Chip compatibility with systems and devices

We often get asked which of our products would be the best one to use with access control system X or product Y. The answer can be a little complicated. We do have a running list of products that we need your help keeping up to date, but there are so many systems out there, I figured this write-up would be the best way to go about explaining things.

Basically, using our products with some system or reader comes down to two major things… chip compatibility and magnetic coupling.

Chip Compatibility

I’m going to focus on access control systems to start, because they are the most common application thus far for our products. Access control systems work by reading an RFID tag (which may or may not also be NFC compliant, but that’s really irrelevant in this context) and determining if that tag is allowed access to something (typically a door). The RFID tag will typically have a unique identifier (UID) which some call a serial number. Some RFID tags also have additional memory space to write custom application-specific data to, and some tags even have additional security features to protect access to that data.

The simplest form of access control system only cares about the UID. It will read the UID from a tag and ignore everything else. For most RFID tags, there is no way to secure the UID, it can be read by anyone. This is obviously a huge security hole, but it’s just the way things are for many types of access control or “security” systems. More advanced systems will use more advanced RFID tags and leverage the programmable memory and security features to further secure the system. The way this do this depends on the tags being used and any vulnerabilities discovered in the way those tags implement their security features.

So, with that in mind, we have four terms to discuss - enrollment, cloning, emulation, and cracking.

Enrollment is the act of adding your implant’s unique ID (serial number) to a security or access control system. This works by going to HR or IT or whoever runs your access control system and either 1) reading and giving them your ID bytes, or 2) scanning your implant on an enrollment reader. Some systems use printed ID strings on their cards that do no match the ID bytes, but use a kind of obfuscation system so the security terminal asking for that printed string will “decrypt” the string into actual ID bytes and store those bytes in the system. Figuring out this method of converting bytes to that printed string can be infuriating. With luck, your access control system will simply have an enrollment reader that will read the UID bytes directly from your implant and you’ll be in the system.

Cloning is the act of reading a UID (and possibly memory contents) and copying that bit for bit to another target chip. You create an exact copy of the source chip to another passive chip. This process is similar to copying a traditional metal key by a locksmith. You end up with one or more identical copies.

Emulation is the act of actively reading a source chip into an actively powered microprocessor and the microprocessor will dynamically emulate or “play back” that source tag’s content to a reader. The device is typically battery powered and can store and replay one or more tags.

Cracking is the act of circumventing or reverse engineering the security features of a tag to access protected memory content without properly authenticating. For example, the legacy chip from NXP called the “Mifare Classic 1k” (MFIC1S50) was one of the first chips to attempt securing memory contents with a complex and proprietary access control scheme called “Crypto1”. It has been shown to be vulnerable to multiple types of attack and it is possible to crack the security on these chips and get the security keys, which then allows you to access the memory content.

With those terms in mind, I will now go over our most popular product lines and explain what is possible:

xEM – you can use the xEM with systems that can read and use 125khz EM41xx or 125khz HID ProxCard II chip IDs because you can clone your existing access card ID to the xEM and off you go.

xNT / flexNT – you will need to find a system that reads 13.56mhz ISO14443A tags, but only bothers with reading the 4 and/or 7 byte UID from the tag. It must not use any of the chip’s other memory or “security” features. You cannot change the UID of the NTAG216 chip inside these the xNT or flexNT, so you cannot clone cards to them. You must be able to enroll your implant with the system in question.

xM1+ - This tag emulates a “Mifare Classic 1k” chip which, as explained above, is a legacy ISO14443A chip that uses Crypto1 – a scheme with known vulnerabilities that enable cracking its security keys. The xM1+ uses a special chip that has a “Chinese magic backdoor” … uh… feature? I guess it’s a feature… anyway, you can crack and clone these legacy Mifare Classic 1k cards and clone the entire contents (including the UID) to the xM1+, though depending on the system, you might be able to enroll the xM1+ into the system without needing to crack or clone anything.

flexDF – This is for newer secure systems that use the DESFire EV1 chip in their cards. The DESFire EV1 chip works by defining one or more secure applications on the chip, so you will not be able to crack or clone those applications to the flexDF, but you might be able to enroll the flexDF into the system. Beware though, enrollment of a DESFire EV1 would mean the access control system might greedily hog the entire chip’s memory space with its secure application… one you cannot remove… essentially dedicating your implant to that one application with that one system.

Magnetic Coupling

The other major aspect of an implant’s ability to work with a given system is the reader’s ability to communicate with the implant. This is done through magnetic coupling, where the reader will create a small magnetic field with its antenna. The implant must be able to draw enough energy from this field to power up and modulate the field in order to communicate with the reader. The shape and size of the antenna in the reader and tag work together to allow for good coupling and communication. The problem is, most readers are designed to talk to cards with large rectangular antennas inside. Still, most readers designed this way will be able to talk to our implants at reduced range, but some just cannot. You won’t be able to tell for sure until you test with an actual implant, but the xLED product might help you determine if there’s even a chance of it working before you buy an x-series implant. The flex series is designed to couple much better than our x-series, but there is still no guarantee until it’s been tested.