RFID / NFC tags, cloning, and emulation


#1

In the late 1990s, RFID tags rapidly grew in popularity and use around the world for supply chain management and animal identification (pets, livestock, lab animals, etc.), and bloomed again in the mid 2000s with the introduction of the NFC standard.

The primary use case for an RFID tag is usually always about identifying something… there are outliers, but it’s primarily an identity technology. How that identification is used depends on who’s using it… when it comes to industries like retail outlets or inventory management services, an RFID tag identifies inventory… how much of something and where it is at what time… if inventory is moving in a warehouse or on a shelf or shipped to another warehouse. The pet industry uses RFID tags to identify lost animals when they are captured and brought to a veterinarian or animal shelter, in hopes the animal’s owner has registered and kept up their current contact information.

The human use case

In the case of humans, RFID identification is typically used for various types of access control. Whether it’s a RFID card in your wallet, integrated into your work badge, or implanted inside of you… typically the primary purpose is to grant you access to your office, your computer, elevators, ride share cars, computer login, etc. How that identifier is stored, read, and used depends on the system and chip types involved. There are highly secure chips that use various levels of security and encryption and crypto-key lengths… but the overwhelming majority of RFID based access control systems deployed for decades and still sold today use the simple, insecure UID.

The UID

Most passive RFID tags have a UID (unique ID) number that is supposed to be unique. Present your card to the reader, and the card just spits out its UID. The reader compares that to an internal list, and doors open… elevators whirr into life… it’s that simple.

In the old days, before RFID chip makers were selling millions of chips a year that are made into cards, it was normal to consider a 32 bit ID (4 bytes) “unique”, but quickly as numbers ramped up and other companies got into the game, it was impossible to manage and duplicate IDs were quickly making their way into the general market. These types of short length ID numbers are called NUIDs (non-unique IDs) now.

Worse still, a protocol from the 1970s called Weigand rapidly became extremely popular (and still is)… only it supports a maximum ID length of just 26 bits! That means when a 32 bit ID is presented, 6 bits are truncated by the protocol, meaning a total of 64 completely different cards with completely different ID numbers would all read as the same 26 bits! Insane.

Eventually longer UIDs were created which are 7 bytes. These are designed to be globally unique, or at least carry an extremely low chance of two cards with the same ID being used in the same deployment… but it’s a losing game… especially with China being involved for the last few decades.

Read only UID vs writable UID

At first, even though RFID chip manufacturers were not coordinating their ID lists with each other… they at least understood it would be a good idea to make those IDs read-only and not changeable. If two people want to get into the same door, then each person should get a unique ID and access should be managed. If card IDs could be changed, people would inevitably think of and manage RFID cards like they would keys, and you’d have cards being copied like traditional keys are copied… and managing things would becomes a huge mess. Nobody would suggest everyone in a big corporate department share the same email account or network password, so why share keys when it’s so simple not to?

Well, of course, people gotta be people… and people started asking uninformed questions like “why can’t I copy my RFID card like I can copy my key?” … so the Chinese obliged and started producing… well I don’t want to say knock-off or counterfeit… but let’s just say they produced “compatible” RFID chips that also allowed the UID to be changed… and “cloning” tools that made copying tag IDs to these new chips a snap.

Cloning vs Emulation

The first step in cloning an RFID tag is to read the ID from the source tag. Reading the UID from a typical passive RFID tag is easy. These tags are designed to literally spit out their ID as soon as they receive enough power, or are simply asked for it (“selected”). Once you have the ID from your source tag, you can do two things with it… clone it to another tag, or emulate it. Cloning is simply the act of writing that ID to a target tag that allows its UID to be changed.

Emulating is similar to cloning, but how it works is much more advanced. When you read the ID out of the source tag, you are using an active device… a thing with a power supply which generates a resonant magnetic field that the passive RFID tag uses to induct power for itself and also acts as a medium for data transmission… the RFID tag and reader communicate with each other by manipulating the power drain on that magnetic field. It’s like the reader extended a rubber band out to the tag and the tag is yanking on it… sending a 1 means yanking hard while sending a 0 means yanking softly. An emulator uses it’s own active circuitry to “act” like a tag, yanking on that rubber band and sending whatever data it wants. So, an emulator pretend to be any number of different IDs by just sending whatever ID it wants to the reader.

Which products have a writable UID?

At the moment, Dangerous Things has two products with a writable UID; the xEM and the soon to be released xM1+.

The xEM is geared toward the most popular chip types in the 125khz market, including EM (em4102, em4200, etc.), HID ProxCard II, Indala, and others. Those chip types can typically be cloned to the xEM.

The xM1+ is a Mifare S50 1k “Classic” compatible chip with a “Chinese backdoor” feature (if you want to call it that) which allows all data on the chip to be completely writable, regardless of any memory sector security, A/B crypto1 key values, or access control bit settings.


How to discover card types?