Physical Access Control Systems

Long Range RFID Theft

Published: January 6, 2025
Warning: This is a security research article. Always obtain proper authorisation before testing any access control systems. Unauthorised testing of physical security systems is illegal and unethical.

Introduction

Most of the time during physical engagements, the best way to achieve covert entry during the day or the night is by defeating physical access control systems - this usually involves cloning existing credentials. You could trick people into handing over their credentials under the guise of a fake "free coffee" booth, but that takes a lot of time and resources and comes with its own risks.

If only there was a way to steal credentials from a distance, in a covert way...

The answer is long range credential theft! Thanks to multiple vendors' efforts, readers with an effective range of up to 1m (3.2ft) are commercially available. It is entirely possible to buy one of these readers and make some tweaks to turn it into a vessel for credential theft.

The General Idea

A fully working physical access control system will consist of a barrier or door, an RFID reader, a door controller and a credential. On a basic level, a reader contains an inductive coil (to power tags in proximity), an RFID receiver to capture data transmitted by the tag, and circuitry to decode and transmit the received data over the wire. This received data would usually travel down the wires to the door controller, which in turn either opens or closes the door lock.

Instead of hooking up a reader to a door controller, what if we wire it to a device that simply logs and displays the received credentials? Enter the ESP Key, an inexpensive mini door controller and interception tool.

ESP Key

By wiring a long range reader to this device, we have essentially created a semi-portable closed reader environment - the reader will act as intended by the manufacturer, except any received and transmitted data can be accessed over an access point broadcasted by the ESP Key.

Note: This particular example of the ESP Key operates as an interception tool for the Wiegand protocol. For this to work, the reader you are using must output data using Wiegand, and not a different protocol like RS232 or RS485.

On a separate note, this tool is also designed to be implanted on readers in active use on target sites. Since it siphons power from the circuit, all it takes is a quick installation and tapping of the correct wires from the reader output and credential theft is possible.

Long Range Readers

Here is where your mileage will vary. In the UK, the most common credentials I have personally seen are HID Prox and EM410X (LF), and HID iCLASS and MIFARE (HF). Not all reader units support high or low frequencies, and not all reader units can interface with any tag family.

For this reason, you have to consider which reader you might need for your purpose. Read vendor datasheets to see which credentials are supported by which unit, and make an informed decision based on your reconnaissance efforts. The beauty of this build is that readers are made to be wired to door controllers, and a reader can't tell the difference between an ESP Key and a legitimate door controller. So if it outputs Wiegand, you can probably intercept it.

Below are some common choices for this application:

The Build

I'm going to walk through a build which used the HID MaxiProx 5375 unit.

Bill of Materials

Reader Prep

Warning: If you follow along with this build, be warned that you are tampering with an electrical unit that contains high voltage components. The unit should be fully assembled and the induction coil enclosed in the case before any power is introduced to the device.

With the MaxiProx reader specifically, it is essential that you shunt the P2 pins in the correct way, otherwise you could damage your unit. These pins determine whether the unit should operate in 12V or 24V - since we are using a 12V power supply, we need to shunt pins 1 & 2.

Shunted Pins

In addition, the reader (by default) beeps and flashes an LED when a credential is detected. Referring to the documentation, this behaviour can be controlled by the DIP switches in the SW1 array.

Several guides specific to this reader recommend desoldering the speaker responsible for the beep (marked B1, top right of the board) and replacing it with a haptic motor. This gives more subtle feedback, similar to a vibrating mobile, when credentials are captured successfully. In this case, you should leave DIP switch 4 in the default on position.

Wiring

Wiring is pretty straightforward - you essentially just supply power to the reader and the ESP Key, and then wire Data 1 and Data 0 from the reader to the ESP Key. Below is a wiring diagram to help you out (credit to sh0ckSec):


Wiring Diagram

For clarity, here are the connection points as labelled on the unit:

The unit has a nice opening in the centre of the casing through which you can route your pigtail barrel connector to plug into the PSU outside of the case. I have also used some Kapton tape on both the wiring and the ESP Key itself to make sure nothing is jiggling about loose inside.


Wiring

Now you are pretty much done - feel free to screw in the case and get the enclosure sealed. With this setup, I was getting reads from a generic HID Prox card (non clamshell format) at 50-60cm consistently.

Deployment

Once wiring is done and you have neatened everything up, we can talk about how you might take this out in the field. When you interface a reader with a card, one of the key factors in success is parallel alignment - the reader and card should be facing each other to ensure that the coils can couple effectively. For this reason, the best option I can think of is a simple large laptop bag with a shoulder strap - just make sure the dimensions will fit the entire unit. This option offers good manoeuvrability and flexible adjustment at an appropriate height. All you need to do is find an excuse to get in close proximity with someone - a smoking area, a lift or even just overtaking somebody on a pavement.


Laptop Bag

Another option is to create an official looking unit and place it somewhere with high foot traffic, or close to a legitimate reader. The RFID Gooseneck by sh0ckSec does exactly this, and is well documented should you go down this route. You could also simply mount the system to an external wall near an entrance using double sided adhesive tape.

RFID Gooseneck

Interfacing With the ESP Key

Because the ESP Key broadcasts its own wireless access point, all we need to do is connect via WiFi (default "ESP-RFID-Tool") and navigate to http://192.168.1.1/ to interact with it.


ESP Interface

You should definitely change some settings under "Configure Settings" - at the very least the SSID to something unsuspecting, protected by a strong password to avoid exposing client data. The default credentials (which you should also change) are "admin" and "rfidtool" - you will be prompted to enter these upon changing settings.

To access your captured credentials, head to "List Exfiltrated Data", where you will see a list of log files.


Logs Page

Here you can view/download or delete your log files that will store captured credentials.


Credentials

So let's dissect the output format. You can't just copy the hex in the output, because this isn't the card UID - it is the raw data transmitted by the card, including the idle / framing bits and any line activity before the card is actually read (sometimes referred to as the "preamble").

The actual 26-bit Wiegand frame containing the card UID is the second set of binary data, just before the hex section. If we take this binary number, remove the first and last digits in the sequence (the parity bits), and plug the remaining 24 bits into a binary to hexadecimal converter, we can derive the card's UID. In our case, the appropriate format would be "001100000101000001011001".


Conversion to hexadecimal

If we read the card with a Flipper Zero and have a look at the hex field, we can see that the hex codes match perfectly.



Copying this value to a new card is as simple as grabbing a T5577 (capable of emulating most LF credentials) and adding a HID H10301 or Generic HID Prox credential manually in the Flipper. It is also entirely possible to use a Proxmark3 with the raw hex output from the ESP Key, as demonstrated below:

[usb] pm3 --> lf hid clone -r 200460A0B3
[=] Preparing to clone HID tag using raw 200460A0B3
[+] Done!
[?] Hint: Try `lf hid reader` to verify
[usb] pm3 --> lf hid reader
[+] [H10301  ] HID H10301 26-bit            FC: 48  CN: 20569  parity ( ok )
[+] [ind26   ] Indala 26-bit                FC: 773  CN: 89  parity ( ok )
[=] found 2 matching 26-bit formats
[=] Trying with a preamble bit...
[+] [ind27   ] Indala 27-bit                FC: 4482  CN: 8371
[+] [indasc27] Indala ASC 27-bit            FC: 2881  CN: 8294
[+] [Tecom27 ] Tecom 27-bit                 FC: 576  CN: 42087
[=] found 3 matching 27-bit formats
[=] raw: 00000000000000200460a0b3

What's also interesting is that you can use the Proxmark3's wiegand command to decode the raw binary as well - without removing the parity bits, the Proxmark3 will tell us which card format it thinks the binary data is, along with the facility code and card number. These are the two numbers printed on the back of the card, as shown in the image above. This gives us a nice demonstration of the Wiegand credential format (or UID, as I have been calling it) for HID Prox.

[usb] pm3 --> wiegand decode -b 00011000001010000010110011
[=] #bits... 26
[=] ------------------------- Wiegand ---------------------------
[+] [H10301  ] HID H10301 26-bit            FC: 48  CN: 20569  parity ( ok )
[+] [ind26   ] Indala 26-bit                FC: 773  CN: 89  parity ( ok )
[=] found 2 matching 26-bit formats
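The manual conversion above (strip the two parity bits, convert the remaining 24 bits to hex) and the Proxmark3 decode can be reproduced in a few lines. The following is an added example, not code from the article or the ESP Key project; it decodes a 26-bit H10301 frame, checks both parity bits so that a noisy capture is flagged rather than trusted, and rebuilds the frame from FC and CN. The "0x20 marker plus sentinel bit" layout of the Proxmark3 raw value is an assumption that is consistent with the `raw:` line shown on the page.

```python
# Added example (not from the original article or the ESP Key project).
# 26-bit H10301 layout, bit 1 first: [even parity][8-bit FC][16-bit CN][odd parity]

FRAME_BITS = 26

def check_parity(bits: str) -> bool:
    """Bit 1 is even parity over bits 2-13; bit 26 is odd parity over bits 14-25."""
    lead, trail = int(bits[0]), int(bits[25])
    even_ok = (bits[1:13].count("1") + lead) % 2 == 0
    odd_ok = (bits[13:25].count("1") + trail) % 2 == 1
    return even_ok and odd_ok

def decode_h10301(bits: str) -> dict:
    """Decode a 26-bit frame given as a '0'/'1' string, most significant bit first."""
    if len(bits) != FRAME_BITS or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 binary digits")
    body = bits[1:25]                       # drop both parity bits -> 24 data bits
    return {
        "facility_code": int(body[:8], 2),  # bits 2-9
        "card_number": int(body[8:], 2),    # bits 10-25
        "uid_hex": f"{int(body, 2):06X}",   # the 24-bit value the article calls the UID
        "parity_ok": check_parity(bits),    # False -> treat the capture as corrupt
        # Assumed Proxmark3 'lf hid' raw layout: 0x20 marker, then a sentinel 1 bit
        # directly ahead of the 26-bit frame (matches the page's raw 200460A0B3).
        "proxmark_raw": f"20{(1 << FRAME_BITS) | int(bits, 2):08X}",
    }

def encode_h10301(facility_code: int, card_number: int) -> str:
    """Inverse operation: build a parity-correct 26-bit frame from FC and CN."""
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("FC must fit in 8 bits and CN in 16 bits")
    body = f"{facility_code:08b}{card_number:016b}"
    lead = str(body[:12].count("1") % 2)            # even parity over first 12 data bits
    trail = str((body[12:].count("1") + 1) % 2)     # odd parity over last 12 data bits
    return lead + body + trail

if __name__ == "__main__":
    # Frame taken from the article's 'wiegand decode' example above.
    captured = "00011000001010000010110011"
    print(decode_h10301(captured))
    # -> FC 48, CN 20569, uid_hex 305059, parity_ok True, proxmark_raw 200460A0B3
```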

Conclusion

In total, assembly of the device took all of 20 minutes, and was relatively uncomplicated. The most difficult part of this project was acquiring a long range reader for a good price - I got mine on eBay for roughly £250. This tool is a great addition to your credential theft arsenal, and gives you more options during physical engagements.

Limitations

As previously noted, if you want to read a specific family of credential with this solution, you need an appropriate reader. This means that you will need one for HID LF, EM LF, Indala LF, and so on. This requires a certain amount of reconnaissance ahead of your engagement so you know what to build or bring along with you.

Another limitation is the restriction to intercepting the Wiegand protocol only. There may be solutions out there for intercepting other protocols that I am unaware of, but the majority of readers support Wiegand anyway. Nevertheless, you are pretty much restricted to gathering card UIDs only - which is fine for LF applications, as LF readers tend to rely on the UID alone for authentication. When you stray into HF territory, you start getting into encrypted card contents and challenge/response architecture, making this solution only useful in misconfigured HF environments that neglect the full security offered by the technology and instead rely on UIDs alone.

References

Mike Kelly's Original Wiegotcha RFID Thief
sh0ckSec's RFID Gooseneck
ESP RFID Tool Documentation
HID Proximity MaxiProx 5375 Documentation