20$ secure NFC door lock controller

https://www.youtube.com/watch?v=YDe2o5Jo0Wg

This is my latest project. A NFC Door Lock Controller that works with many different ident-media. e.g: Yubikeys, Tesla Key Cards, Tesla Phone Key via NFC, DESFire EV - Series with AES Encryption, probably more can be implemented. What !!!expressly not!!! implemented is - a simple UUID-Check, so Mifare-classic cards will never be able to open a door with my unit for security reason.

What is working:

  • Yubikey OATH on a single credential slot (w or w/o PIN-protection (hardcoded to a fixed PIN yet))
  • Yubikey challenge-response with eighter slot1 or slot2 HMAC-Key
  • every OATH credential is valid to a single yubikey only, so even you let your credential qr-code unattended and someone else scans this code, this will not work with a 2nd yubikey.
  • DESFire EV-Series NFC cards / tokens with AES128 protected APP installed
  • Blacklisting DESFire or Yubikeys via https-update
  • Tesla Key Cards / Fobs / Phone-key via NFC (Android only) when whitelisted
  • Whitelisting Tesla Cards via https-update
  • Firmware update via https for both back- / frontend triggered via a “master-key”-token

Replay attacks are probably impossibe. DESFIRE and YUBIKEY works with NONCES. Every YUBIKEY in OATH-Mode has its own HMAC-Key. For Tesla-keys and cards every swipe will generate a random ECDH-Key-pair at the backend-unit and a random challenge for authentication. DESFIRE and Yubikeys can be blacklisted via https-update, every tesla card has to be whitelisted to work.

ToDo:

  • change key generation code for DESFIRE-Cards so every DESFIRE card has its own AES-Key
  • add a I2C Touch-Keypad at the Frontend for entering a numerical PIN for OATH-App unlocking
  • maybe DESFIRE-Personalization via a master-token at the frontend
  • some other working token (U2F) (dindn’t understood the protocol yet)
  • suggestions???

Regards
Peppy.

8 Likes

This looks really interesting.
While i’m not a fan of using ESPs as a backend, i’m sure this would be portable to something that can run on other platforms

Yep, i have a wifi version too. The backend runs on a raspberry pi and triggers a wifi relay. This one is a stand alone door lock without wifi and much less power consumption than running some server + wifi.

1 Like

Looks interesting. What board are you using as a reader? Hows the read distance for implants? Are you planning on open sourcing any of it?

1 Like

Hi. The reader is a pn532 with an ESP32-s3 mini backpack. The reading distance for normal cards and transponders aare between 1 and 4 cm. I don’t have an implant, so i can’t say what the reading distance might be. I plan to open source anything, when it is finish…

3 Likes