.
In the schematic at 7:45, play with the other part of the circuit too. Yes, raise the voltage, but also play with the receiving circuit, like the forward loss on D2 and also the capacitance of C3; in the end, if you filter the noise down by playing with this part, you can raise the gain of the op-amp.
it works even easier.. depending of what model, all you need is a screwdriver and a 9V battery to open it.. ^^
I think may be away is the bypass the keypad and put a large magnetic field where the solenoid is at the top of the door that way the magnetic electrical induction goes into the locking door solenoid and with enough power you could make the solenoid work through electrical induction, you would need a alternating current,, I think this is actually doable.
I have an rfid chip in my hand that's encrypted and writable. Highly recommended for home assistant
Sounds useful :-)
@@greatscottlab Seemed like the natural progression end game for what you like to make
This just illustrates that when you make something wireless: encryption is even more necessary.
Hell I remember back in the day with 900mhz cordless phones: I would be able to hear my neighbor's phone conversations unintentionally on my radio scanner. Back then cordless phones sent an entirely analog signal. No encryption at all.
Eh, since the control unit is basically just sending power to the door latch to open the lock, it's easy to just smash it open and connect the wires that go to the door latch. So this is only barely better than a zip tie.
Somewhat secure systems have an external panel with only the keypad and RFID plate, while the controller with the relays that control the door latches is internal. So even if you smash the external panel you can still just press the keypad buttons
Pretty sure you need something more than a larger coil to increase the distance.
Think you need to increase the antenna's directionality gain (focusing the rf). Think pringles can or a yagi antenna
Thanks for the feedback. Definitely worth considering for the maybe follow up video✌️
There is no real RF in those tags, they work with eddy current and the chip inside just shorts the coil briefly to transmit data, only the UHF tags have real radio in them.
You should look into this lecture a 'pen tester' gave about physical security. He discussed a device he carries in a laptop case that not only can read keys like this but very weak ones such as magnetic strip card keys. In the same case he has blank card keys and the machine to program them on the spot. This guy does it as a job to help companies improve security so he's not committing a crime, but it's worth looking at if electronic lock security is a concern of yours.
Seven words into the video, you got a thumbs-up.
Fantastic timing! I want a system with RFID to see which lawn mower is going for a recharge. This larger reader in the lawn and then an arduino telling which station it should go to. =)
This is the Lock Picking Lawyer and what I have.... wait... GREAT SCOTT!
The majority of RFID tags are very simple and only transmit a set code when energized. However, I worked for a number of years with "rolling code" RFID chips that change the code each time they are used. These are much more secure and extremely difficult to copy. If you are serious about security, look for a rolling code lock and matching tags.
The general person wouldn't go through all that just to break in. The average person wants a quick and easy mark to hit.
Good video
Just configure that reader to work with PIN and CARD :) I am actually working in this field and must admit, I had a great laugh watching your video. A little knowledge is a dangerous thing and you present here just fractions of information, although the final conclusion sums it up: everyone can theoretically pick this lock. In theory everything is easy, on paper everything works :) There is way more technology in the current RFID tags than presented in the video; however, you are right on the presented relay attack, it is the Achilles tendon of most RFID based systems.
Skip cloning the tag with this kind of system. Just bring a magnet to bypass/trip the relay in the keypad. :)
In parking garages, they have UHF RFID readers to open gates that read from 20-40 feet away. Maybe look into those and see how they work.
As a simpler, more secure solution, there are also tags with a button on them that you have to press in order to unlock the door.
Hello, this is not the lock picking lawyer, and today we’ve got an rfid lock.
At work they have these RFID readers basically shaped like a metal detector you see at the airport. All you have to do is have your ID badge somewhere on you, and walking through it will read the tag. It could be in your pocket, in your bag, or dangling from a lanyard under your coat; it will still read it as you walk through. I really wish they installed them at every entrance because it's really a pain to remove my ID to hold it up to the close range readers. They are likely thousands of dollars cheaper and easier to maintain than the large format ones, but still, the large ones are so much more convenient. Should be no problem for the 70 billion dollar company to swing, but hey, the CEO needed a new house or boat or something...
Thanks for making this video, I watch the LPL video, and thought the exact same thing you did!
When playing with RFID, you need a proxmark3. Build your own custom antennas and build configs for them. Not sure if this distance has been surpassed since, though a while back I saw a tutorial on how to build a 2ft (~60cm) hijacking rig, all inconspicuously inside of a backpack. Technically you could post up near the reader and just hijack 125khz RFID credentials (as a PoC to educate the public) all day long. With facemasks still being viewed as socially acceptable, I can see a lot of downtown condos and corporate buildings being at risk for trespassers just walking through the front door, nosus.
This is exactly what I use for this type of work. Only I ordered one of those parking lot HID readers at the gates to exit
There is a particular way of designing the receiving signal coil, which is called a "loop antenna." It can receive over a much longer distance.
A proxmark with some kind of amplification could work. It can also crack vulnerable Mifare classic, or loaded with custom firmware for other kinds of automation like saving keys in the onboard memory for later retrieval.
Okay, I admit I haven't been over here for a little while and I feel bad about that. And yes, like all your other videos this one was super cool and informative. However, please put the old theme song back! I love that song with you building the LEDs.
3:31 From what I can see, your little power supply module has a "push button to activate" function via relay built-in to it and you confused that with the wires coming out of the bolt lock. In the PSU module, when energised, if you apply 12V to the "PUSH" terminal, it will trip the relay and the contacts COM/NC/NC will change accordingly. The bolt lock wiring has nothing to do with this function though. The manual shows that RED/BLACK are for 12/24V power source and the WHITE/YELLOW are for a "locked" contact for monitoring. Meaning if the bolt is out, you get a short (NC) between those two wires. When the bolt retracts you get an open circuit (NO). You would wire that to an input on the door controller so you can monitor if the lock is actually locked or if the bolt is stuck half-way out or something. In short, although the manual has many spelling mistakes, it showed the correct information regarding the four wires coming out of the lock.
Bro, when I saw the notification I thought the video was from the Lock Picking Lawyer, and when you said "this is not the lock picking lawyer" I was like WHAT
Your penmanship is extraordinary! Wow, I am not kidding, I am jealous; this is how I wish my hand printing would look. But it is so hard to change the way you write as an adult. I have tried, but it seems like it is really hard to make changes.
Also the video was really great, very interesting and I also like to watch the lock picking lawyers videos as well!
By the way, does anyone have experience with trying to change/improve your handwriting as an adult? Is there a reason that this is difficult and is it just me or for anyone/everyone?
You can prevent RFID being copied if you wrap your card in some aluminum foil; there are wallets that are sold with aluminum foil built in.
I've wound coils using a speed controlled motor too, been doing it for 30 years. You can use all kinds of motors, even attach it to a portable drill. Cannot see how this can be patented, and don't forget if someone else wants to make winding machines and sell them you will find legal action too costly to fight.
You could make a helical antenna for LF to be able to increase range. Normally this type of directional antenna isn't used nor suggested for as low as 125 kHz, but it can be done. There are some calculators online you can use to help design. You would be able to point in the direction of the transmitter and get a reading and also use it to send a signal to the reader that's connected to the interrogator that deciphers the signal. The polarization would still be the same with a helical antenna, but it'd be a tighter shot because of the distance increase.
How practical would such a system be? Because not only would the "scanner" need to be practical for reading information over long distances, it also needs to be semi-concealable. It would be quite suspicious to be lugging around lots of electrical components that take up a lot of space. If the helical antenna was somehow concealable, then maybe it would be practical for this type of application.
Wait, I clicked on this actually thinking it was an LPL video. The. The first thing I heard was your voice saying this isn’t the LPL 😂 blew my mind for a second
It should be possible to do a passive read from a distance when someone opens the door. With a proper directional antenna directed at the door lock, you could probably detect the communication between reader and tag and decode it.
Yikes, 1970s style RF Communications! Good video!
A more secure approach is the unit to send an encrypted random code to the key, which then has to send back the correct corresponding code.
Of course, the mechanical parts also have to be strong and secure.
Actually, sniffing works only for standards that do not use encryption or for some standards that use a compromised security protocol, such as Mifare Classic variants vulnerable to Nested and HardNested attacks. Sniffing is useless, for example, for Mifare Plus standard readers, which use unique session key generation for encrypting the data stream between reader and tag with AES-128. So, basically, sniffing would be efficient only for old RFID tag standards or for standards that were not designed for use in high security systems. Using outdated standards or standards that are not designed for such purposes is only the manufacturer's fault. I assume, if you need to secure something important with RFID locks, use only Mifare Plus or Mifare Ultralight-C reader variants and tags.
@@johndododoe1411 This is a question of price, actually. The production rate for Mifare Plus is millions for readers and billions for tags; they use an optimized chip topology and provide great capabilities in security; actually it is used all over the world in banking applications. To launch a new simple tag you would have to invest starting from 200k$ only to produce the lithography at an outsourced factory (and this is only the starting price). And also you need to pay engineers who would create the tag topology for you. More logic on the tag, and the price increases. Universal tags with strong security are really expensive to launch as a product, and I suppose the best solution for RFID lock manufacturers is to use well known mass market non-compromised standards, because this is a question of cost efficiency.
Also, well designed products would not give a chance to bypass the security system without vandalism. Usually, the only way to unlock the lock in a well designed system is to physically get to the open/close electrical lock pins; however, you can put in a little more effort and, instead of using simple locks, you can add a controller to the lock and encrypt the signal between the lock and the reader controller, so it wouldn't be enough to send a simple open signal to the lock pins.
I LOVE THE NEW INTRO
RFID readers have been known to get up to 50 feet. In Canada a company did that to ID where every worker was on the plant site.
So reading and detecting RFID at great distance is very possible.
It's also used for toll passes in commercial vehicles. Not sure about passenger.
You should try directing your magnetic field with half open pot cores. You can use FEMM for simulation.
Make a short range rfid listener. Not a reader, just something that listens. Stick it into a nice looking box with a small circuit that stores read values and sends them to you via a simcard. Stick a battery in it and stick it with a sticky tape underneath the reader.
Low chance that anyone will think anything of it.
Nice job. It's a pleasure to watch your videos.
Great intro, Scott!
Good video, as always. Greetings from California
It really comes down to the use case though. If you are worried about a "random bad guy" dropping by, then tag copying isn't really a concern. The "random bad guy" is unlikely to bother making sure they get close enough to you to copy the tag. I see you thought about that a bit, with your 30cm range requirement. But I still think that's not the random bad guy who is hanging around most neighborhoods.
So you are right, yeah, RFID isn't the best if you are worried about a targeted attack. But I don't think that is the use case for these devices.
Maybe it's been mentioned, but you know you can use your phone's NFC to read and write those. I used to pick up tossed ski day use passes with RFID and repurpose them with my OnePlus.
How did you get started with this/what are the limitations of your system? I'm experimenting with reading/writing to RFID right now with different infrastructures. Does the phone require anything special to work? How did you learn how to set up everything correctly?
@@SongSteel if I remember correctly the Google cardboard VR had a RFID to initiate the VR app. Setting this up made me play with RFID. I got some different apps and played a bit with different possibilities. Just a short experience with them...
Great video, Scott! Keep these videos coming!
Thanks! Will do!
Type 1 is unsafe. That's the 125 kHz one. Type 2 is bi-directional and has updatable data in the chip. It's the 2 MHz+ one. Implementation becomes the key factor.
I want to build a home with a fake front door. Imagine having a normal looking residential home where the front door is actually a dummy door. From the exterior it looks like a normal door, but it's actually bolted in place on all edges. To get through the door you would need to remove the wall around it because it's secured in place so well. Instead you would have 2 actual doorways (to satisfy fire safety code) somewhere else, but those doorways are hidden from exterior view.
It's the credit card/password problem where the obfuscation of a shared secret is just deemed sufficient even though anyone could just copy that secret and often wirelessly at a distance. We really need to move to a challenge response authentication but no one wants to invest in such as they consider the lack of security to be an acceptable loss and an opportunity to blame the customers and hence offset indemnifications to the consumer. This won't change without regulation.
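The challenge-response authentication that this comment and the earlier "encrypted random code" comment ask for, next to the static-code tag they criticise, as an added example; it is not code from the video, from any commenter, or from any real tag. The tag UID and key are constructed, and HMAC-SHA256 stands in for the AES-based MAC that products such as the Mifare Plus mentioned above use. The point it shows is that a response recorded from one session is worthless against a fresh nonce, while a recorded static code is the whole credential.

```python
import hashlib
import hmac
import secrets

# Constructed sample credentials (not from any real system).
TAG_UID = bytes.fromhex("0a1b2c3d4e")                          # 40-bit UID, EM41xx-sized
TAG_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")    # 128-bit per-tag secret


class StaticCodeTag:
    """A plain "type 1" tag: it emits the same fixed code every time it is energised."""

    def __init__(self, code: bytes):
        self.code = code

    def respond(self, _challenge: bytes) -> bytes:
        return self.code  # the challenge is ignored; the code itself is the secret


class ChallengeResponseTag:
    """A tag holding a per-tag secret that never leaves the chip. It answers a
    fresh nonce with a MAC over (uid || nonce); HMAC-SHA256 is used here in
    place of the AES-based MAC real tags compute."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()
        return self.uid + mac


class Reader:
    """Door controller with an enrolment table: uid -> per-tag key (or fixed code)."""

    def __init__(self, enrolled: dict, challenge_response: bool):
        self.enrolled = enrolled
        self.cr = challenge_response

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)  # must be unpredictable and never reused

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if not self.cr:
            # Static mode: any response equal to an enrolled code opens the door.
            return any(hmac.compare_digest(response, c) for c in self.enrolled.values())
        uid, mac = response[:5], response[5:]
        key = self.enrolled.get(uid)
        if key is None:
            return False
        expected = hmac.new(key, uid + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)  # constant-time comparison


def session(reader: Reader, tag) -> tuple:
    """One legitimate read. Returns (granted, challenge, response) so the
    over-the-air exchange can be treated as 'recorded' by an eavesdropper model."""
    ch = reader.new_challenge()
    resp = tag.respond(ch)
    return reader.verify(ch, resp), ch, resp


def replay(reader: Reader, recorded_response: bytes) -> bool:
    """Eavesdropper model: a response captured earlier is presented to a new session."""
    ch = reader.new_challenge()
    return reader.verify(ch, recorded_response)


def demo() -> dict:
    static_reader = Reader({TAG_UID: TAG_UID}, challenge_response=False)
    ok_static, _, rec_static = session(static_reader, StaticCodeTag(TAG_UID))

    cr_reader = Reader({TAG_UID: TAG_KEY}, challenge_response=True)
    ok_cr, _, rec_cr = session(cr_reader, ChallengeResponseTag(TAG_UID, TAG_KEY))

    return {
        "static_legit": ok_static,
        "static_replay": replay(static_reader, rec_static),   # recorded code still opens
        "cr_legit": ok_cr,
        "cr_replay": replay(cr_reader, rec_cr),               # stale MAC fails on new nonce
        "cr_wrong_key": session(cr_reader, ChallengeResponseTag(TAG_UID, bytes(16)))[0],
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name:14s} {'OPEN' if granted else 'DENIED'}")
```

Two details carry the security of the scheme: the nonce comes from `secrets` and is never reused (a predictable or repeating challenge turns this back into a static code), and the key stays inside the tag, so copying what goes over the air never yields the credential.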