Well, it is invisible once you put the reader back on, and the connection is never broken, therefore the system has no idea it was tampered with. It also takes just a minute or two for the complete installation. I can totally see someone installing the device on a company's entrance door whilst the security guard is taking a leak or checking the backdoor.
@muh1h1 except there's usually a camera near those places, so people are bound to notice... Unless they're extremely incompetent, which again means you've got more serious problems than a lock hahaha
@lXlDarKSuoLlXl Well, who's gonna check hours' worth of multiple cameras every day? Cameras are there to find out what happened after it happened, so if you installed that thing yesterday, chances are you can enter today and the camera footage isn't checked until tomorrow.
@muh1h1 funny thing is, they don't. There's supposed to be someone checking the live feed, not the records, and again, if the lock gets tampered with without anyone noticing, your most important problem isn't the lock.
The attacker was likely already behind the door where the wires are exposed, or, likely worse, the wires and devices are behind another locked area that only security has access to in a real facility. Also, in a real facility there's always 1 or more guards paid to watch the cameras and occasionally assess the grounds. If an attacker has enough time to non-destructively access sensitive wires and put in this attack, I wouldn't want to know what else is breached.
@corpsiecorpsie_the_original a guy being haunted by a professional lockpicker in his house. No matter how many times he changes the locks, they will be unlocked the next night.
He needed it to protect himself from exposing how vulnerable a lot of locks really are. And then also from videos like this. Someone is gonna get butthurt over it.
LPL in 10 years: To unlock the door, we first compromise the house's internal Wi-Fi network via social engineering, giving us access to the keylock's API port, letting us run a known exploit on the unpatched firmware, letting us control it whenever we want. This was the most hacker-esque video on the channel I have seen. But still, fun, and good to point out the protocol weaknesses of these locks. Manufacturers should make the locks secure against digital attacks as much as physical, and this is one of the reasons why I don't want a digital lock in our household.
@Evi1 M4chine You cannot connect to the router without already being on the internal network. And if the router has a public-facing root-enabled telnet console... Well... Then it belongs in the trash and nowhere else (:
LPL (outside my house): as you can see, this homeowner went with strictly mechanical and hardwired locks with cryptographic modules on the main entries. Clearly, he's subscribed to my channel and doesn't trust technology.
@dercooney Yea, because let's be honest, how many of the "normie" users go, at any point in their day, and think "Hmm... I wonder if any of the smart stuff I have here has an internal firmware update available... So that if someone pwn'd my Wi-Fi that I didn't change the password to since first setting it to the name of my son and his birthday, they wouldn't be able to take control of my whole household" -- None, till something huge explodes all over the news... And even better, what if the theoretical family went like "Hey! If I connect the lock to the internet, I can control it from wherever! So if my spouse forgets her keys while I'm at work, I'll still be able to unlock the door for her!" And don't get me started on the trend to have all the smart crap connected to "The Cloud, wooooooo~" -- As if that was something to be desired. Then someone compromises /someone else's/ internet-connected servers, and boom, access to all the devices that are part of the "cloud" (Of idiocy)! ...I run a few smart devices at home... But have them strictly stuck on the LAN, with DNS blackholing so they will never connect to the bloody clouds...
It would be called Ocean’s lock-picking lawyer. It would go for 6 minutes, 4 minutes showing Ocean getting arrested, tried, convicted and put in jail. Then LPL would pick the locks on all the prison’s doors using chicken wire and a bubblegum wrapper (1 minute) and then 30 seconds to pick the bank vault with a toothpick and a 30 seconds of credits.
@klannstyle and a second for a trademark statement like "...and that's all I have for you today..." as he leaves a business card for a shocked casino concierge on his way out the door. (face unseen of course)
Maybe tack on an extra 2-3 minutes so LPL can explain how the locks were so easy to pick and then pick them all a couple more times to show us it wasn't a fluke...
Video 1097: We are to show how ATM security is flawed by withdrawing 1 thousand dollars using a pair of tweezers and an old mobile phone. Seriously. LPL is becoming the MacGyver of real life. Keep up the great work.
This is like how in Terminator 2 they have the scene where John Connor and his friend hack an ATM to get hundreds of dollars before heading off to the arcade in the mall.
I mean using specially made electronic equipment to clone RFID signals isn't exactly analogous to MacGyver. If LPL had built this device from chewing gum and some paperclips, then yes.
@gownerjones Compared to the cost of the system itself (ATMs I mean), and the amount of money to license and develop it, it might as well have been pocket lint and toothpaste.
You don't even need tweezers, human laziness is always the best exploit. Some years back ATMs were compromised because no one at the banks had bothered changing the default admin passwords (like so often on routers). A guy got hold of the installation manual and realized that he could reprogram the ATM (from the user terminal) to think they were loaded with $1 bills instead of $20 bills. All he needed were prepaid debit cards to make withdrawals with a 20:1 return on investment that couldn't be traced back to him. The guy behind the scheme had spotted dozens of ATMs in his city he could compromise, but he needed help to hit all the ATMs in one night. He only got caught because the guy he approached for help was an FBI informant...
I think he was referring to smart cards/secure RFID tags that use public key cryptography for authentication or a one time code from a pseudo-RNG. Like an EMV card.
@hhanh01 Actually, many card readers simply read the number assigned to the card and transmit it back with no encryption at all. He demonstrated that in the video, where the binary stream was just the 6 digit card number.
Yep. Many encrypted locks may as well not be, since they use a single hash rather than a procedurally generated one that is produced at the time of scanning. A good RFID system should be able to keep the code secure even if everything passed between the controller and the reader is read. Both sides should have a synchronized pseudorandom hash produced by the same seed.
This device is legitimately used by penetration testers like Deviant Ollam, check out his channel. He gets paid by corporations and government to test their infrastructure's locks, doors, and security systems by casing the place, physically getting in, figuring out what sort of damage could be done by a nefarious party with that level of access, and writing up a report on this and how to make the place harder to get into.
@THE DUDE technically you would have to obtain someone else's RFID info and reprogram your own chip to mimic it. As the credits would most likely be registered under the chip's unique ID tied to a bank account. Kinda like wave cards used to work.
I bought a cheaply made RFID reader for less than $20 for my apartment. I used it to run my deadbolt with a car door actuator, and it was really effective. Being a rented apartment, I could not do much modification to the door. I used existing holes, and kept all of the electronics behind the door. The RFID reader could read it through the door, and seemed more secure, but who am I kidding? The LockPickingLawyer would just look at my deadbolt, and the tumblers would set, the rotor would turn, and it would unlock itself as he came near out of respect.
You are my hero of the day. I live in an apt and have been trying to rig something up because my bedroom door is old school, but I want to digitize it so leaving my key behind isn't a worry. The actuator is the missing piece to my puzzle. I'm not concerned about hacking; this interior door is just for privacy from roommates, plus if they get the door open I have a series of cameras and motion detectors inside. It's just a lock for "keeping honest people honest", i.e. if I'm out and someone wants to take a curious peek in my room if the door is open. If you have any details you're willing to share about your setup I'd appreciate it, but I understand if you don't want to give up your trade secrets.
@shrimpboom8 It is. On the other hand, those cheap readers usually use basic EM4x02, which doesn't have any security. When this card gets into the required magnetic field, it pretty much just screams the ID number in an infinite loop. A device that would allow you to copy any card of this type is actually a nice weekend project.
@Seedzification To give a little context, I had the cameras and sensors at a normal deployment for a house, but when I moved the new roommates didn't want cameras in common areas so my security net got all bunched up in my room. If I didn't have the cameras/sensors when I moved in, I would have probably just bought one to snap a photo when I'm away and someone enters. Most of it dies as soon as wifi drops so it's actually kinda poor.
@vladypunkyface Exactly, he didn't build this, program it, or even require much skill in operating the device in this presentation. But still a good video.
Maybe, but I can get and do that. If I can do it... It is a good demonstration for people so they find out more about the security products they pay for. Why pay for something easily defeated? Just because you may not understand how something works doesn't mean those who steal stuff don't.
@triskalion9627 I suppose if a guy is being done for something to do with locks, if he can point out how easy it is to pick it can work in their favour.
So this is the equivalent of packet sniffing and then repeating captured packets? And being able to basically image what you capture as well? Honestly that's pretty damn slick.
@NGC1433 well, putting a chip in the wiring circuit is nothing other than sniffing, and a bunch of consecutive bits is a packet, so yeah, packet sniffing seems appropriate.
@santiagobirkenstock No, it isn't. The difference is that you have to actually know the communication protocol for packet sniffing. This reader most likely has just a Wiegand interface, which uses two lines, the first one for ones and the second one for zeros. There are no "packets", just a direct serial bitstream.
Interesting! But there is a non-encryption solution for that too. Some of these reader housings have "sabotage contacts". So whenever you remove the housing or take the reader off the wall to access the wires for the ESP Key, an alarm is created. Might not be as safe in the US, where every wall seems to be drywall ;-) But where I work you either create an alarm by manipulating the reader housing, or you alert everybody in the building with the noises resulting from trying to get to the wires through the concrete surrounding them.
Or using RFID keys that are challenge-response types. Doesn't matter if they're encrypted; a challenge is only valid once, and only if you have the seed can you get the correct response consistently.
@PeterAuto1 ... technically it's part of a precursor for encryption, that being the establishing of a shared session key through a shared secret, but you're not actually encrypting any message with it; you stop just before that step, with verifying that you indeed share a session key.
Then we'll discover that the vaults in Fort Knox have been empty for decades, hence that the dollar is worth less than its weight in Bitcoins, and then the world economy will collapse overnight... xD
@paulketner5077 Correct, and the US military and military bases around the world are the only insurance for that going on and on. If the world decided to ditch the $ as the main currency the US would collapse; that's why the US installs US democracy in countries which foolishly think that they can live without the $.
This video was uploaded on the 28th of February 2020, and at 2:39 in the video the phone also says that the date is 28th Feb 2020; therefore, if the date is accurate, the time most likely is too, as it is connected to the internet and auto-updates the time.
@THE DUDE it's not fiction now. They are in fact experimenting with that system in Holland, where everything in the shop is tagged and you get charged to the chip in your hand as you walk out of the door. The shoplifters will be the ones who've chopped off their hand. Easier to spot, lol.
I can't wait until next week "This is the Lockpicking Lawyer and I'm in a Nuclear Submarine in the Atlantic, all I had to do was use this can opener and razor blade".
And here you can see the launch button. Normally this would be locked, but if I just insert this wire you can see the missile is launched with no problems.
Depending on the encryption method, it may still be possible to do a replay attack without being able to decrypt the data. If a time stamp is included in the encrypted data, and this was checked against a time window by the controller, that's one way of preventing a non-decrypting replay attack. Obviously, the cards used in the demo are also pretty dumb, and are a point of attack through a concealed rogue reader (backpack-carried units are common). Using smart chips raises the bar a lot higher though.
Was just about to say this; the cards should be NFC smart cards, not just dumb RFID. The controller should use an incrementer, nonce or challenge-response protocol so that it can verify the freshness of the attempt. Encrypting the traffic of a dumb protocol will not fix any of its flaws.
@cabbageman Is it going to cost more money to have a reader that has this kind of capability? At the very least, assuming you have pretty powerful hardware, you still need a developer to develop all of the software. I'm assuming saving a table of every RFID is way easier than saving the seed of every card and comparing the rolling code every time.
@Petertronic Good locks are only as good as the box they are protecting; if you have a house with a window the guy can still just break the window and get in.
You had me worried, I thought you were going to show something like remotely scanning through all the RFID codes until one opened the door and I'd have to rethink the system I set up on my front door. However RFID will work through a wall panel, so you can set up with no exterior access. This is basically my setup, except for a small aperture for the fingerprint scanner pad; the RFID fobs work fine. For one of those RFID only units, you could embed a real unit in the wall and 3D print a hollow one to put on the outside so people know where to hold their cards. I'd love to see the reaction of a hacker who pried it off!
Anyone can still mount a sniffer to the outside of your wall, picking up the RF transmissions from the card. If you want to be secure you need to use something like DESFire which encrypts the wireless communication.
Scanning all RFID codes is easily prevented by a 30-second delay between successive reads. That is implemented in residential staircase door lock systems even from the post-Soviet nineties, for both button keys and entering a code on a keypad. It even beeps cheerfully for 20 seconds after an unsuccessful attempt.
@Evi1 M4chine you can mount the sniffer a few feet away from the reader on the same wall, or on the roof above the reader. It does not matter how thick the wall is since the signal is not passing through it; you are sniffing on the outside where the user with a valid card is standing.
@mrfrenzy. you need to get really close to actually power an RFID card; besides, if you had something powerful enough to power a card from a few feet it would cause any other RFID cards to also broadcast. That's why you can't hold your wallet to a reader with more than one card in it. Also, all modern cards are encrypted so you wouldn't be able to decode the data anyway.
@Evi1 M4chine The door and doorframe are usually made from RFID-transparent materials. But making a fake reader box won't be done when commercially installing a combined keypad and reader that can be set to require the PIN code of the legitimate card holder to ostensibly protect from stolen or cloned cards (and that's the reader usually installed even if nobody ever turns on the PIN code feature).
"It's some James Bond level stuff..." "An attacker can compromise the system with very little effort..." Conclusion: LPL considers James Bond level difficulty to be "very little effort."
Lately I've been much more choosy when buying wireless tech, making sure security is tough and without gaps. I hate when I'm shopping for (as an example) a wireless mouse and they won't say if there's any encryption.
1:42am, while we're all up in the middle of the night watching his videos he is up in the middle of the night making the videos, this is some meta shit right here
Encryption should be between the card and the controller inside the "secure" area. DESFire EV2 for example, the crypto happens on the card, there is no way to "clone" it, as the private key never leaves the card.
To elaborate for others: the card itself has a processor and a key saved. The reader sends the card some data that the card transforms using its key. This data is always different. The transformed data gets sent back. Because the input is always different, sending back the same output twice does not work. And thanks to nice cryptography, you cannot get the key, even if you capture input and output.
It baffles me that even though we have readily available cryptography like this, companies still manage to manufacture systems that don't include it. How?!
@justin.booth. Money. It costs a lot less for a simple card lock system. I have a friend that works at a nursing home with a basic reader. The doors are to keep dementia patients from wandering out. Nobody is going to hack in to steal old people.
@ShadowTigerKing the thing is, it doesn't anymore. The algorithms are already there and freely available, that ain't any issue. Cards with the necessary computing power don't need to be any more expensive than the simpler ones by now, and also the processors to use inside of the control box are cheap.
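The challenge-response scheme described in this comment (and the one-time-challenge point made a few comments earlier), as an added Python model that is not code from the video or from any product shown in it. The card key, UID and HMAC-SHA256 construction are assumptions for illustration; the point shown is that a response captured on the reader-to-controller wire is useless against a fresh challenge, whereas a static ID is accepted every time.

```python
import hashlib
import hmac
import secrets

# Constructed (not real) per-card secret and UID, enrolled in the controller's database.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CARD_UID = b"CARD-000123"


class Card:
    """Smart card: computes a keyed response on-chip; the key never leaves it."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()


class Controller:
    """Controller behind the door: one fresh nonce per attempt, consumed on first use."""

    def __init__(self, enrolled: dict):
        self.enrolled = enrolled   # uid -> key
        self.pending = {}          # uid -> outstanding challenge
        self.log = []

    def challenge(self, uid: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[uid] = nonce
        return nonce

    def verify(self, uid: bytes, response: bytes) -> bool:
        nonce = self.pending.pop(uid, None)   # nonce is single-use, match or not
        key = self.enrolled.get(uid)
        if nonce is None or key is None:
            self.log.append(("reject", uid, "no outstanding challenge or unknown card"))
            return False
        expected = hmac.new(key, uid + nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)   # constant-time compare
        self.log.append(("grant" if ok else "reject", uid, nonce.hex()))
        return ok


def static_id_verify(enrolled_uids: set, wire_bytes: bytes) -> bool:
    """The dumb model criticised in the video: the same bits on the wire every time."""
    return wire_bytes in enrolled_uids


def legitimate_open(card: Card, ctl: Controller) -> bool:
    c = ctl.challenge(card.uid)
    return ctl.verify(card.uid, card.respond(c))


def replay_open(ctl: Controller, captured_uid: bytes, captured_response: bytes) -> bool:
    """Replay of a previously captured response against a new challenge."""
    ctl.challenge(captured_uid)   # controller issues a NEW nonce for this attempt
    return ctl.verify(captured_uid, captured_response)


def demo() -> tuple:
    """Returns (legitimate result, replay result, static-ID replay result)."""
    ctl = Controller({CARD_UID: CARD_KEY})
    card = Card(CARD_UID, CARD_KEY)
    # A tap on the wire records one complete, successful exchange...
    c = ctl.challenge(card.uid)
    captured = card.respond(c)
    first = ctl.verify(card.uid, captured)
    # ...but replaying that response later fails, while a static ID still works.
    return (first and legitimate_open(card, ctl),
            replay_open(ctl, card.uid, captured),
            static_id_verify({CARD_UID}, CARD_UID))


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```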
"I'm going to step on old cellphone because I enjoy the weird crunching noise it makes on the decorative floor plates. Now, I'm going to bend the......"
Great job. I know most software for these systems has the option to encrypt the data stream, so this will show users of these systems how important it is to ensure the system is fully configured and locked down. Thanks for the video!
@NGC1433 it does matter if the encryption is resistant to replay attacks. Such as having a 10 second window before new encryption is created. Or even just embedding a time-sensitive piece of information, such as every request must come with an encrypted date/time, and if the date/time is off by 5 seconds it is rejected.
More specifically: The communication should be secured between the controller and the RFID card, not just the reader (which would have to hold the communication secret, which in turn could be extracted by an attacker). Then, of course, you could no longer use the el-cheapo cards...
Agree. These RFID systems are very vulnerable to cloning. Even the handshake ones would be vulnerable to MITM relay attacks, though that obviously involves more effort.
That's why the industry is pushing for people to use their phones, with public/private key handshakes. Google OSDP. It's what HID Global is trying to make the new standard.
Imagine hearing late at night: (MUFFLED) "This is the LockPickingLawyer, this RFID system looks secure, but has a serious flaw; we're going to gain access using that serious flaw." [RFID reader makes beeping noise, door opens] (Voice no longer muffled) "and just like that we're in"
Imagine writing someone else's comment, word-for-word, in the hopes of boosting your self-esteem by amassing a fundamentally-useless collection of likes? 🙄
Hey, I'm a cybersecurity student so I just wanted to comment on one of the things you mentioned. You stated that if the signal was encrypted then this wouldn't work, but one of the failures of many low budget security companies is that they constantly use the same encryption software every time. This makes it so if the attacker took it one step further and tried to decrypt the signal with commonly used software they are more than likely to find a match.
That's precisely why seamless security is so important. For instance, the connections should be routed in such a way that accessing it is at least as difficult as breaking down the door would be. Also a system like that would have to include one or more tamper-sensing mechanisms which block the system entirely when the accessible part is tampered with.
"This is the lockpicking lawyer and today we are going to hijack a Russian MIRV with my grandmother's parabolic antenna and this programmable TV remote."
First of all, that's some very dedicated setup, nicely done! For most use cases that replay attack is more dangerous than the encryption. But this depends on the building; if you can protect the housing and the wires, then it is fine. First is that replay attack: it should never be possible to re-issue authentication, it should be one time use before that specific bit of data expires. This is widely known, as are ways to counter it. Second is that encryption: I get that they think "it's inside the wall, should be fine with unencrypted", but that is a very naive mindset, those wires could be hundreds of meters long in business buildings, which could be intercepted and read at any point.
I love this channel and all its videos. If there's anything I've learned it's that all locks are supposed to just slow someone down long enough for them to either give up or get caught.
If I'm remembering correctly there's an easier way: the 'keys' always transmit their RFID data. MythBusters did an episode on why the new RFID bank cards (the ones with the little 'gold' chip in the corner) are a horrible idea but they weren't allowed to air it because the 'banks' (they didn't specify) wouldn't allow it. All you'd need to do is place a very small RFID reader with a sensitive enough receiver (depending on the distance from the legitimate card reader) within any area where the card will likely be - in the case of an elevator, all the easier, as you'd just place it in a corner or on the roof - and have any data the reader receives sent off, no need to fiddle with any wires and it can be done incredibly discreetly. Alternatively you can swipe a card reader by someone you know who has a key (and know where it is on them); as long as it isn't held in a lead wallet, the RFID will be stolen. It doesn't matter if the card's data is encrypted or not as a duplicate card will just be able to send the same signal; just because you don't know what the encrypted data says doesn't mean it isn't duplicatable. If the encryption employs some sort of pseudo-random cycling system (as all cards will have to have the encryption 'key' cycle identically, so it can't be truly random) then that doesn't stop it either, it just makes it take longer before the cycle is broken, and even then the duplicate keys will work until cycled. Even if a multi-level cycling system is used, where each cycle is cycled each day/month/etc., the same method can be used. The best way to stop it from happening? Don't let anyone but authorized people anywhere near the sensor - which obviously means guards, almost entirely defeating the entire point of the system to begin with when it comes to securing rooms. This exact same method can be applied to the RFID chip on bank cards too, but I don't know enough about its security to know if the same method would actually work or not *anymore*.
But what I do know is that this is essentially the same tactic used for stealing credit cards via creating 'hidden caps' that go over the legitimate ones and look identical, they don't read the RFID (because bank cards didn't always have them) but all of the cards information. A little tug on the hubcap will instantly pop the fake one off, though, so they're easy to check for.
The same thing is true for credit cards, except that there cannot be encryption due to the way RFID credit cards are used. There cannot be a standard encryption for an infinite number of readers that an attacker can't get access to. To make this even worse, the cards don't use an RFID version of the cycling chip that is read at the card provider; it just transmits the credit card number and security code in plaintext.
Are the bolts open or closed when the power goes out? It would be more secure to be closed, but I've a feeling fire regulations might require them to be open. ...what happens if you forget about codes entirely and try to kill the controller on the other side: pump a stiff 100v through those wires. Does it fail open? Or maybe just taking a security light off the wall and using it to trip the breaker...hmm
I have worked a place where the simple solution to this was simply having two doors side by side. One door for exiting which couldn't be opened from the outside, and was opened mechanically from the inside. And the other door for entrance only, opening electrically from the outside. But a much better solution would just be to be able to override the bolt from the inside manually, and having it be normally locked.
This is really cool for consumer/commercial level systems. It will not be breaking into too many high security installations, as readers are encrypted too, with a site-specific key. Also the use of entry and exit readers prevents cloned cards being used without security being alerted, about 1 second after you present a duplicate card.
Extremely important to connect the tamper switch on the pad to the central alarm so you know if a physical attack was performed. Indoor wire should be inaccessible in wall or in metal conduit for an inside job.
@@MrRusell86 the compressed air attack is for doors that open automatically on exit using infrared sensors : the decompression cools down the air quite a lot compared to the ambient temperature and the airflow can travel far enough to trip the system.
I have no idea why your lock picking videos have been constantly appearing on my YouTube, but I finally decided to watch one and now I'm strangely hooked.
Thank you so much for this video! I used to write spy stories but gave up when I got too busy to research them. This video is like a hand delivered info dump 💙
@@TMGMedia73 true, but no lock is unpickable as LPL clearly proves. It's why insurance is important along with locks that meet their levels of adequacy.
About fifteen years ago I worked for a company that issued an RFID card key to each employee. I noticed that as you exited the building there was an infrared motion detector that caused the door to be unlocked as you were about to push the push bar to open the door and leave. There was a double glass door entrance with a flap that would automatically close over the gap between the doors when they were closed. But it kept getting jammed so they removed it. One Sunday I came to work when no one else was there. I unbent a coat hanger and attached a flattened soup can to the end. I heated the soup can with a propane torch. I slipped this thing that looked like a flag through the gap between the doors and waved it around. In a matter of seconds I heard a loud click and was able to open the door and walk in without using my card key and without setting off the alarm. The next day I told the facilities manager what I had done. He didn’t believe me until I demonstrated it to him.
I have one of these locks at the base of the stairs to the communal car park, a more unorthodox method of putting your shoulder through the door seems to work pretty effectively for someone, as they have definitely busted through!
In the early 1980s I was working for what was then one of the largest computer companies in the world. My task was to prepare a computer for the market, integrate it with the operating system. I worked with about a dozen other people. All of us had access to a lab with the prototype. Anyone unauthorized, even an employee, could do a lot of harm simply by seeing how far along we were. At first there was a key pad. The entry code was the project code name for the computer. This received some criticism and demonstrative pranks. Then they put in a key card, same problem as you identified. More pranks and criticism. Since the lab was filled with computers, intercepting the wiring was especially easy too. Other facilities I worked in were semiconductor development labs. Those had a "roach motel" entry: a phone booth sized thing would rotate 90 degrees. If someone inside did not approve, you would be rotated back out politely or left to wait for security. That was pretty intimidating. I never found out what would have happened if there was a fire.
I have a huge interest in RFID hacking since I used to have to deal with access control at work. Thank you for a very interesting and educational video, I'll be making sure to talk to our IT guys to make sure the tamper alarm is installed 😂
..or putting readers on either side? Once you're in, you need to swipe out, as the system knows you're already in? Make emergency egress a break-glass override.
Reader tamper alarms would not be 100% reliable since this device punches through the wires; the connection is never interrupted so you wouldn't see any tamper alarms in your access control software's log, unless... the attacker had no way to access the wiring conduit directly and had to unmount the card reader; that would definitely trip either a mechanical or photosensitive sensor. Two lessons here: 1) make sure your card reader has a tamper feature and 2) (probably the most important one lol) keep your wiring conduits safe and absolutely out of reach.
Everyone rushing to exclaim that "that wouldn't work in ..." needs to remember that LPL doesn't build his own boards. He uses equipment available on the market. I bet that RFID system in the video is a pretty commonly used one, and as he said, is actually better than many.
@Alexander Supertramp and you have to wait after installing the unit until someone uses the reader you installed it on...... easy, but not convenient if you are trying to get in NOW....
I think you kinda miss his goal, as well as those of most people with a similar mindset. The entire idea behind the types of videos LPL makes, and really teaching people how to pick locks in general, is to educate people and thereby equip them to implement better security. I mean, think about it. Before the internet only locksmiths and criminals knew how bad Masterlock was and they made a fortune shilling their terrible products, but today they're starting to lose sales to the likes of Paclock thanks to the efforts of LPL, Bosnianbill, Deviant Ollam, and all the other security minded folks teaching anyone who'll listen about security.
Randomly got re-recommended this video after two years. My jaw still hits the ground when I see this. The future is NOT more secure from those that are well-informed. Unreal.
Some systems, while still being unencrypted, have an "anti-pass-back" mode which is designed to prevent a user from passing the card to someone else over a turnstile for example. The card must be seen "badging out" before it can be used to "badge in" again. This would probably go a long way toward preventing the replay attack.
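The anti-passback logic this comment describes, as an added Python model (not code from the video or any vendor's controller). Card IDs and the event sequence are constructed; the model shows a hard anti-passback rule rejecting a second "badge in" for a credential that is already inside, which is how a replayed capture gets caught even though the bits on the wire are unchanged.

```python
from dataclasses import dataclass, field


@dataclass
class AntiPassback:
    """Hard anti-passback: a credential must badge OUT before it may badge IN again."""
    inside: set = field(default_factory=set)   # credentials currently inside
    alerts: list = field(default_factory=list) # operator-facing events

    def badge(self, card_id: str, reader: str) -> bool:
        """Return True if access is granted; record an alert on any violation."""
        if reader == "in":
            if card_id in self.inside:
                # Same credential presented at the entry reader while already inside:
                # either a passed-back card or a replayed/cloned credential.
                self.alerts.append(f"{card_id}: IN while already inside (possible replay/clone)")
                return False
            self.inside.add(card_id)
            return True
        if reader == "out":
            if card_id not in self.inside:
                self.alerts.append(f"{card_id}: OUT while not inside")
                return False
            self.inside.discard(card_id)
            return True
        raise ValueError(f"unknown reader {reader!r}")


# Constructed event sequence (card ID is illustrative):
#   1. holder badges in         -> granted
#   2. replayed capture at IN   -> rejected, alert raised
#   3. holder badges out        -> granted
#   4. holder badges in again   -> granted (state was reset by the OUT)
EVENTS = [
    ("0xA1B2C3", "in"),
    ("0xA1B2C3", "in"),
    ("0xA1B2C3", "out"),
    ("0xA1B2C3", "in"),
]


def run(events) -> tuple:
    """Returns (per-event decisions, alerts raised)."""
    apb = AntiPassback()
    decisions = [apb.badge(card, reader) for card, reader in events]
    return decisions, apb.alerts


if __name__ == "__main__":
    print(run(EVENTS))
```

Note the ordering limitation: if the replay is presented while the legitimate holder is outside, it is the holder's own next badge-in that gets rejected and alerted, so this detects rather than prevents the first use.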
well - you do need to get to the cable to do this "man in the middle" attack. Which usually means you have to have had time inside the building unobserved.
And also you must leave the ESP work until someone uses the right card to open the door. And also you must know the wiring (which ones are data lines and power lines).
No, you do not need *any* time inside first. That reader box has to be mounted on the outside. It should not be too difficult to get into it, connect the ESPKey module to the wires, and close it again, avoiding visible damage. The wiring scheme is no problem to work out, and will often be publicly available.
@@JohnnieHougaardNielsen seems like a really poor design, then. I'd have the control unit pass through the wall completely, with the access panel on the inside wall.
@@JonathanSchattke Seems like a cheap design. Unless you want to cut holes into the wall next to every door. And then you would still need to buy physically tough readers anyway to prevent access. Something will always be on the outside and you need to secure it.
@@JonathanSchattke Yeah, not at all a good design when such a simple replay attack can work. Starting from the point of a standard setup with a wall and a door opening, it would make the lock much harder to sell if making a big hole in the wall was required. Of course, if the doorway from the start is designed to accommodate this, it can work reasonably well. To me, the solution suggested by LPL seems more practical, encrypted communication from the reader to the control unit behind the door. The reader+encryption should be a sealed module, having no wires or soldering points with unencrypted data. A good design should hinder an intruder from just replacing the outside reader with a hacked one. Ideally, the RFID tag should also be updated each time, to ward off replay attacks. Of course, any setup with a passive RFID reader has a vulnerability if someone is able to hide an extra RFID reader very close to the existing one, but this is harder to make invisible.
Hello, very interesting video! I've some thoughts: 1. Removing the reader from the wall is often protected by some sort of system, i.e. a light sensor, which triggers a 'sabotage' alarm. 2. Wires will often be buried inside a wall and accessing them might not be that easy. 3. If it can read the signal, can't it be upgraded so it could repeat any stored data? You wouldn't need to encode the card anymore, just click 'repeat' on the phone.
Hi Marcin - I specialise in access control and security. Just wanted to answer your questions. 1) Often low cost readers do not have a dedicated tamper connection and because the comms used here are Wiegand and uni-directional, it’s often hard to get a tamper alert to the system if the reader is removed. Not all access systems are properly monitored either, so tamper alarms are useless anyway in this case. Using OSDPv2 encrypted comms (bi-directional) a tamper alarm is easier to achieve. The bigger threat here is an unsavoury installer adding these devices on installation without the customer knowing and then returning months later to utilise them and get access to do criminal activity. 2) As per point 1, can be done on install and later directly at the reader. 3) You can build different firmware for these devices. We built one using Bluetooth LE and could store as many card numbers as needed and play back at any time, no cloning of cards needed. However the LPL makes a great point that you are only as secure as your weakest link, in that the card technology is as important as encrypted comms. In summary, if you are installing a high security access control system use OSDPv2 encrypted comms and a secure smart card with encryption such as DESFire EV3 with diversified keys or iClass SEOS. HID Prox, EM Prox, Mifare Classic, Mifare sector, iClass legacy and DESFire UIDs can all be easily copied.
@@Ricky-ln6rt I mean, in this case, he could have just not worried about the device and written some code to loop through numbers until the lock opened (based on the assumption that there seems to be an unlimited number of attempts and the codes are numerical). Definitely would be faster than trying to wire in a device and worrying about tamper alerts.
Hi @@jasonsumpter1641 not quite, when you take into account most modern systems are 128 bit systems, that would take quite a long time. Cloning the actual card number and replaying it back to the reader in seconds is much more efficient. But this is neither here nor there; if this is a secure entryway it should be two or three factor, ensuring the attack you speak of is mitigated easily.
Only if 3 wrong codes don't lock you out for 24 hours; 3 wrong PINs in an ATM cause it to swallow your card! Intercepting the wires in the example given only works if you know which one is which; no one reputable is going to use red and black for power! These cables typically have 8 wires with over 4000 combinations, 8 x 7 x 6 x 5 x 4 x 3 x 2 x 1!
Make a security system that powers its readers via a supercapacitor and/or rechargeable battery within the device. It'll pulse voltage for a few seconds at a shot just to top the battery off, and have no line voltage otherwise. That makes it impossible to use an inline device unless it also has its own power. Or just frickin' shield or pot your wiring... can't clip into what you can't access without being obvious or breaking things.
…’with very little effort.’ News Flash: If someone can do what the LPL just did, they’re getting in, encryption or not. No, they may not clone a card, but they’ll summon the mother ship, use the miniaturization gun on themselves, and just walk under the door.
This also works for most car remotes. I made a record/replay device using an Arduino and a simple cheap 315MHz RF receiver, a 315MHz RF transmitter, and a similar 433MHz pair. I wrote a program to record every received signal after pushing a button, and replay it after pushing another button. It worked for every car I tried it on! I think it may not work on high-end two-way remotes on expensive high-end cars like Lamborghinis. Although I'm not sure about that ;-)
It's basically a skimmer. I did some "security research" back in college that involved defeating their magstripe locks with a similar approach, only the skimmer and associated data-dumping electronics were designed from scratch and buried within the card reader body. There's a fair amount of space inside and hiding an extra MCU is easy. Some of the readers had tamper switches but of course none of them were wired. Then there was a card emulator that went into the card slot and could simulate a swipe of an arbitrary card, which isn't difficult to build if you have some basic embedded knowledge and know how the tracks are laid out. But most systems use only one track, and tend to follow the one published standard. We wrote a paper on it and they issued everyone new cards, but it got a bit messy (there's more to the story and it gets a lot worse) and in the end they recalled all the new cards and erased/rewrote them (correctly this time). Based on where you live, you may have actually heard about this one
Mag data has always been easy to dupe, many universities introduced cards with dual stripes at the back to make it harder. (As you can only program one at a time, two tape heads quickly sorted that) Still, many had infinite free photocopies and laser prints ;-)
@@BleughBleugh my school was smart enough to tie each photocopy card to a unique ID, and do bookkeeping "in the cloud" which effectively thwarts card shenanigans unless you can predict another card's ID. But the key cards? Hoooo boy. I've seen some university cards use dual tracks, but this tends to be for compatibility with point-of-sale terminals at quasi-affiliated vendors who set up shop on campus. The vast majority of campus key card readers are knockoffs / rebrands of the MR5 model from Mercury Security, and are single-track. You'll be lucky if it's an MR10 model, and if the tamper switch even goes anywhere. Fun fact- the card reader is entirely agnostic to the track position (the head is movable via set screw), the track format, or even the swipe direction. It outputs a raw bitstream, regardless if it's Track1 (7-bit alpha) or Track2/3 data (5-bit numeric). If you swipe the card backwards, the data comes out backwards. The decoding (and reverse correction) is entirely up to the controller that sits upstream of the card reader.
@@evil-wombat you know your stuff :-) Back in the early 2000’s the most fun (and profit) was had ‘reprogramming’ store loyalty cards Was hilarious presenting a store card programmed with my own credit card details and having it work!!! Then they had to introduce chip and pin and spoil it for everyone with a mag swipe encoder (or hacked tape deck) I’m still amazed that stores incremented loyalty card numbers by 1 each time…naughty people would have unlimited points with a card programmer
@@BleughBleugh oh man, I hadn't thought of trying that. I kind of expected all the loyalty points to be tracked server-side, but I guess the early 2000s were kind of full of bad design. I "may or may not" have used a library photocopy card for my meal plan at one point, and "might" have been the only one with a functional "new" student id card (that is, after they were mailed out but before they were activated). Had to make sure I read that like, ten times, before wiping it. Good times.......
He’s becoming too powerful
What do we do Master of Master Locks? Eliminate? Disintegrate?
He must be stopped, for the sake of -Humanity- Lockanity
Joining the dark side, he will...
Yes but how will we ever 'lock him up'?
@@skygh in a fully sealed concrete box
Imagine if you're a bond villain and behind your steel door you hear "4 is binding"
jimmy gatron good one
@@Yahmommaahouse 5 is in a false gate.
@@Yahmommaahouse nice little click out of 4
Why would you be hiding behind a steel door if you were a bond villain?
In this case you should just lock yourself behind the True safe, like in PayDay 2.
If an attacker has enough time to get into the internals and install middleware attacks, you've probably got more problems than door access.
Well, it is invisible once you put the reader back on, also the connection is never broken, therefore the system has no idea it was tampered with. It also takes just a minute or two for the complete installation. I can totally see someone installing the device on a company's entrance door whilst the security guard is taking a leak or checking the back door.
@@muh1h1 except, there's usually a camera near those places, so people are bound to notice... Unless they're extremely incompetent, which again, means you got more serious problems than a lock hahaha
@@lXlDarKSuoLlXl Well, who's gonna check hours' worth of multiple cameras every day? Cameras are there to find out what happened after it happened, so if you installed that thing yesterday, chances are you can enter today and the camera footage isn't checked until tomorrow.
@@muh1h1 funny thing is, they don't, there's supposed to be someone checking the live feed, not the records, and again, if the lock gets tampered with without anyone noticing, your most important problem isn't the lock.
The attacker was likely already behind the door where the wires are exposed, or likely worse the wires and devices are behind another locked area that only security has access to in a real facility. Also, in a real facility there's always 1 or more guards paid to watch the cameras and occasionally assess the grounds. If an attacker has enough time to non-destructively access sensitive wires and put in this attack, I wouldn't want to know what else is breached.
Imagine sleeping in your room and being woken up by “as you can see, this window lock is very easy to pick without breaking the window”
Key & Peele could do a mini horror flick about LPL
@@corpsiecorpsie_the_original a guy being haunted by a professional lockpicker in his house. No matter how many times he changes the locks, they will be unlocked the next night.
@@lukalaa1764 - "Bosnian Bill! Bosnian Bill!" screamed the man to the detective as he was whisked away into the sanitarium.
Good thing he's also a lawyer
There's a LPL ASMR but with sleep paralysis
I can't help but to think that the whole "lawyer" thing might not have been your highest calling...
He needed it to protect himself from exposing how vulnerable a lot of locks really are.
And then also from videos like this. Someone is gonna get butthurt over it.
@thisguy "Your honor, if I were really guilty, why would these handcuffs be... unlocked?"
thisguy that’s cus he would pick his way out of jail
@@Iverath Bold of you to assume he would even make it to the courtroom, he can pick open the police car door with his hands cuffed behind his back
the lawyer thing is just to fend off manufacturers thinking of lawsuits
LPL in 10 years: To unlock the door, we first compromise the house's internal wifi network via social engineering, giving us access to the keylock's API port, letting us run a known exploit on the unpatched firmware, letting us control it whenever we want.
This was the most hacker-esque video on the channel I have seen. But still, fun, and good to point out the protocol weaknesses of these locks. Manufacturers should make the locks secure against digital attacks as much as physical ones, and this is one of the reasons why I don't want a digital lock in our household.
A kid from 2040: that's how we did it in the past
@Evi1 M4chine You cannot connect to the router without already being on the internal network. And if the router has a public-facing root-enabled telnet console... Well... Then it belongs into the trash and nowhere else (:
I appreciate the accurate steps you gave in your joke, makes it funnier IMO - 'unpatched firmware' was my fav. So true.
LPL (outside my house): as you can see, this homeowner went with strictly mechanical and hardwired locks with cryptographic modules on the main entries. clearly, he's subscribed to my channel and doesn't trust technology
@@dercooney Yea, because let's be honest, how many of the "normie" users go, at any point in their day, and think "Hmm... I wonder if any of the smart stuff I have here has an internal firmware update available... So that if someone pwn'd my wifi that I didn't change the password to since first setting it to the name of my son and his birthday, they wouldn't be able to take control of my whole household" -- None, till something huge explodes all over the news...
And even better, what if the theoretical family went like "Hey! If I connect the lock to the internet, I can control it from wherever! So if my spouse forgets her keys while I'm at work, I'll still be able to unlock the door for her!"
And don't get me started on the trend to have all the smart crap connected to "The Cloud, wooooooo~" -- As if that was something to be desired. Then someone compromises /someone else's/ internet-connected servers, and boom, access to all the devices that are part of the "cloud" (Of idiocy)!
...I run a few smart devices at home... But have them strictly stuck on the LAN, with DNS blackholing so they will never connect to the bloody clouds...
He's evolving guys, we're doomed
The Andromeda Strain Lawyer
I thought I saw a lady in a red dress walk by..... Wait, there she is again.
First scene of Tron (1982)
Lol you're right!
During a physical whitehat exercise this exact method was used by a team I used to work with. That was around 3 years ago.
This channel going from breaking into 20 dollar locks to Ocean’s 14
It would be called Ocean’s lock-picking lawyer. It would go for 6 minutes, 4 minutes showing Ocean getting arrested, tried, convicted and put in jail. Then LPL would pick the locks on all the prison’s doors using chicken wire and a bubblegum wrapper (1 minute) and then 30 seconds to pick the bank vault with a toothpick and a 30 seconds of credits.
Oceans 2: LPL and BosnianBill
@@user-wu7ug4ly3v Hahaaa, you forgot to put the party time, another 20-30 sec 😁
But LPL can manage to cut from unlocking time with ease.
@@klannstyle and a second for a trademark statement like "...and that's all I have for you today..." as he leaves a business card for a shocked casino concierge on his way out the door. (face unseen of course)
D Maybe tack on an extra 2-3 minutes so LPL can explain how the locks were so easy to pick and then pick them all a couple more times to show us it wasn’t a fluke...
Video 1097: We are to show how ATM security is flawed by withdrawing 1 thousand dollars using a pair of tweezers and an old mobile phone.
Seriously. LPL is becoming the MacGyver of real life. Keep up the great work.
This is like how in Terminator 2 they have the scene where John Connor and his friend hack an ATM to get hundreds of dollars before heading off to the arcade in the mall.
I mean using specially made electronic equipment to clone RFID signals isn't exactly analogous to MacGyver. If LPL had built this device from chewing gum and some paperclips, then yes.
@@gownerjones Compared to the cost of the system itself (ATMs I mean), and the amount of money to license and develop it, it might as well have been pocket lint and toothpaste.
You don't even need tweezers, human laziness is always the best exploit. Some years back ATMs were compromised because no one at the banks had bothered changing the default admin passwords (like so often on routers). A guy got hold of the installation manual and realized that he could reprogram the ATM (from the user terminal) to think it was loaded with $1 bills instead of $20 bills. All he needed were prepaid debit cards to make withdrawals with a 20:1 return on investment that couldn't be traced back to him. The guy behind the scheme had spotted dozens of ATMs in his city he could compromise, but he needed help to hit all the ATMs in one night. He only got caught because the guy he approached for help was an FBI informant...
It was possible, and might still be possible, to cut power to an ATM for a minute and use the test password used by maintenance to withdraw money.
Not just encryption, the encryption used must be resistant to "replay attacks" (which not every encryption method is).
I think he was referring to smart cards/secure RFID tags that use public key cryptography for authentication or a one time code from a pseudo RNG. Like an EMV card.
I was thinking the same. As seen with many keyless car systems, you can also just clone or forward the encrypted communication and get access granted.
@@hhanh01 Actually, many card readers simply read the number assigned to the card and transmit it back with no encryption at all. He demonstrated that in the video, where the binary stream was just the 6 digit card number.
Yep. Many encrypted locks may as well not be, since they use a single hash rather than a procedurally generated one that is produced at the time of scanning.
A good RFID system should be able to keep the code secure even if everything passed between the controller and the reader is read. Both sides should have a synchronized pseudorandom hash produced by the same seed.
@@OtakuUnitedStudio what sorts of places would for sure have proper security. Typical college campus?
When the government doesn't pay you enough for your spy job so you make youtube videos instead
This device is legitimately used by penetration testers like Deviant Ollam, check out his channel. He gets paid by corporations and governments to test their infrastructure's locks, doors, and security systems by casing the place, physically getting in, figuring out what sort of damage could be done by a nefarious party with that level of access, and writing up a report on this and how to make the place harder to get into.
SideNote 😂👍
@THE DUDE technically you would have to obtain someone else's RFID info and reprogram your own chip to mimic it, as the credits would most likely be registered under the chip's unique ID tied to a bank account. Kinda like how wave cards used to work.
@THE DUDE LOOOL
Bosnian Bill is the retired spy.
I bought a cheaply made RFID reader for less than $20 for my apartment. I used it to run my deadbolt with a car door actuator, and it was really effective. Being a rented apartment I could not do much modification to the door. I used existing holes, and kept all of the electronics behind the door. The RFID reader could read it through the door, and seemed more secure, but who am I kidding? The LockPickingLawyer would just look at my deadbolt, and the tumblers would set, the rotor would turn, and unlock itself as he came near out of respect.
You are my hero of the day, I live in an apt and have been trying to rig something up because my bedroom door is old school, but I want to digitize it so leaving my key behind isn't a worry. The actuator is the missing piece to my puzzle. I'm not concerned about hacking; this interior door is just for privacy from roommates, plus if they get the door open I have a series of cameras and motion detectors inside. It's just a lock for "keeping honest people honest", i.e. if I'm out and someone wants to take a curious peek in my room if the door is open. If you have any details you're willing to share about your setup I'd appreciate it, but I understand if you don't want to give up your trade secrets.
Reading through the wall sounds like a great solution for physical access to the system.
@@shrimpboom8 It is. On the other hand, those cheap readers usually use basic EM4x02, which doesn't have any security. When this card gets into the required magnetic field, it pretty much just screams the ID number in an infinite loop. A device that would allow you to copy any card of this type is actually a nice weekend project.
@@peterkwolek2265 damn that's a lot of security for a bedroom...
@@Seedzification To give a little context, I had the cameras and sensors at a normal deployment for a house, but when I moved the new roommates didn't want cameras in common areas so my security net got all bunched up in my room. If I didn't have the cameras/sensors when I moved in, I would have probably just bought one to snap a photo when I'm away and someone enters. Most of it dies as soon as wifi drops so it's actually kinda poor.
Welcome to the LockPickingLawyer; today I'm going to show you how to access the US Nuclear Arsenal using a microwave and a set of chopsticks.
Don't need to do that..... all you need is a delivery guy's uniform and some luck.
@@shlokjagushte1839 sauce!!?
That reminds me I need to look for a good deal on a microwave for my kitchen.
Comment of the day. 🤣
It's not fair posting this comment on one of the rare videos where he actually uses high tech tools !
"It's some real James Bond Level stuff"
Still nothing compared to real LockPickingLawyer stuff
I’d love it if LPL did a bond-debunking video or an Ocean’s 11 debunk.
@vladypunkyface James Bond opening a door using wifi
I beg your pardon.
@vladypunkyface Exactly, he didn't build this, program it, or even require much skill in operating the device in this presentation. But still a good video.
Wait until the Bosnianbill and LPL version is out
I appreciate that you are doing some really high level stuff here that's beyond the regular mechanical lock picking.
Maybe but I can get and do that. If I can do it....
It is a good demonstration for people so they find out more about the security products they pay for. Why pay for something easily defeated?
Just because you may not understand how something works, doesn't mean those who steal stuff don't.
And remember, this is his HOBBY
Justin R. that’s what he wants you to think.
Imagine how good he is at his real job
@@triskalion9627 I suppose if a guy is being done for something to do with locks, if he can point out how easy it is to pick it can work in their favour.
Actually it's his job. He is getting paid for it.
And now it's OURS
So this is the equivalent of packet sniffing and then repeating captured packets? And being able to basically image what you capture as well? Honestly that's pretty damn slick.
burpsuite irl lol
except there's no packet or sniffing. It's plain binary hi-low signal containing a number.
Yeah, same principle as a man-in-the-middle attack.
@@NGC1433 well putting a chip in the wiring circuit is none other than sniffing and a bunch of consecutive bits is a packet so yeah packet sniffing seems appropriate
@@santiagobirkenstock No, it isn't. The difference is, that you have to actually know the communication protocol for packet sniffing. This reader has most likely just a Wiegand interface, which uses two lines, first one for ones and the second one for zeros. There are no "packets", just a direct serial bitstream.
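Added example, not from the video or any commenter: the controller-side decode of the two-line bitstream described above, in Python, to show that what travels over those wires is just the card number plus two parity bits. The 26-bit layout (leading even-parity bit, 8-bit facility code, 16-bit card number, trailing odd-parity bit) is the common Wiegand-26 format; the pulse timestamps are constructed and the 50 ms inter-frame gap is an assumption.

```python
"""Wiegand-26 decode as a controller sees it (illustrative, not any vendor's firmware)."""
from typing import Iterable

FRAME_GAP_US = 50_000  # assumption: more than 50 ms of silence ends a frame


def pulses_to_frames(pulses: Iterable[tuple[int, str]]) -> list[list[int]]:
    """Turn (timestamp_us, line) pulse events into bit lists.

    A pulse on DATA0 ('D0') is a 0 bit, a pulse on DATA1 ('D1') is a 1 bit;
    there is no framing beyond the pause between cards.
    """
    frames: list[list[int]] = []
    current: list[int] = []
    last_t = None
    for t, line in pulses:
        if line not in ("D0", "D1"):
            raise ValueError(f"unknown line {line!r}")
        if last_t is not None and current and t - last_t > FRAME_GAP_US:
            frames.append(current)
            current = []
        current.append(1 if line == "D1" else 0)
        last_t = t
    if current:
        frames.append(current)
    return frames


def encode_wiegand26(facility: int, card: int) -> list[int]:
    """Build a Wiegand-26 frame; used here only to construct sample input."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility is 8 bits, card number is 16 bits")
    payload = [(facility >> (7 - i)) & 1 for i in range(8)]
    payload += [(card >> (15 - i)) & 1 for i in range(16)]
    even = sum(payload[:12]) % 2        # leading bit makes the first 13 bits even parity
    odd = 1 - (sum(payload[12:]) % 2)   # trailing bit makes the last 13 bits odd parity
    return [even] + payload + [odd]


def decode_wiegand26(bits: list[int]) -> tuple[int, int]:
    """Check both parity bits and return (facility_code, card_number).

    Parity is the only integrity check in this format; there is no secret,
    so a valid frame is accepted no matter who or what produced it.
    """
    if len(bits) != 26:
        raise ValueError(f"expected 26 bits, got {len(bits)}")
    if sum(bits[:13]) % 2 != 0:
        raise ValueError("even parity check failed")
    if sum(bits[13:]) % 2 != 1:
        raise ValueError("odd parity check failed")
    payload = bits[1:25]
    facility = int("".join(map(str, payload[:8])), 2)
    card = int("".join(map(str, payload[8:])), 2)
    return facility, card


def bits_to_pulses(bits: list[int], start_us: int = 0, period_us: int = 2_000) -> list[tuple[int, str]]:
    """Constructed pulse log: one pulse every 2 ms on the matching data line."""
    return [(start_us + i * period_us, "D1" if b else "D0") for i, b in enumerate(bits)]


# Constructed sample: facility 42, card 12345, as the pulse log a controller would see.
SAMPLE_PULSES = bits_to_pulses(encode_wiegand26(42, 12345))

if __name__ == "__main__":
    for frame in pulses_to_frames(SAMPLE_PULSES):
        print("facility, card =", decode_wiegand26(frame))
```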
"This is the LockHackingLawyer"
LPL: "...have a nice day."
Lock manufacturers: "we were having a nice day until you posted this!"
Lock Manufacturers: Welp, back to the drawing board!
@@davidkidd2961 *Next video comes out*
Lock Manufacturers: Welp, time to get a new drawing board!
Interesting! But there is a non-encryption solution for that too. Some of these reader housings have "sabotage contacts". So whenever you remove the housing or take the reader off the wall to access the wires for the ESPKey, an alarm is created. Might not be as safe in the US, where every wall seems to be drywall ;-) But where I work you either create an alarm by manipulating the reader housing, or you alert everybody in the building with the noise resulting from trying to get to the wires through the concrete surrounding them.
I’ve seen those in readers, but not seen them connected to the alarm system.
Often those are disconnected or easily negated just with the proper tool.
Or using RFID keys that are challenge-response types. Doesn't matter if they're encrypted, a challenge is only valid once and only if you have the seed can you get the correct response consistently
@@insu_na that one is basically encrypted.
@@PeterAuto1 ... technically it's part of a precursor for encryption, that being the establishing of a shared session key through a shared secret, but you're not actually encrypting any message with it, you stop just before that step with verifying that you indeed share a session key
This is the lock picking lawyer and today we're going to be breaking into fort knox.
(4 minute video)
Then we'll discover that the vaults in Fort Knox have been empty for decades, hence that the dollar is worth less than its weight in Bitcoins, and then the world economy will collapse overnight... xD
@@kabochaVA The US has been using fiat money for decades
@@paulketner5077
Correct, and the US military and military bases around the world are the only insurance for that to go on and on.
If the world decides to ditch the $ as the main currency the US collapses; that's why the US installs US democracy in countries which foolishly think that they can live without the $.
3:10 dedicated to showing the lock, just 40 secs for picking it lol
Area 51 solo raid
soon:
[1520] Breaking into NASA with a hair clip
That's not very soon
[1420] Breaking into Master Lock's headquarters with a tampon
@@coffeemakerbottomcracked Yes xd
* NSA
@@coffeemakerbottomcracked hell it's master lock, the door probably falls off the hinges if you shake it
I love how he recorded this at 1:40 in the morning and sounds like he’s had a full 9 hours of sleep. This man is a beast.
you serious? pls tell me no..
@@jonathanwieringa8808 Phone says 1:42 when he brings it out to scan.
@@Fiyazai good eyes
Maybe it's an old phone he doesn't use anymore, so that he won't accidentally expose any personal information, and he didn't bother to change the time
This video was uploaded on 28th of February 2020, and at 2:39 in the video the phone also says that the date is 28th Feb 2020, therefore, if the date is accurate, the time most likely is too, as it is connected to the internet and auto updates the time.
"It's some real James Bond Level Stuff, nothing compared to James Bond's spoon, or sliver of orange juice container, but cool none the less!"
Hehe
More like MacGyver tho
Wave Rake, shaken not stirred
Thank you, mate.
@THE DUDE it's not fiction now. They are in fact experimenting with that system in Holland, where everything in the shop is tagged and you get charged to the chip in your hand as you walk out of the door. The shoplifters will be the ones who've chopped off their hand. Easier to spot. lol
I can't wait until next week "This is the Lockpicking Lawyer and I'm in a Nuclear Submarine in the Atlantic, all I had to do was use this can opener and razor blade".
OMG he is MacGyver
Thankfully there need to be 2 people
And here you can see the launch button. Normally this would be locked, but if I just insert this wire you can see the missile is launched with no problems.
@@generalduck1684 and let me do that again to show that it wasn't a fluke.
@@jeffmoberley550 why am I already reading this in the way he talks?
Depending on the encryption method, it may still be possible to do a replay attack without being able to decrypt the data. If a time stamp is included in the encrypted data, and this was checked against a time window by the controller, that's one way of preventing a non-decrypting replay attack.
Obviously, the cards used in the demo are also pretty dumb, and are a point of attack through a concealed rogue reader (backpack-carried units are common). Using smart chips raises the bar a lot higher though.
I was gonna ask about this but you just answered my question! Thanks
You sir... know things...
Was just about to say this; the cards should be nfc smart cards, not just dumb rfid. The controller should use an Incrementer, nonce or challenge response protocol so that it can verify the freshness of the attempt. Encrypting the traffic of a dumb protocol will not fix any of its flaws.
If the RFID is sending the same data to the reader every time, a replay attack pretty much always works, right?
@@cabbageman Is it going to cost more money to have a reader that has this kind of capability? At the very least, assuming you have pretty powerful hardware, you still need a developer to develop all of the software. I'm assuming saving a table of every RFID is way easier than saving the seed of every card and comparing the rolling code every time.
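Added example, not from the video or any commenter, of the freshness check the replies above ask for: a controller that issues a single-use random challenge and a card that answers with an HMAC over its id and that challenge, so a captured (id, challenge, response) triple is rejected both when replayed as-is and when offered against a new challenge. The per-card key, card id and controller API are all constructed for this illustration; real systems diversify the card key from a master key.

```python
"""Single-use challenge-response credential check (added illustration, constructed names)."""
import hashlib
import hmac
import secrets


def _response_for(key: bytes, card_id: int, challenge: bytes) -> bytes:
    # Bind the card id and the controller's nonce under the per-card key.
    return hmac.new(key, card_id.to_bytes(4, "big") + challenge, hashlib.sha256).digest()


class Credential:
    """Stands in for a smart card holding a secret that never leaves the chip."""

    def __init__(self, card_id: int, key: bytes) -> None:
        self.card_id = card_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return _response_for(self._key, self.card_id, challenge)


class Controller:
    """Door controller: random challenge per attempt, each challenge accepted once."""

    def __init__(self, keys: dict[int, bytes]) -> None:
        self._keys = dict(keys)
        self._outstanding: set[bytes] = set()
        self.log: list[str] = []

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, card_id: int, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            # A replayed triple fails here: its challenge was already consumed.
            self.log.append(f"DENY card={card_id}: stale or unknown challenge")
            return False
        self._outstanding.discard(challenge)  # single use, consumed even on failure
        key = self._keys.get(card_id)
        if key is None:
            self.log.append(f"DENY card={card_id}: unknown card")
            return False
        ok = hmac.compare_digest(_response_for(key, card_id, challenge), response)
        self.log.append(f"{'GRANT' if ok else 'DENY'} card={card_id}: mac {'ok' if ok else 'mismatch'}")
        return ok


def static_id_controller(allowed: set[int], presented_id: int) -> bool:
    """The scheme in the video for contrast: a fixed number is the whole credential,
    so any value captured on the wire stays valid until the card is revoked."""
    return presented_id in allowed


CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key


def demo() -> tuple[bool, bool, bool]:
    """Returns (legit attempt, replay of same triple, captured response vs new challenge)."""
    ctrl = Controller({7: CARD_KEY})
    card = Credential(7, CARD_KEY)
    c1 = ctrl.challenge()
    r1 = card.respond(c1)          # an inline tap would see exactly (7, c1, r1)
    first = ctrl.verify(7, c1, r1)
    replay_same = ctrl.verify(7, c1, r1)
    c2 = ctrl.challenge()
    replay_fresh = ctrl.verify(7, c2, r1)
    return first, replay_same, replay_fresh


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```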
LPL is making me feel less and less safe as I watch more videos.
He's just exposing the bad locks that are out there. Good locks are still good locks.
tbf he tests locks on his table.
Generally a decent lock that's hung on a door will still be OK.
Locks are deterrent for honest people ( a symbolic barrier) or for criminals who don’t want the hassle of defeating them.
@@Petertronic Good locks are only as good as the box they are protecting, if you have a house with a window the guy can still just break the window and get in
Locks won't make you safe.Friends, family, community keeps everyone safe.
interviewer : "could you tell me how you would protect yourself against your own clone?"
LPL : "guns... lots and lots of guns...."
😂😂
You'd better not lock 'em up!
Bowley Locks
Maybe a gLOCK
I would connect the lock to the mains. If that fails... well, it was a good shot
You had me worried, I thought you were going to show something like remotely scanning through all the RFID codes until one opened the door and I'd have to rethink the system I set up on my front door. However RFID will work through a wall panel, so you can set up with no exterior access. This is basically my setup, except for a small aperture for the fingerprint scanner pad; the RFID fobs work fine.
For one of those RFID only units, you could embed a real unit in the wall and 3D print a hollow one to put on the outside so people know where to hold their cards. I'd love to see the reaction of a hacker who pried it off!
Anyone can still mount a sniffer to the outside of your wall, picking up the RF transmissions from the card. If you want to be secure you need to use something like DESFire which encrypts the wireless communication.
Scanning all RFID codes is easily prevented by a 30-second delay between successive reads. That is implemented in residential staircase door lock systems even from the post-Soviet nineties, for both button keys and entering a code on a keypad. It even beeps cheerfully for 20 seconds after an unsuccessful attempt.
@Evi1 M4chine you can mount the sniffer a few feet away from the reader on the same wall, or on the roof above the reader. It does not matter how thick the wall is since the signal is not passing through it, you are sniffing on the outside where the user with a valid card is standing.
@@mrfrenzy. you need to get really close to actually power an RFID card, besides if you had something powerful enough to power a card from a few feet it would cause any other RFID cards to also broadcast. That's why you can't hold your wallet to a reader with more than one card in it. Also all modern cards are encrypted so you wouldn't be able to decode the data anyway
@Evi1 M4chine The door and doorframe are usually made from RFID transparent materials. But making a fake reader box won't be done when commercially installing a combined keypad and reader that can be set to require the pin code of the legitimate card holder to ostensibly protect from stolen or cloned cards (and that's the readers usually installed even if nobody ever turns on the pin code feature).
old video: picking open a lock
2020 video: HACKING RFID SYSTEM
@vladypunkyface it sounds new and that's all that matters
Much like with lock picking, hacking RFID systems is way easier than most people think it is.
The FBI had a page some time ago for a day or two before it got pulled about how terrible RFID is and they wouldn't be using it. NFC is just as bad.
"It's some James Bond level stuff..."
"An attacker can compromise the system with very little effort..."
Conclusion: LPL considers James Bond level difficulty to be "very little effort."
Well considering how much alcohol the character drank in the book, that's probably an accurate rating.
Yea ok. Believe everything u see on the internet lol
Because James Bond makes it look easy.
No this is some watch dogs stuff
In his defense, James Bond makes it look easy, too.
People should know that UL listing is important.
UL 294 requires encryption between card readers and controller.
Does UL294 say anything about using non repetitive coding ?
Lately I've been much more choosy when buying wireless tech, making sure security is tough and without gaps. I hate when I'm shopping for (as example) a wireless mouse and they won't say if there's any encryption.
1:42am, while we’re all up in the middle of the night watching his videos he is up in the middle of the night making the videos, this is some meta shit right here
Its 16:00 hours here when he posted 😁
Encryption should be between the card and the controller inside the "secure" area.
DESFire EV2 for example, the crypto happens on the card, there is no way to "clone" it, as the private key never leaves the card.
To elaborate for others: the card itself has a processor and a key saved. The reader sends the card some data that the card transforms using its key. This data is always different. The transformed data gets sent back. Because the input is always different, sending back the same output twice does not work. And thanks to nice cryptography, you cannot get the key, even if you capture input and output.
It baffles me that even though we have readily available cryptography like this companies still manage to manufacture systems that don't include it. How?!
@@justin.booth. Money. It costs a lot less for a simple card lock system. I have a friend that works at a nursing home with a basic reader. The doors are to keep dementia patients from wandering out. Nobody is going to hack in to steal old people.
@@justin.booth. Cost
@@ShadowTigerKing thing is - it doesn't anymore. The algorithms are already there and freely available, that isn't any issue. Cards with the necessary computing power don't need to be any more expensive than the simpler ones by now, and the processors to use inside of the control box are cheap too.
I’m someone who has a vested interest in technology & this absolutely fascinates me. Thank you LPL for making such amazing & informative videos.
Future: "This is the LockPickingLawyer and today I'm going to show you how to break into Ft. Knox with a paper clip and an old cell phone."
"I'm going to step on old cellphone because I enjoy the weird crunching noise it makes on the decorative floor plates. Now, I'm going to bend the......"
"This is the lock picking lawyer, and what I have for you today is the gate codes for Area 51"
Great job. I know most software for these systems have the option to encrypt the data stream so this will show users for these systems how important it is to ensure the system is fully configured, locked down. Thanks for the video!
Except it changes exactly nothing if you are replaying same message, be it encrypted or not.
@@NGC1433 it does matter if the encryption is resistant to replay attacks. Such as having a 10 second window before new encryption is created. Or even just embedding a time sensitive piece of information, such as every request must come with encrypted date/time and if the date time is off by 5 seconds it is rejected.
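The two designs the comments above contrast, a card that only ever sends its fixed number and a card whose answer is bound to a fresh challenge, as an added example (not code from the video, the commenters, or any card vendor). The challenge-response card is a simplified stand-in for the DESFire-style authentication described above; real DESFire EV2 uses AES-based mutual authentication, and HMAC-SHA256 from the standard library is used here only so the example runs offline. The 7-byte UID, the 16-byte challenge and the demo key are assumptions.

```python
"""Replay resistance: a static-ID card next to a challenge-response card.

Added example; not code from the video, the commenters, or any card vendor.
The ChallengeResponseCard is a simplified stand-in for DESFire-style
authentication: a key that never leaves the card, a fresh random challenge
from the reader, and an answer bound to that challenge.  HMAC-SHA256 replaces
the real AES-based protocol so the example runs offline.
"""
import hashlib
import hmac
import secrets

UID_LEN = 7          # assumption: 7-byte UID, only used to split the response
CHALLENGE_LEN = 16   # assumption: 16-byte random challenge


class StaticIdCard:
    """Cheap prox-style card: ignores the reader and always sends its number."""

    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, challenge: bytes) -> bytes:
        return self.uid


class ChallengeResponseCard:
    """Holds a key that never leaves it; every answer depends on the challenge."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        tag = hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()
        return self.uid + tag


class StaticIdController:
    """Accepts any card whose fixed number is on the list (the weak design)."""

    def __init__(self, allowed):
        self.allowed = set(allowed)

    def new_challenge(self) -> bytes:
        return b""            # nothing to bind the answer to

    def verify(self, challenge: bytes, response: bytes) -> bool:
        return response in self.allowed


class ChallengeResponseController:
    """Issues a fresh random challenge per transaction and checks the MAC."""

    def __init__(self, keys_by_uid):
        self.keys = dict(keys_by_uid)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(CHALLENGE_LEN)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        uid, tag = response[:UID_LEN], response[UID_LEN:]
        key = self.keys.get(uid)
        if key is None:
            return False
        expected = hmac.new(key, uid + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def sniff_and_replay(card, controller):
    """One legitimate transaction, captured by a sniffer, then replayed later.

    Returns (legitimate_accepted, replay_accepted).
    """
    challenge = controller.new_challenge()
    response = card.respond(challenge)        # the bytes a sniffer would record
    legit = controller.verify(challenge, response)

    # Later: the attacker presents the recorded bytes in a fresh transaction.
    replay = controller.verify(controller.new_challenge(), response)
    return legit, replay


# Constructed demo card; the UID and key are not from any real deployment.
UID = bytes.fromhex("04a1b2c3d4e5f6")
KEY = secrets.token_bytes(16)


def demo():
    static = sniff_and_replay(StaticIdCard(UID), StaticIdController([UID]))
    cr = sniff_and_replay(ChallengeResponseCard(UID, KEY),
                          ChallengeResponseController({UID: KEY}))
    return {"static": static, "challenge_response": cr}


if __name__ == "__main__":
    for name, (legit, replay) in demo().items():
        print(f"{name}: legitimate={legit} replay={replay}")
```

The static controller accepts the recorded bytes a second time because it has nothing else to check; the challenge-response controller rejects them because the MAC was computed over a challenge it will never issue again. Note that this only protects the card-to-controller hop if the verification happens at the controller: a reader that verifies the card and then forwards a plain card number over Wiegand reintroduces the replay at the wire.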
You’ve now taught me how to break into my old office at a place “that doesn’t exist”.
They use all of these same devices.
HAHAHAHAHAHAHAHH
Evil Wins:
*PICKALITY*
What place did you used to work at lol im genuinely curious or is it OPSEC?
@@swiftsmile He used to work for Tony Stark, now he's showing his true colours #Mysterio
@@PrinceKashyap. lmao
It's McDonald's. He just can't get enough of those big mac's! Can't blame him though! Lol
More specifically: The communication should be secured between the controller and the RFID card, not just the reader (which would have to hold the communication secret, which in turn could be extracted by an attacker). Then, of course, you could no longer use the el-cheapo cards...
Agree. These RFID systems are very vulnerable to cloning. Even the handshake ones would be vulnerable to mitm relay attacks though that obviously involves more effort.
Yeah I actually came here expecting him to use a MitM device to intercept the RFID signal.
That's why the industry is pushing for people to use their phones, with public private key handshakes. google OSDP. It's what HID global is trying to make the new standard
Imagine hearing late at night: (MUFFLED) "This is the LockPickingLawyer, this RFID system looks, secure, but has a serious flaw; we're going to gain access using that serious flaw." [RFID reader makes beeping noise, door opens] (Voice no longer muffled) "and just like that we're in"
I've been learning ESP chip programming, I never thought I would see LPL talking about it.
Imagine you just chillin in your house and you hear “one is binding, two is loose” outside your door
And this has been said in every video for the past 3 years.
@@hotrodhog2170 so say we all
@@hotrodhog2170 it's even worse on this video as there's no pins involved
Imagine writing someone else's comment, word-for-word, in the hopes of boosting your self-esteem by amassing a fundamentally-useless collection of likes? 🙄
Hey, I'm a cybersecurity student so I just wanted to comment on one of the things you mentioned. You stated that if the signal was encrypted then this wouldn't work, but one of the failures of many low-budget security companies is that they constantly use the same encryption software every time. This makes it so that if the attacker took it one step further and tried to decrypt the signal with commonly used software, they are more than likely to find a match.
That's precisely why seamless security is so important. For instance, the connections should be routed in such a way that accessing it is at least as difficult as breaking down the door would be. Also a system like that would have to include one or more tamper-sensing mechanisms which block the system entirely when the accessible part is tampered with.
Now I have to change ALL the locks on my secret lair.
Come on guys, throw me a freakin bone here!
The best defense is posting push signs on the doors that pull out or pull on ones that push.
And lower the height of the freakin locks, OK? Because I'd hate for Mini-me to get trapped inside during an (air quotes --->) "emergency."
Excellent video. A visual demonstration of a "man in the middle" attack.
"This is the lockpicking lawyer and today we are going to hijack a russian MIRV with my grandmother's parabola antennae and this programmable TV remote."
Lawyer at firm: I forgot my key card, and keys to my office
LPL: I might know a guy that can help
Lawyer: Which one? Key card or door lock?
LPL: Yes
LPL: ...... Runs into phone booth, puts his underwear on the outside, reemerges and gains entry.
@@twotone3070 yesssssss
We have to binge watch and learn this to prep for the upcoming zombie apocalypse.
Q: "Now pay attention James, the latest from our boys in the lab is some real LockPickingLawyer stuff!"
"This is the hacking network layer and we have for you today". Love this channel
First of all, that's some very dedicated setup, nicely done!
For most use cases that replay attack is more dangerous than the encryption. But this depends on the building; if you can protect the housing and the wires, then it is fine.
First is that replay attack: it should never be possible to re-issue authentication, it should be one-time use before that specific bit of data expires. This is widely known and there are ways to counter it.
Second is that encryption. I get that they think "it's inside the wall, should be fine unencrypted", but that is a very naive mindset; those wires could be hundreds of meters long in business buildings, which could be intercepted and read at any point.
I'm still waiting for him to pick a bank safe.
Asking for a friend
me too. wanna team up? i mean introduce your friend to my friend?
jose almeida what
@@masteryoda8829 i just want to introduce a friend of mine to a friend of his so they can do the "job"together. 😂😂😂
@@josealmeida5768 Alright Flowers By Irene, your cover's blown.
He already did that in a video, if I'm not mistaken. Unless it was Biosnianbill.
"The names L...LPL Licence to pick your locks"!
I love this channel and all it's videos. If there's anything I've learned its that all locks are supposed to just slow someone down long enough for them to either give up or get caught.
Imagine the FBI boss hearing outside his office door: "Click outta 1, number 2 is binding..." 😅
The proper way to do that is to be inside the director's office when he arrives at work. "Sir, we need to upgrade your office security."
ROFL... :D
Or inside the bureau of the security officer: "I just wanted to hand over my Job-Applikation."
If I'm remembering correctly there's an easier way, the 'keys' always transmit their RFID data. Myth-busters did an episode on why the new RFID bank cards (the ones with the little 'gold' chip in the corner) are a horrible idea but they weren't allowed to air it because the 'banks' (they didn't specify) wouldn't allow it.
All you'd need to do is place a very small RFID reader with a sensitive enough receiver (depending on the distance from the legitimate card reader) within any area where the card will likely be in - in the case of an elevator, all the easier, as you'd just place it in a corner or on the roof - and have any data the reader receives sent off, no need to fiddle with any wires and can be done incredibly discreetly. Alternatively you can swipe a card reader by someone you know who has a key (and know where it is on them), as long as it isn't held in a lead wallet, the RFID will be stolen.
It doesn't matter if the card's data is encrypted or not as a duplicate card will just be able to send the same signal, just because you don't know what the encrypted data says doesn't mean it isn't duplicatable. If the encryption employs some sort of pseudo-random cycling system (as all cards will have to have the encryption 'key' cycle identically, so it can't be truly random) then that doesn't stop it either, it just makes it take longer before the cycle is broken, and even then the duplicate keys will work until cycled. Even if a multi-level cycling system is used, where each cycle is cycled each day/month/etc., the same method can be used.
The best way to stop it from happening? Don't let anyone but authorized people anywhere near the sensor - which obviously means guards, almost entirely defeating the entire point in the system to begin with when it comes to securing rooms.
This exact same method can be applied to the RFID chip on bank cards too, but I don't know enough about its security to know if the same method would actually work or not *anymore* . But what I do know is that this is essentially the same tactic used for stealing credit cards via creating 'hidden caps' that go over the legitimate ones and look identical, they don't read the RFID (because bank cards didn't always have them) but all of the cards information. A little tug on the hubcap will instantly pop the fake one off, though, so they're easy to check for.
I was thinking the same thing, you don't need to access any wires, just a valid card.
The same thing is true for credit cards, except that there cannot be encryption due to the way RFID credit cards are used. There cannot be a standard encryption for an infinite number of readers that an attacker can't get access to. To make this even worse, the cards don't use an RFID version of the cycling chip that is read at the card provider, it just transmits the credit card number and security code in plaintext.
That only works with cheap passive RFID. Active RFID can have secrets stored on the card that are not exposed to a reader.
The metal chip on bank cards is physical contact, not RFID. RFID has a small coiled wire in the card usually.
Guard: "Welcome to maximum security prison."
LPL: "I'll call you from my house in 20 minutes."
because it takes 18 to get there
"In any case, that's all i have for you today. Thank you for coming to my DEFCON talk"
Are the bolts open or closed when the power goes out.
It would be more secure to be closed, but I've a feeling fire regulations might require them to be open.
...what happens if you forget about codes entirely and try to kill the controller on the other side- pump a stiff 100v through those wires. Does it fail open?
Or maybe just taking a security light off the wall and using it to trip the breaker...hmm
I feel like it doesn't have an internal battery so how the fuck does it open when power is out?
@@iare19 You have to provide "your own" uninterruptible power supply when installing this kind of access control system.
I have worked a place where the simple solution to this was simply having two doors side by side.
One door for exiting which couldn't be opened from the outside, and was opened mechanically from the inside.
And the other door for entrance only, opening electrically from the outside.
But a much better solution would just be to be able to override the bolt from the inside manually, and having it be normally locked.
@@psirvent8 If that's the case, i certainly don't hope the building is set on fire by a lightning, taking out the UPS.
Dylan Davies i’d rather use a lock and key
This is really cool. For consumer/commercial level systems.
Will not be breaking into too many high security installations. As readers are encrypted too. With a site specific key. Also the use of entry and exit readers prevents cloned cards being used without security being alerted. About 1 second after you present a duplicate card..
Extremely important to connect the tamper switch on the pad to the central alarm so you know if a physical attack was performed. Indoor wire should be inaccessible in wall or in metal conduit for an inside job.
In my experience there are very few "secure" doors in the field that can't be opened with a shim or a can of compressed air.
@@MrRusell86 the compressed air attack is for doors that open automatically on exit using infrared sensors : the decompression cools down the air quite a lot compared to the ambient temperature and the airflow can travel far enough to trip the system.
I have no idea why your lock picking videos have been constantly appearing on my RUclips, but finally decided to watch one and now I'm strangely hooked.
Thank you so much for this video! I used to write spy stories but gave up when I got too busy to research them. This video is like a hand delivered info dump 💙
You're amazing, you teach people how to better secure their valuables.
And at the same time, teaches thieves on how to get past security systems.
@@TMGMedia73 true, but no lock is unpickable as LPL clearly proves. It's why insurance is important along with locks that meet their levels of adequacy.
This has got to be one of the best videos you have. I'm also basically obsessed with electronics and how they work so there's a ton of bias here lol
This guy's content is great.
Anyone needing to deal with lock security on a small or large scale should follow him.
I'm getting more convinced by the day that the "lawyer" part of his name refers to the FBI
I LOVE your videos about electronics locks the most.
With the world going more digital, more "modern" buildings are also going electronic.
episode 5000: how to read people's minds
"Small click out of 3..."
when you've picked every lock that requires a "key" and need a better challenge
About fifteen years ago I worked for a company that issued an RFID card key to each employee. I noticed that as you exited the building there was an infrared motion detector that caused the door to be unlocked as you were about to push the push bar to open the door and leave. There was a double glass door entrance with a flap that would automatically close over the gap between the doors when they were closed. But it kept getting jammed so they removed it. One Sunday I came to work when no one else was there. I unbent a coat hanger and attached a flattened soup can to the end. I heated the soup can with a propane torch. I slipped this thing that looked like a flag through the gap between the doors and waved it around. In a matter of seconds I heard a loud click and was able to open the door and walk in without using my card key and without setting off the alarm. The next day I told the facilities manager what I had done. He didn’t believe me until I demonstrated it to him.
I'm wondering if it could be done by bouncing a laser pointer off of something reflective.
Awesome vid!
i love you Samy
"This is LPL and today we're at the Ft. Knox gold depository with a chewing gum wrapper, safety pin and some chopstick."
I have one of these locks at the base of the stairs to the communal car park, a more unorthodox method of putting your shoulder through the door seems to work pretty effectively for someone, as they have definitely busted through!
Somehow the knowledge that he's shooting this at 2 in the morning just feels right
Ahhh at 9:00 he uploads the perfect time to ignore my class
are you the "teacher"?
:-)
@@C...G... no
@@dragonsbreath389
lol i guess that's okay then!
:-D
You should study in school and pay attention to your classes, my friend!
@@qrqrqr0515 I'm ahead in my class anyway
In the early 1980's I was working for what was then one of the largest computer companies in the world. My task was to prepare a computer for the market, integrate it with the operating system. I worked with about a dozen other people. All of us had access to a lab with the prototype. Anyone unauthorized, even an employee could do a lot of harm simply by seeing how far along we were. At first there was a key pad. The entry code was the project code name for the computer. This received some criticism and demonstrative pranks. Then they put in a key card, same problem as you identified. More pranks and criticism. Since the lab was filled with computers, intercepting the wiring was especially easy too. Other facilities I worked in were semi-conductor development labs. Those had a "Roach motel" entry. a phone booth sized thing would rotate 90 degrees. If someone inside did not approve, you would be rotated back out politely or left to wait for security. That was pretty intimidating. I never found out what would have happened if there was a fire.
Sometime in the future...
"This is the Lock Picking Lawyer and today we're going to be opening this bank vault."
I have a huge interest in RFID hacking since I used to have to deal with access control at work, thank you for a very interesting and educational video. I'll be making sure to talk to our IT guys to make sure the tamper alarm is installed 😂
..or putting either side readers in? Once you're in, you need to swipe out, as the system knows you're already in? Make emergency egress a break glass override.
Probably can't do that in a business. In my area, you have to be able to easily open the main door from the inside in case of fire.
@@chalion8399 emergency egress....break glass override...!!
Might want to hire new IT members if the current ones don't already know about this attack...
Reader tamper alarms would not be 100% reliable since this device punches through the wires, the connection is never interrupted so you wouldn't see any tamper alarms in your access control software's log, unless... the attacker had no way to access the wiring conduit directly, and had to unmount the card reader, that would definitely trip either a mechanical or photosensitive sensor. Two lessons here: 1) make sure your card reader has a tamper feature and 2) (probably the most important one lol) keep your wiring conduits safe and absolutely out of reach.
Everyone rushing to exclaim that "that wouldn't work in ..." needs to remember that LPL doesn't build his own boards. He uses equipment available on the market. I bet that RFID system in the video is a pretty commonly used one, and as he said, is actually better than many.
3:32 - otherwise an attacker can compromise the system WITH VERY LITTLE EFFORT.
Bruh.
@Alexander Supertramp you have to have physical access to the card reader long enough to install the device and get back out undetected.
@Alexander Supertramp and you have to wait after installing the unit until someone uses the reader you installed it on...... easy, but not convenient if you are trying to get in NOW....
You remind me of Krieger from Archer.
OK I'm not getting paid enough so I'm going to sell information.
I think you kinda miss his goal, as well as those of most people with a similar mindset.
The entire idea behind the types of videos LPL makes, and really teaching people how to pick locks in general, is to educate people and thereby equip them to implement better security.
I mean, think about it. Before the internet only locksmiths and criminals knew how bad Masterlock was and they made a fortune shilling their terrible products, but today they're starting to lose sales to the likes of Paclock thanks to the efforts of LPL, Bosnianbill, Deviant Ollam, and all the other security minded folks teaching anyone who'll listen about security.
Fuck yes bro! 😂 I love Archer & I see the similarities as well haha
@@krissisk4163 underrated comment
I love your videos. It alters my perception of security and how to improve my own home security. Thank you for all your hard work.
did you do this because modern rogue has been covering RFID with deviant ollam?
Next line of videos will be all about hacking locks. Master will still require only a chicken bone.
XD
Randomly got re-recommended this video after two years. my jaw still hits the ground when I see this. The future is NOT more secure from those that are well-informed. unreal
Some systems, while still being unencrypted, have an "anti-pass-back" mode which is designed to prevent a user from passing the card to someone else over a turnstile for example. The card must be seen "badging out" before it can be used to "badge in" again. This would probably go a long way toward preventing the replay attack.
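The anti-passback rule described in the comment above, run over a constructed badge log, as an added example (not code from the video, the commenter, or any access control product). The event format and the hard rule (a number must badge out before it can badge in again) are assumptions; a site with no exit reader, as the next comment notes, has no state to check and cannot run this logic.

```python
"""Anti-passback as a detection for replayed card numbers.

Added example; not code from the video, the commenter, or any access control
product.  Event format and the hard anti-passback rule are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BadgeEvent:
    ts: int         # seconds since midnight; constructed timestamps
    card: int       # card number as delivered by the reader
    reader: str     # "in" or "out"


class AntiPassback:
    """Tracks who is inside; grants only transitions that make sense."""

    def __init__(self):
        self.inside = set()
        self.alarms = []

    def process(self, ev: BadgeEvent) -> bool:
        if ev.reader == "in":
            if ev.card in self.inside:
                # Either a pass-back over the turnstile or a replayed number.
                self.alarms.append((ev.ts, ev.card, "entry while already inside"))
                return False
            self.inside.add(ev.card)
            return True
        if ev.reader == "out":
            if ev.card not in self.inside:
                self.alarms.append((ev.ts, ev.card, "exit without prior entry"))
                return False
            self.inside.discard(ev.card)
            return True
        raise ValueError(f"unknown reader {ev.reader!r}")


def run(events):
    """Returns (list of grant/deny decisions, list of alarms)."""
    apb = AntiPassback()
    decisions = [apb.process(ev) for ev in events]
    return decisions, apb.alarms


# Constructed badge log: at 09:05 an attacker replays card 2002's captured
# entry frame while 2002's holder is still inside.
SAMPLE_EVENTS = [
    BadgeEvent(32400, 2002, "in"),    # 09:00 legitimate entry
    BadgeEvent(32460, 1001, "in"),    # 09:01 legitimate entry
    BadgeEvent(32520, 1001, "out"),   # 09:02 legitimate exit
    BadgeEvent(32580, 1001, "in"),    # 09:03 legitimate re-entry
    BadgeEvent(32700, 2002, "in"),    # 09:05 replayed frame: denied, alarm
    BadgeEvent(32760, 3003, "out"),   # 09:06 a number that never entered
]

if __name__ == "__main__":
    decisions, alarms = run(SAMPLE_EVENTS)
    for ev, ok in zip(SAMPLE_EVENTS, decisions):
        print(f"{ev.ts:>6} card {ev.card} {ev.reader:<3} -> {'grant' if ok else 'DENY'}")
    for alarm in alarms:
        print("alarm:", alarm)
```

The replay is denied only because the legitimate holder had not left yet; if the attacker waits until after the holder badges out, the replayed number is accepted like any re-entry. Anti-passback narrows the window and produces an alarm worth correlating, it does not replace encrypted reader-to-controller communication.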
Where I (normally) work, there is no 'badge out'. You just walk out the door.
well - you do need to get to the cable to do this "man in the middle" attack. Which usually means you have to have had time inside the building unobserved.
And also you must leave the ESP work until someone uses the right card to open the door.
And also you must know the wiring (which ones are data lines and power lines).
No, you do not need *any* time inside first. That reader box has to be mounted on the outside. It should not be too difficult to get into it, connect the ESPKey module to the wires, and close it again, avoiding visible damage. The wiring scheme is no problem to work out, and will often be publicly available.
@@JohnnieHougaardNielsen seems like a really poor design, then. I'd have the control unit pass through the wall completely, with the access panel on the inside wall.
@@JonathanSchattke Seems like a cheap design. Unless you want to cut holes into the wall next to every door. And then you would still need to buy physically tough readers anyway to prevent access.
Something will always be on the outside and you need to secure it
@@JonathanSchattke Yeah, not at all a good design when such a simple replay attack can work.
Starting from the point of a standard setup with a wall and a door opening, it would make the lock much harder to sell if making a big hole in the wall was required. Of course, if the doorway from the start is designed to accommodate this, it can work reasonably well.
To me, the solution suggested by LPL seems more practical, encrypted communication from the reader to the control unit behind the door. The reader+encryption should be a sealed module, having no wires or soldering points with unencrypted data. A good design should hinder an intruder from just replacing the outside reader with a hacked one. Ideally, the RFID tag should also be updated each time, to ward off replay attacks.
Of course, any setup with a passive RFID reader has a vulnerability if someone is able to hide an extra RFID reader very close to the existing one, but this is harder to make invisible.
Every video is clean, neat, well thought out and perfectly executed 👍
Hello, very interesting video! I've some thoughts:
1. Removing reader from the wall is often protected by some sort of system, i.e. light sensor, which triggers 'sabotage' alarm.
2. wires will often be buried inside a wall and accessing them might not be that easy
3. If it can read signal can't it be upgraded, so it could repeat any stored data? You wouldn't need to encode the card anymore, just click 'repeat' on the phone.
Hi Marcin - I specialise in access control and security. Just wanted to answer your questions.
1) Often low cost readers do not have a dedicated tamper connection and because the comms used here are wiegand and uni-directional, it’s often hard to get a tamper alert to the system if the reader is removed. Not all access systems are properly monitored either, so tamper alarms are useless anyway in this case.
Using OSDPv2 encrypted comms (bi-directional) a tamper alarm is easier to achieve. The bigger threat here is an unsavoury installer adding these devices on installation without the customer knowing and then returning months later to utilise them and get access to do criminal activity.
2. As per point 1, can be done on install and later directly at reader.
3. You can build different firmware for these devices. We built one using BluetoothLE and could store as many card numbers as needed and playback at anytime, no cloning of cards needed. However the LPL makes a great point that you are only as secure as your weakest link, in that the card technology is as important as encrypted comms.
In summary, if you are installing a high security access control system use OSDPv2 encrypted comms and a secure smart card with encryption such as DESfire EV3 with diversified keys or iClass SEOS.
HID Prox, EM Prox, Mifare classic, Mifare sector, iClass legacy, DESfire UID’s can all be easily copied.
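What an inline device on the reader-to-controller wires actually sees with unidirectional Wiegand, and why a stored frame can simply be played back later, as an added example (not code from the video, the commenters, the ESPKey project, or any vendor). It models the open 26-bit format (even parity, 8-bit facility code, 16-bit card number, odd parity). A real tap sees the bits as pulses on the D0/D1 lines; here they are a string of '0'/'1'. The controller model is an assumption: it checks parity and list membership, which is all an unencrypted Wiegand controller can do.

```python
"""Wiegand 26-bit frames on the wire and a store-and-replay tap.

Added example; not code from the video, the commenters, the ESPKey project,
or any vendor.  Frame layout: E + 8-bit facility + 16-bit card + O, where E is
even parity over the first 12 data bits and O is odd parity over the last 12.
"""


def encode_wiegand26(facility: int, card: int) -> str:
    """Build a 26-bit frame as the reader would clock it out."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility must fit 8 bits and card 16 bits")
    body = f"{facility:08b}{card:016b}"
    left, right = body[:12], body[12:]
    even = str(left.count("1") % 2)          # make ones in E + left even
    odd = str((right.count("1") + 1) % 2)    # make ones in right + O odd
    return even + body + odd


def decode_wiegand26(frame: str):
    """Check length and both parity bits; return (facility, card)."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("not a 26-bit frame")
    body = frame[1:25]
    if int(frame[0]) != body[:12].count("1") % 2:
        raise ValueError("even parity error")
    if int(frame[25]) != (body[12:].count("1") + 1) % 2:
        raise ValueError("odd parity error")
    return int(body[:8], 2), int(body[8:], 2)


def frame_is_valid(frame: str) -> bool:
    try:
        decode_wiegand26(frame)
        return True
    except ValueError:
        return False


class Controller:
    """Unencrypted Wiegand controller: it cannot tell a card from a replay."""

    def __init__(self, allowed):
        self.allowed = set(allowed)   # (facility, card) pairs
        self.log = []

    def present(self, frame: str) -> bool:
        try:
            ident = decode_wiegand26(frame)
        except ValueError as exc:
            self.log.append(("rejected", str(exc)))
            return False
        ok = ident in self.allowed
        self.log.append(("granted" if ok else "denied", ident))
        return ok


class InlineTap:
    """Sits on the wires, passes every frame through, keeps a copy of each."""

    def __init__(self, controller):
        self.controller = controller
        self.captured = []

    def passthrough(self, frame: str) -> bool:
        self.captured.append(frame)          # nothing on the wire is changed
        return self.controller.present(frame)

    def replay(self, index: int = -1) -> bool:
        return self.controller.present(self.captured[index])


def demo():
    # Constructed credential; not a real facility code or card number.
    controller = Controller(allowed={(123, 45678)})
    tap = InlineTap(controller)
    legit = tap.passthrough(encode_wiegand26(123, 45678))   # employee badges in
    later = tap.replay()                                     # attacker plays it back
    unknown = controller.present(encode_wiegand26(123, 1))   # not on the list
    return {"legit": legit, "replay": later, "unknown": unknown,
            "captured": decode_wiegand26(tap.captured[0])}


if __name__ == "__main__":
    print(demo())
```

Because the frame carries no challenge, timestamp or MAC, the controller's log shows the replay as an ordinary grant for the same facility code and card number; parity only catches line noise, not a deliberate playback. This is the gap OSDPv2 with Secure Channel closes on the reader-to-controller hop, and the reason the card technology still matters for the card-to-reader hop.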
@@Ricky-ln6rt Thank you for sharing your knowledge! Very interesting post.
@@Ricky-ln6rt I mean, in this case, he could have just not worried about the device and written some code to loop through numbers until the lock opened (based on the assumption that there seems to be an unlimited number of attempts and the codes are numerical). Definitely would be faster than trying to wire in a device and worrying about tamper alerts.
Hi @@jasonsumpter1641 not quite, when you take into account most modern systems are 128 bit systems, that would take quite a long time.
Cloning the actual card number and replaying it back to the reader in seconds is much more efficient.
But this is rather here nor there, if this is a secure entryway it should be two or three factor ensuring the attack you speak of is mitigated easily.
"Don't worry, we're safe behind this door; it's a foot of solid steel with a state of the art lock."
"4 is binding."
"Sweet salty Christ no."
Only if 3 wrong codes don't lock you out for 24 hours; 3 wrong PINs in an ATM causes it to swallow your card!
Intercepting the wires in the example given only works if you know which one is which; no one reputable is going to use red and black for power! These cables typically have 8 wires with over 4000 combinations, 8 x 7 x 6 x 5 x 4 x 3 x 2 x 1!
Just find a security system that runs on 24 volts and when the thief installs his ESPKey, it will blow it up since 18 volts is max on the ESP key.
You can make it 24 v
yup, making it 24v capable is super easy, barely an inconvenience.
If 24V security systems ever become a thing, you'll have 24V ESPKeys
Resistor: "Hi."
Super ghetto but it'll work.
Make a security system that powers its readers via supercapacitor or/and rechargeable battery within the device. It'll pulse voltage for a few seconds at a shot just to top the battery off, and have no line voltage otherwise. That makes it impossible to use an inline device unless it also has its own power.
Or just frickin' shield or pot your wiring... can't clip into what you can't access without being obvious or breaking things.
…’with very little effort.’
News Flash: If someone can do what the LPL just did, they’re getting in, encryption or not. No, they may not clone a card, but they’ll summon the mother ship, use the miniaturization gun on themselves, and just walk under the door.
With my education in tech, this is all stuff I'm familiar with.
This also works for most car remotes. I made a record/replay device using an Arduino and a simple cheap 315MHz RF receiver, a 315MHz RF transmitter, and a similar 433MHz pair. I wrote a program to record every received signal after pushing a button, and replay it after pushing another button. It worked for every car I tried it on! I think it may not work on high-end two-way remotes on expensive high-end cars like Lamborghinis. Although I'm not sure about that ;-)
“Today I will unlock Area 51’s front door, using a water bottle and a selfie-stick.”
Government be like “pay him all the moneys”
It's basically a skimmer. I did some "security research" back in college that involved defeating their magstripe locks with a similar approach, only the skimmer and associated data-dumping electronics were designed from scratch and buried within the card reader body. There's a fair amount of space inside and hiding an extra MCU is easy. Some of the readers had tamper switches but of course none of them were wired. Then there was a card emulator that went into the card slot and could simulate a swipe of an arbitrary card, which isn't difficult to build if you have some basic embedded knowledge and know how the tracks are laid out. But most systems use only one track, and tend to follow the one published standard. We wrote a paper on it and they issued everyone new cards, but it got a bit messy (there's more to the story and it gets a lot worse) and in the end they recalled all the new cards and erased/rewrote them (correctly this time). Based on where you live, you may have actually heard about this one
Mag data has always been easy to dupe, many universities introduced cards with dual stripes at the back to make it harder. (As you can only program one at a time, two tape heads quickly sorted that)
Still, many had infinite free photocopies and laser prints ;-)
@@BleughBleugh my school was smart enough to tie each photocopy card to a unique ID, and do bookkeeping "in the cloud" which effectively thwarts card shenanigans unless you can predict another card's ID. But the key cards? Hoooo boy. I've seen some university cards use dual tracks, but this tends to be for compatibility with point-of-sale terminals at quasi-affiliated vendors who set up shop on campus. The vast majority of campus key card readers are knockoffs / rebrands of the MR5 model from Mercury Security, and are single-track. You'll be lucky if it's an MR10 model, and if the tamper switch even goes anywhere. Fun fact: the card reader is entirely agnostic to the track position (the head is movable via set screw), the track format, or even the swipe direction. It outputs a raw bitstream, regardless of whether it's Track1 (7-bit alpha) or Track2/3 data (5-bit numeric). If you swipe the card backwards, the data comes out backwards. The decoding (and reverse correction) is entirely up to the controller that sits upstream of the card reader.
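The decoding job the comment above leaves to the upstream controller, as an added example that is not part of this thread or any vendor's firmware: a Track 2 (5-bit numeric) decoder that checks per-character parity and the trailing LRC, and recovers a backwards swipe by retrying on the reversed bitstream. The bitstream is constructed in code from a made-up card string; the ISO 7811 conventions it assumes are 4 data bits LSB-first plus an odd parity bit per character, ';' as start sentinel, '?' as end sentinel, and an LRC character after the end sentinel. Track 1 (7-bit alpha) is not handled.

```python
"""Decode a raw ISO 7811 Track 2 bitstream the way an upstream controller must.

Constructed example: the encoder below exists only to build a realistic
bitstream (leading/trailing clocking zeros, sentinels, LRC) for the decoder.
"""

START_SENTINEL = 0xB   # ';'
END_SENTINEL = 0xF     # '?'


def _char_to_bits(value):
    """Encode one 4-bit Track 2 value as 5 bits: data LSB-first, then odd parity."""
    data = [(value >> i) & 1 for i in range(4)]
    parity = (sum(data) + 1) % 2      # total number of ones across the 5 bits is odd
    return data + [parity]


def encode_track2(text, leading_zeros=10, trailing_zeros=10):
    """Build a constructed bitstream for text such as '1234567890=2512' (no sentinels)."""
    values = [START_SENTINEL] + [ord(c) - 0x30 for c in text] + [END_SENTINEL]
    if any(v < 0 or v > 15 for v in values):
        raise ValueError("Track 2 only carries characters '0'..'?'")
    lrc = 0
    for v in values:                  # LRC covers both sentinels and all data
        lrc ^= v
    values.append(lrc)
    bits = [0] * leading_zeros
    for v in values:
        bits.extend(_char_to_bits(v))
    bits.extend([0] * trailing_zeros)
    return bits


def _decode_forward(bits):
    """Parse in the given direction; return the text between sentinels or None."""
    try:
        pos = bits.index(1)           # first 1 is the LSB of the start sentinel
    except ValueError:
        return None
    chars, lrc = [], 0
    while pos + 5 <= len(bits):
        group = bits[pos:pos + 5]
        pos += 5
        if sum(group) % 2 != 1:       # odd parity violated: bit slip or bad read
            return None
        value = sum(b << i for i, b in enumerate(group[:4]))
        lrc ^= value
        chars.append(value)
        if value == END_SENTINEL:
            break
    else:
        return None                   # ran out of bits before an end sentinel
    if chars[0] != START_SENTINEL:
        return None
    if pos + 5 > len(bits):
        return None                   # no room for the LRC character
    lrc_group = bits[pos:pos + 5]
    if sum(lrc_group) % 2 != 1:
        return None
    if sum(b << i for i, b in enumerate(lrc_group[:4])) != lrc:
        return None                   # LRC mismatch: reject the whole swipe
    return "".join(chr(0x30 + v) for v in chars[1:-1])


def decode_track2(bits):
    """Decode in either swipe direction; returns (text, was_reversed) or (None, None)."""
    text = _decode_forward(bits)
    if text is not None:
        return text, False
    text = _decode_forward(bits[::-1])   # backwards swipe: the stream is mirrored
    if text is not None:
        return text, True
    return None, None


if __name__ == "__main__":
    stream = encode_track2("1234567890=2512")   # constructed, not a real card
    print(decode_track2(stream))                # ('1234567890=2512', False)
    print(decode_track2(stream[::-1]))          # ('1234567890=2512', True)
```

Rejecting any swipe with a parity or LRC failure, rather than trying to salvage it, is the design choice that matters here: a controller that accepts partially corrupt reads gives up the one integrity check the format offers.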
@@evil-wombat you know your stuff :-)
Back in the early 2000s the most fun (and profit) was had ‘reprogramming’ store loyalty cards
Was hilarious presenting a store card programmed with my own credit card details and having it work!!!
Then they had to introduce chip and pin and spoil it for everyone with a mag swipe encoder (or hacked tape deck)
I’m still amazed that stores incremented loyalty card numbers by 1 each time…naughty people would have unlimited points with a card programmer
@@BleughBleugh oh man, I hadn't thought of trying that. I kind of expected all the loyalty points to be tracked server-side, but I guess the early 2000s were kind of full of bad design. I "may or may not" have used a library photocopy card for my meal plan at one point, and "might" have been the only one with a functional "new" student id card (that is, after they were mailed out but before they were activated). Had to make sure I read that like, ten times, before wiping it. Good times.......
