EAL5+ NFC chip dupping

hello hello!
I have a door lock that supports a very specific type of NFC card, and on the product page it says it's using EAL5+ security. I was wondering: is it possible to duplicate an empty card onto a fresh implant and add it to the lock as a new card? Or even cloning a preconfigured NFC card (aliexpress link)?

I also have a cheap NFC sticker which the lock didn't even react to…

thank you thank you!

Hmm, honestly not sure on this one. May be that it's using a DESFire chip or some other app-based card, maybe even a Java Card. Or maybe it's just all marketing bullshit :sweat_smile:

What I’m trying to say is without testing one and the cards there’s not really any way to know.

Reading your post, you have actually got one of the locks. If so, does your phone support NFC?

If so, can you install TagInfo and scan one of the functional cards? That should tell us something about what we are dealing with.

1 Like

EAL ratings are like IP ratings: under a certain value, it's probably just the marketing department adding yet another impressive-looking acronym that really only means "designed to be better than the cheapest, cheaper than the best, and able to withstand normal usage conditions". And if there's a plus sign after the acronym that's not part of the standardized scale, then you can be extra-sure it's bullshit :slight_smile:

Also, it’s sold on Aliexpress. That should tell you something.

3 Likes

To add to what @anon3825968 is saying… EAL means the chip might be rated for that, but that doesn't mean the lock is using any of those features. For example, the Apex will be Common Criteria and EAL rated, but things that just use the UID for "security" will definitely not be using any features related to those ratings. Chinese listings are 99% search engine catch-alls and 1% accurate content. They lie a lot.

2 Likes

Ignoring the fact it’s Chinese, is it possible to fake an EAL5+ standard?

Also thank you everyone for your 2 cents :smile:

1 Like

I have a Galaxy S6 which I use for testing and an iPhone as a main driver. I will test in the morning by scanning the tag; which app do you recommend?

Wish I could pin that reply, @anon3825968! :rofl:
Spot on, informative and hilarious!!

Not sure if I should be more scared about the plus sign added or the fact it sells on Aliexpress! :laughing:

TagInfo by NXP

I scanned it; all I get is "empty" with no format and no content, saying no NDEF detected…
@anon3825968 @Eyeux

Edit: scanned it with an iPhone and I get a stack error from the reader app; it won't even forward.

Reading here it’s a common thing to add a plus at the end

@amal the lock won't accept a pre-written card such as a credit card or a bus card; even a cheap sticker from Aliexpress won't be paired, only the one in the link I shared.

I assume that is the key card you have.

"no NDEF detected" might be misleading: it can mean "no NDEF capabilities", or "no NDEF files present". The latter means it can hold NDEF; it's just empty.

Regardless of the meaning, though, this points to one of 2 options:

  • Only the card ID is being used
  • a Javacard applet is being used

Even if the system only uses the ID, it might still only accept a specific card type (i.e. it might need a 7 bit pin from a type 2 card only, etc…).

  • To test this you would need to make sure you have another card from the exact same model, where you can modify the UID to match your key card.

If it uses a Javacard app to communicate a password securely, though, then cloning it is a much bigger challenge.

  • To verify if a card has any Javacard applets you just need to check:

    1. its type (i.e. does it have Javacard capabilities?)
    2. its free memory (i.e. does it have any applet installed?)

If it has a Javacard applet installed, then the means to clone it are far too complicated and won't be worth your pain (IF it is possible for this particular card) :disappointed:

2 Likes

Is it possible to send one of those cards to Amal and have it made injectable? :o
Also, what does it say about the overall security?
Being Chinese and all, "AQARA" is one of the Chinese companies that gained my trust fully :o

1 Like

That one is with @amal to answer. :wink:
Although he does have a “card conversion service”, I wouldn’t be sure about that one card.

Well… most likely all the cards/readers/chips around are “Chinese” anyway.

My security concerns flare out when you take a “finished” product designed for aliexpress or wish, and use it out of the box.
But even one of such products can be tinkered to become properly secure anyway.

1 Like

There are 3 kinds of Chinese products:

1/ Genuinely good Chinese-branded Chinese-made products: not very many of those available outside of China, but there are more and more every day. The problem is telling them and those of group 3/ below apart when you don’t speak Chinese.

2/ China-made products sold under a western brand: everything is made in China anyway, and many excellent things are designed in China also. But you’ll usually find good Chinese products under a well-known western brand-name outside of China, that’ll vouch for quality and reassure western buyers. The archetypal example of this is Apple.

3/ Chinese-“designed” (or badly copied), Chinese-built (more like thrown together) products that are shoddy through and through, 1970’s-stylee, targeted squarely at western suckers. Still plenty of those around. Look no further than Aliexpress to get those.

I bought quite a few purely Chinese products on Aliexpress, mainly because I couldn't find an equivalent elsewhere. While it's true that I did find a gem here and there, most of the products I received were truly appalling, and in at least 2 cases I was lucky they didn't set my house on fire. Really!

1 Like

True that!
Can't stress enough how much I loved my Blackview phone! I only had to charge that damn thing once a week! And it worked as a power bank strong enough to keep my Raspberry Pi (2) running!

Anyhow, I digress!

Also, it’s a really good (and comical as always) split you got there, @anon3825968!

It’s unfortunate my BV9800 Pro is incapable of scanning my Flex One.

1 Like

It's not a standard in that way… it's a certification. You can "fake" it just by saying it. It's like saying yes, this product has the CE mark, and they just print the CE logo on it… it's a lie.

Maybe. Did you post a photo of it already? Is it a standard card?

1 Like

I posted a link where you can buy them in the opening post, titled "aliexpress".

Checked the link.

Looks like a javacard applet job to me.

Made by Xiaomi, if we can sniff the protocol we can probably build an applet.

I’m up for it, assuming the price is right for me to get a lock and card set. It seems more secure than 90% of door locks at this point, if it isn’t lying.

Edit: Not liking the pricing on the lock itself, but I will order a card to have a look at.

If we can get someone to sniff the protocol enough, we will likely be in business.

1 Like

That’s the problem with most good phones… they lack a good NFC module.
I'm thinking about how to make a proper "NFC case" for my Pine Phone. I can even run a Proxmark from it, but it's quite impractical. :sweat_smile:

Now back on track…

Oh, I totally missed the when I first read!
But judging by @BaRaD’s description, it does look like an applet job to me as well.

As long as it does not implement a tokenized timed encryption, it shouldn't be too hard to sniff out the protocol if you know what you're doing. But that damn thing is too pricey for a novelty project imho.

(I obviously trust @fraggersparks for that. The emphasis is to reiterate my previous comment that sniffing applets is often more work than it's worth.)

One thing to consider is they won't have rolled their own. It's "public key" encryption, so it's either RSA or ECC. It says the chip binds to a single door lock. My guess is it's Diffie-Hellman with the lock, and the two store the generated key for future use.

1 Like
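As an added illustration (not code from this thread, and not the lock maker's protocol, which nobody here has seen), here is a toy model of the two designs the thread contrasts: a lock that trusts the card UID alone, beside one that binds a card at enrolment with a Diffie-Hellman agreement and afterwards authenticates it with a challenge on the stored shared key. The group parameters, lock IDs and UID are constructed for the demo; the modulus is far too small for real use.

```python
"""Toy model: UID-only lock vs. lock that enrols a card via Diffie-Hellman.

Constructed demo parameters, not a real product's protocol. The 61-bit
Mersenne prime keeps the arithmetic readable; a real design would use a
standardised ECDH or MODP group.
"""
import hashlib
import hmac
import secrets

P = 2**61 - 1   # toy group modulus (prime, but far too small for real use)
G = 3           # toy generator


def derive_key(shared: int, lock_id: bytes) -> bytes:
    """Bind the DH shared secret to one lock so the key is lock-specific."""
    return hashlib.sha256(shared.to_bytes(8, "big") + lock_id).digest()


class Card:
    def __init__(self, uid: bytes):
        self.uid = uid
        self._priv = secrets.randbelow(P - 2) + 1   # never leaves the card
        self.pub = pow(G, self._priv, P)
        self._lock_keys: dict[bytes, bytes] = {}    # lock_id -> stored key

    def enrol(self, lock_id: bytes, lock_pub: int) -> None:
        self._lock_keys[lock_id] = derive_key(pow(lock_pub, self._priv, P), lock_id)

    def respond(self, lock_id: bytes, challenge: bytes):
        key = self._lock_keys.get(lock_id)
        return None if key is None else hmac.new(key, challenge, hashlib.sha256).digest()


class Lock:
    def __init__(self, lock_id: bytes, uid_only: bool = False):
        self.lock_id, self.uid_only = lock_id, uid_only
        self._priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self._priv, P)
        self.enrolled: dict[bytes, bytes | None] = {}   # uid -> key (None = UID only)

    def pair(self, card: Card) -> None:
        """One-time enrolment: UID-only locks just remember the UID; the DH lock
        exchanges public values with the card and both sides store the derived key."""
        if self.uid_only:
            self.enrolled[card.uid] = None
        else:
            self.enrolled[card.uid] = derive_key(pow(card.pub, self._priv, P), self.lock_id)
            card.enrol(self.lock_id, self.pub)

    def open_with(self, card: Card) -> bool:
        if card.uid not in self.enrolled:
            return False
        key = self.enrolled[card.uid]
        if key is None:                      # UID-only: any card showing this UID opens it
            return True
        challenge = secrets.token_bytes(16)  # fresh per attempt, so replays do not help
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        answer = card.respond(self.lock_id, challenge)
        return answer is not None and hmac.compare_digest(answer, expected)


def demo() -> dict[str, bool]:
    uid = bytes.fromhex("04a1b2c3d4e5f6")   # constructed 7-byte UID
    genuine, same_uid = Card(uid), Card(uid)  # second card: same UID, its own key pair
    uid_lock = Lock(b"lock-uid", uid_only=True)
    dh_lock = Lock(b"lock-dh")
    uid_lock.pair(genuine)
    dh_lock.pair(genuine)
    return {"uid_lock_genuine": uid_lock.open_with(genuine),
            "uid_lock_same_uid": uid_lock.open_with(same_uid),
            "dh_lock_genuine": dh_lock.open_with(genuine),
            "dh_lock_same_uid": dh_lock.open_with(same_uid)}
```

The UID-only lock accepts both cards because it checks nothing the second card does not also carry; the enrolled lock rejects the second card because the stored key depends on a private exponent that never left the original card.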