EAL5+ NFC chip duping

True that.
I meant mostly in the generic sense, about “how hard is it to sniff an applet’s protocol”.

No matter how good that lock seems to be, it’s still targeted to the market, so I doubt they would sacrifice that much usability in favour of security.

the discussion is getting too wild for me… hehe
I understand that it will be impossible to just copy and paste from the lock or the NFC tag
sucks but no harm :sweat_smile:
thanks for the help everyone!

1 Like

Unfortunately that’s exactly how security works…

You don’t need to make a lock that no one will ever break/hack. (not that it would even be possible)
All you’ve got to do is something which is so much of a pain in the ass to hack that it isn’t worth it anymore.

1 Like

So I thought I would chime in on this thread.

I bought one of the tags. Pretty sure it’s a Java applet job.

Here’s what NXP TagInfo gets on a clean card. I’m going to order a compatible lock soon™. I’ll update when that gets in.




1 Like

Yep looks like an ST smartcard chip with mifare emulation turned on.

1 Like

What is the implication of that? If it’s emulating Mifare, would a normal Mifare be possible then as well (of course the correct version), or is the Mifare emulation done afterwards?

How can I best think about the ST cards?

Think of it like apps on your phone. There’s a mifare app and Photoshop and a Bitcoin wallet. If the access system only cares about Photoshop, then presenting it with a Bitcoin wallet is not going to do anything. It really just depends on what the application wants to do with the chip. Is it looking for a mifare transponder? If not, then the existence of the mifare emulation mode on the chip is coincidental and does not apply to this particular application or use of this transponder in this application.

Java Card secure elements allow for multiple applications to exist on the chip that run as actual software applications under an AID or application identifier. Chances are, if the transponders being sold and used with this particular system run Java Card applications, then there is a Java Card application on the chip that the system uses. These chips are considerably more expensive than a simple legacy Mifare chip, so there would be no marketable reason to use a secure element chip unless you were intending to use a secure Java Card application on that chip.

1 Like

Very clear explanation, thanks for that.

I presume using my Proxmark to sniff what’s happening when enrolling the badge would be the way to go. Or are there other vectors to consider?

It’s very likely that sniffing will do you no good simply because the entire purpose of a secure element is to run secure applications… and I’m pretty sure they are going to consider the RF channel an insecure medium for data transfer. Whatever is implemented between door lock and chip is likely secured against sniffing, replay attacks, etc.

Of course, I’ve seen pretty stupid things in the past… It could just be that someone went through all the trouble of creating a Java card application and then just like not implementing any actual security? Maybe?

2 Likes

Sales: “We use a secure Java Card application to authenticate.”

Reality: “We have a Java Card application that returns ‘Swordfish’ to the lock.”

(Ok, if each card can only authenticate to a single lock, then it also returns the lock id.)

Edited to add: having read the definition of EAL you could easily develop such an application to meet EAL 7, and “various smart card platforms meet EAL 5”. So they could just be claiming that they are using an EAL 5 smart card, and use the MiFare simulator on it. It would be a case of spending extra money to get a higher security classification. I have already heard other lock companies state that they use “more secure” cards when they are just reading the ID from a more capable card.

1 Like

Yes absolutely… they could indeed just be using the ID of the emulator hahaha. That would be pretty easy to test for the proxmark in emulation mode or just cloning the ID to an xM1 one or magic card.

So I guess, do the sniffing and we’ll see what the lock does. If it doesn’t even attempt to select an AID then yeah, it’s just using the ISO 14443A ID and someone needs to be taken out back and shot.

2 Likes
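The test proposed above (does the reader ever SELECT an AID, or does it stop after anticollision?) can be automated over a sniffed trace. What follows is an added example for this thread, not code from any of the posters or from the lock vendor: it parses a constructed, simplified frame listing (one frame per line, `Rdr`/`Tag` plus hex bytes, ISO 14443A CRC already stripped, 4-byte UID only) and reports whether the reader selected an applet by AID, ran a Mifare Classic AUTH, or only read the UID. The three traces, the UID `DEADBEEF`, the AID `F0...` and the command bytes after the SELECT are all made up for illustration; real `hf 14a sniff` output would need a small parsing shim, since this is not Proxmark's native format.

```python
"""Classify what a reader actually uses from a sniffed ISO 14443A exchange.

Added example (not from the original thread). Assumed input: one frame per line,
"Rdr" or "Tag" followed by hex bytes, CRC bytes already removed, single-size
(4-byte) UID. Text after '#' on a line is ignored.
"""
import re

_FRAME = re.compile(r"^\s*(Rdr|Tag)\s+([0-9A-Fa-f ]+)$")

# Constructed traces, not captured from any real lock or card.
TRACE_APPLET = """
Rdr 26                                   # REQA
Tag 04 00                                # ATQA
Rdr 93 20                                # anticollision, cascade level 1
Tag DE AD BE EF 22                       # UID0..3 + BCC
Rdr 93 70 DE AD BE EF 22                 # SELECT cascade level 1
Tag 20                                   # SAK: ISO 14443-4 capable
Rdr E0 80                                # RATS
Tag 0B 78 80 82 02 20 63 CB A3 A0        # ATS (constructed)
Rdr 02 00 A4 04 00 07 F0 01 02 03 04 05 06       # I-block: SELECT by AID (hypothetical AID)
Tag 02 90 00                             # applet selected
Rdr 03 80 10 00 00 08 11 22 33 44 55 66 77 88    # proprietary challenge (hypothetical)
Tag 03 AA BB CC DD 90 00                 # response (hypothetical)
"""

TRACE_UID_ONLY = """
Rdr 26
Tag 04 00
Rdr 93 20
Tag DE AD BE EF 22
Rdr 93 70 DE AD BE EF 22
Tag 20
Rdr 50 00                                # HLTA: reader is done once it has the UID
"""

TRACE_CLASSIC = """
Rdr 26
Tag 04 00
Rdr 93 20
Tag DE AD BE EF 22
Rdr 93 70 DE AD BE EF 22
Tag 08                                   # SAK: Mifare Classic 1K
Rdr 60 04                                # AUTH with key A, block 4
Tag 01 02 03 04                          # tag nonce (constructed)
"""


def parse_trace(text):
    """Return [(direction, bytes), ...] for every frame line; comments and blanks skipped."""
    frames = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        m = _FRAME.match(line)
        if m:
            frames.append((m.group(1), bytes.fromhex(m.group(2).replace(" ", ""))))
    return frames


def strip_iblock(frame):
    """If frame is an ISO 14443-4 I-block, return its INF field (the APDU), else None.

    I-block PCB: b8b7 = 00, b2 = 1; b4 = CID present, b3 = NAD present.
    R-blocks (1010 xxxx) and S-blocks (11xx xxxx) are rejected here.
    """
    if not frame:
        return None
    pcb = frame[0]
    if (pcb & 0xC0) != 0x00 or (pcb & 0x02) != 0x02:
        return None
    idx = 1 + (1 if pcb & 0x08 else 0) + (1 if pcb & 0x04 else 0)
    return frame[idx:]


def analyze(text):
    """Summarise reader behaviour: UID, RATS sent, Classic AUTHs, AIDs selected, verdict."""
    frames = parse_trace(text)
    info = {"uid": None, "rats": False, "classic_auth": [], "aids": []}
    for i, (direction, data) in enumerate(frames):
        if direction != "Rdr" or data in (b"\x26", b"\x52"):   # skip tag frames, REQA, WUPA
            continue
        if data[:2] == b"\x93\x20" and i + 1 < len(frames) and frames[i + 1][0] == "Tag":
            info["uid"] = frames[i + 1][1][:4].hex().upper()    # tag answers UID0..3 + BCC
        elif data[:1] == b"\xE0":
            info["rats"] = True                                  # reader wants ISO 14443-4
        elif data[:1] in (b"\x60", b"\x61") and len(data) == 2:
            info["classic_auth"].append((data[0], data[1]))      # Mifare Classic AUTH A/B, block
        else:
            apdu = strip_iblock(data)
            # ISO 7816-4 SELECT by DF name: CLA=00 INS=A4 P1=04, Lc then AID
            if apdu and len(apdu) >= 5 and apdu[:3] == b"\x00\xA4\x04":
                lc = apdu[4]
                info["aids"].append(apdu[5:5 + lc].hex().upper())
    if info["aids"]:
        info["verdict"] = "applet"
    elif info["classic_auth"]:
        info["verdict"] = "mifare_classic_auth"
    else:
        info["verdict"] = "uid_only"
    return info


if __name__ == "__main__":
    for name, trace in (("applet", TRACE_APPLET), ("uid_only", TRACE_UID_ONLY),
                        ("classic", TRACE_CLASSIC)):
        print(name, analyze(trace))
```

Reading the verdict in the terms of this thread: `uid_only` means the UID is all the lock checks, so writing that UID to a magic card or the Proxmark in emulation mode should open it; `mifare_classic_auth` means the lock at least keys on sector data, so you need the keys before cloning; `applet` means the lock selected an AID and whatever follows is the applet's own protocol, which is where sniffing alone is expected to stop being enough. The example does not parse cascade level 2 (`95 20`) for 7-byte UIDs or chained I-blocks, so extend it before trusting it on a card with a double-size UID.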

I would love to be proven wrong. But I am too cynical.

1 Like

Haha I mean, if it’s so stupid that you shouldn’t do it. Someone probably already has done it somewhere.

I’ll definitely give it a shot with one of my magic Mifares as well.