At the 30th edition of the Chaos Communication Congress, security researcher Adrian Dabrowski has demonstrated how radio-frequency identification (RFID) master key cards used for city apartment buildings can be cracked.
Master key cards are designed to allow emergency personnel, postal services and garbage pickup workers to gain access to a building
According to Wired, the expert has used locks from Begeh Schließsysteme in his experiment. This vendor’s products have been installed in over 9,000 locations across Vienna, the capital city of Austria. The company says its products cannot be cloned, and it claims to have the ability to blacklist revoked or stolen cards.
Dabrowski started his experiment after convincing a wholesaler to provide him with a lock system. He then acquired an RFID reader and built a card simulator device.
In order to collect data from cards, he used a clever method. He sent himself a package containing a mid-range RFID reader that scanned all signals in its radius. When the postal service worker carried the package, the device recorded the signals from the card used to unlock the door of his apartment building.
To make sure that he wouldn’t get in trouble, he placed a note inside the package in which he explained that the device was part of an experiment, just in case someone found the parcel suspicious and decided to open it. However, the package made it back to him without being opened.
Once he obtained the card information, he reprogrammed an old smart card he had. With it, Dabrowski managed to open 43% of the 110 doors he tried. However, his success rate with Begeh lock was much higher – 93%.
The expert has attempted to indirectly notify the vendor. However, he didn’t get any credit for his work. Instead, he was accused of working for a competitor.
The moral of the story, according to the expert, is that you should always make sure that security system vendors offer ways to upgrade their products and, more importantly, lifetime support.