Most hotels use NFC keycards. NFC stands for Near Field Communication, and it is used in a wide variety of products, from tags to keycards. Most smartphones today have NFC built in. Today we will go over how to clone a common hotel NFC keycard with an Android phone.
Equipment:
Android phone — Should have NFC capability and be able to read MIFARE Classic cards; a list of known incompatible phones is here
Hotel room keycard — Hopefully a MIFARE Classic card
MIFARE Classic 1K or 4K card — We will be writing the copied data here
Optional: external NFC reader
Software:
MIFARE Classic Tool — Used to read and write cards
Optional: Kali NetHunter for the external NFC reader
Taking Data from the Hotel Keycard
In this demonstration, I will be using a Nexus 5X running Kali NetHunter (stock Android is fine). We'll start by extracting the data we need from the key we want to clone. In the MIFARE Classic Tool app, select the Read Tag option.
In the Read menu, select only std.keys. Once std.keys is selected, press the Start Mapping And Read Tag button.
If it works you'll see a page of hex values; this is the data stored on the card. You may have to try multiple times to get a good read, depending on your phone. If you are unable to get anything, try the extended keys option.
Once you have completed the steps above you should have the data needed to unlock the door.
Creating the Clone
Take the blank MIFARE Classic card and place it near your phone. In the app, select the Write option, then the Write Dump (clone) option. Select the dump you got from the previous step. A popup will ask which sectors to copy. Typically only the first sector is needed, but occasionally hotels write to multiple sectors.
Once you have selected the sectors, a menu similar to the Read menu will show up. Once again select std.keys or the extended version. The writing process may take multiple tries.
Once the writing process is finished, you can try the cloned keycard on the lock. If everything went well, the lock will open. If it doesn't, something must have gone wrong during the reading or writing process.
mfcuk and mfoc
If std.keys and the extended version don't work, then use these tools. mfcuk and mfoc both require Linux and an external NFC reader. To use these tools on an Android phone, Kali NetHunter and a custom kernel will be required.
I will not go over these tools in this article but you can find information on mfcuk here and mfoc here.
Conclusion
NFC keycards are a useful security tool. However, a prepared attacker can quickly defeat their security if the card is set up incorrectly. MIFARE Classic cards are especially vulnerable because they have been extensively researched and are still widely deployed. The best mitigations against the attacks described above are to change the default keys on the card and to prevent the original card from being read.
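The "change the default keys" mitigation is easy to state and easy to get wrong across a fleet of cards, so here is an added audit script (not part of the original post, and not a feature of MIFARE Classic Tool) that an operator can run over a dump of one of their own cards to check key hygiene. It assumes a dump layout modelled on the app's text format: a "+Sector: N" header followed by one 32-hex-character line per 16-byte block, with "-" marking bytes that could not be read. The sample dump, the key values and the block contents in it are constructed for illustration, not taken from a real card.

```python
"""Audit a MIFARE Classic dump for weak sector-key configuration.

Added example, not part of the original post. The dump layout
("+Sector: N" header, one 32-hex-char line per 16-byte block, "-"
for unreadable bytes) is an assumption modelled on MIFARE Classic
Tool's text dumps. SAMPLE_DUMP is constructed, not read from a card.
"""
import re
from typing import Dict, List

FACTORY_KEY = "FFFFFFFFFFFF"    # key A / key B as shipped from the factory
TRANSPORT_ACCESS = "FF0780"     # access bits of the factory "transport" configuration
BLOCK_LINE = re.compile(r"^[0-9A-Fa-f-]{32}$")

# Constructed sample: sector 0 untouched from the factory, sectors 1 and 2
# with operator keys (key A shared between them), sector 3 unreadable.
SAMPLE_DUMP = """
+Sector: 0
0A1B2C3D880400C810002000000015A7
00000000000000000000000000000000
00000000000000000000000000000000
FFFFFFFFFFFFFF078069FFFFFFFFFFFF
+Sector: 1
11111111111111111111111111111111
00000000000000000000000000000000
00000000000000000000000000000000
1A2B3C4D5E6F787788C16F5E4D3C2B1A
+Sector: 2
22222222222222222222222222222222
00000000000000000000000000000000
00000000000000000000000000000000
1A2B3C4D5E6F787788C10F1E2D3C4B5A
+Sector: 3
--------------------------------
--------------------------------
--------------------------------
--------------------------------
"""


def parse_dump(text: str) -> Dict[int, List[str]]:
    """Return {sector_number: [block hex strings]} from a dump in the assumed layout."""
    sectors: Dict[int, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("+Sector:"):
            current = int(line.split(":", 1)[1])
            sectors[current] = []
        elif current is not None and BLOCK_LINE.match(line):
            sectors[current].append(line.upper())
        else:
            raise ValueError(f"unexpected line in dump: {raw!r}")
    return sectors


def access_bits_consistent(access_hex: str) -> bool:
    """Check the inverted/non-inverted copies of C1..C3 in trailer bytes 6-8 agree.

    Byte 6 holds ~C2 | ~C1, byte 7 holds C1 | ~C3, byte 8 holds C3 | C2
    (high nibble first). A mismatch means a corrupt or mis-written trailer.
    """
    b6, b7, b8 = (int(access_hex[i:i + 2], 16) for i in (0, 2, 4))
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    return ((b6 >> 4) == (~c2 & 0xF)
            and (b6 & 0xF) == (~c1 & 0xF)
            and (b7 & 0xF) == (~c3 & 0xF))


def audit(sectors: Dict[int, List[str]]) -> List[str]:
    """Return human-readable findings about key hygiene, one string per issue."""
    findings: List[str] = []
    sectors_by_key_a: Dict[str, List[int]] = {}
    for num, blocks in sorted(sectors.items()):
        if not blocks:
            findings.append(f"sector {num}: no blocks in dump")
            continue
        trailer = blocks[-1]                       # last block of a sector is the trailer
        if "-" in trailer:
            findings.append(f"sector {num}: trailer not fully readable (keys unknown)")
            continue
        key_a, access, key_b = trailer[:12], trailer[12:18], trailer[20:32]
        if key_a == FACTORY_KEY:
            findings.append(f"sector {num}: key A is the factory default")
        if key_b == FACTORY_KEY:
            findings.append(f"sector {num}: key B is the factory default")
        if key_a == key_b:
            findings.append(f"sector {num}: key A and key B are identical")
        if access == TRANSPORT_ACCESS:
            findings.append(f"sector {num}: access bits still in factory transport configuration")
        elif not access_bits_consistent(access):
            findings.append(f"sector {num}: access bits are inconsistent (sector may be unusable)")
        sectors_by_key_a.setdefault(key_a, []).append(num)
    for key, nums in sectors_by_key_a.items():
        if len(nums) > 1:                          # same key A protecting several sectors
            findings.append(f"key A reused across sectors {', '.join(map(str, nums))}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dump(SAMPLE_DUMP)):
        print(finding)
```

Run against the constructed sample it reports sector 0 as fully factory-default, sector 3 as unreadable (so its keys could not be assessed) and the key A shared by sectors 1 and 2. The unreadable case is deliberate: a sector whose trailer cannot be read with the keys you hold is not evidence of good hygiene, only of a gap in the audit, which is why it is reported rather than silently skipped.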
Happy Hacking~!