As a have a few RS232 and Wiegand readers on order and I intend to use them to log into my personal and work computers (login, screensaver unlocking and general PAM authentication under Linux), I decided to prepare my machines to handle those readers. I figured this might be of interested to some of you also.
Serial readers are “dumb” in the sense that, unlike PC/SC or CCID readers, they only report the UIDs of whatever chip they happen to be able to read. You can’t use them to do anything smarter.
Usually that’s good enough for cheesy unencrypted UID-based authentication (think door reader), and that’s why there are so many of these things on the market. For the purpose of logging in and unlocking screensavers with my implants on my computers in low-security environments, they’re good enough too.
There are two kind of serial readers: those that send the UID once when a chip is presented, and those that send the UID repeatedly as long as the chip is in the RF field.
The first kind is okay for isolated authentication events or for recording UIDs, but they can’t be used to assess the presence or absence of a chip on the reader continuously. So you can’t use them if you want to keep your session up only as long as the chip is present, and lock it up as soon as it disappears. You can’t use them to trigger events based on how long a chip stays on the reader either - for instance, I lock my session by presenting my implant to the reader for more than 5 seconds.
The second kind is clearly better, and since the devices I ordered work like that, that’s what I concentrated on.
So, how to determine if your reader is one-shot or repeating?
On Windows, find out what real or virtual COM port the reader sits at, fire up a serial terminal (like Putty), open the COM port at the right baudrate and format (usually 9600/8N1) and bring a chip close to the reader. If it outputs the same UID over and over as long as you keep the chip on the reader, it’s a repeating device, and that’s what you want:
On Linux, do the same thing: determine what device file corresponds to your serial reader, open a terminal and cat it:
- Using a repeating serial reader on Linux
A while ago, I coded a set of utilities to handle simple UID-based authentication with PC/SC-compatible readers, such as the ubiquitous ACR122U and many others. There’s a PAM module, a Gnome screesaver locker / unlocker, and a couple of other minor toys.
I added a small background service to watch the output of a serial reader, and extended the other scripts to handle the UIDs coming from the serial reader as well as from PC/SC readers.
You can find it here: https://github.com/Giraut/nfcutils
It’s a bit rough on the edges: the code is clean and works well, and the documentation is complete, but it’s all in in the headers of the scripts, and you kind of need to know your way around a Linux system to install and configure things. At some point I really should make a proper package, but… well, I’m lazy. Sorry…
However, if you want to volunteer to package it up, submit it to Debian and Fedora and maintain it (which bores me no end), you’re welcome to chip in. Hint hint
- Using a repeating serial reader on Windows
After some experimening, it turns out my old friend Rohos Logon Key also handles dumb serial readers. Yes, I know, I keep harping on about that thing, but what can I say… again, it does the job
So after installing it, go to
Options and select
Despite the long list, there’s nothing special about those readers: they’re all dumb serial readers that send a stream of hex-encoded, CR- or LF-terminated transponder UIDs. Any other reader that does the same thing will work equally well. The entry should really just be called “Generic serial RFID reader”.
Setup authentication key, if your reader isn’t on COM1, Rohos Logon Key will complain:
Just click OK, then select the setup icon thingy on the right, then the correct COM port, and you’re all set:
The software should tell you it sees a reader (it doesn’t see anything really, it was simply able to open the COM port), then you’ll be able to set your Windows password when you present your implant to the reader - and keep it there, which is awkward to type at the same time.
I hope this will help you get going with serial readers.