Conventional access control systems are often replaced by RFID based systems because of the great flexibility of this systems. If a key is lost or requires more or less access privileges conventional systems fail while RFID based systems can accomodate such requirements.

At the same time the user expects the access control system to be very secure and to prevent unauthorized access to the building and rooms.

If low-frequency transponder (125kHz) are used, the security depends very much on the actual transponder. While some 125kHz transponders support crypto algorithms, we have not found a single secure transponder, yet. All crypto algorithms by the low frequency transponders currently available are or may be easily broken. Many transponders commonly used in access control systems do not even support such crypto mechanisms.

Even if the vendor stores its own information on the transponders using current state of the art crypto algorithms like AES an attacker can always emulate such insecure transponders.

If the vendor stores the access privileges on the transponder and does not encrypt the information securely these access privileges may even be modified resulting in keys which could open any door.

If the access privileges are not stored on the transponder most often only the UID of the transponder is evaluated by the access control system. In such cases often the emulation of this UID is sufficient to spoof the access control system.

To discuss an actual transponder we use the example of the Hitag-S transponder. The attack is done in several steps, because the Hitag-S does support a cryptographic authentication scheme. First the attacker requires access to the transponder token to retrieve the UID. This UID is then used to emulate the transponder. The emulated transponder is used on an access control lock. The communication between the lock and the token is eavesdropped. The lock will try to communicate with the transponder using encrypted messages. These eavesdropped messages are used to calculate the encryption key.

The calculated encryption key is then used to access the original transponder again. The attacker may then retrieve the full content of the original transponder and can emulate the full transponder resulting in the same access control privileges.

These findings were presented at the 32c3. We published several advisories as well. A compiled table summarizes our experiences with different transponders. If a specific transponder is not included in this table or you need further information or a demonstration of the attack, please contact us.

We have published two videos on youtube showing the attack on access control systems using either the EM4102 or the EM4x50 Transponder. Numerous access control systems still use these transponders today.