this post was submitted on 13 Aug 2023
61 points (87.7% liked)

No Stupid Questions

35931 readers
933 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.



Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 1 year ago
MODERATORS
 

The company I work in switched to a new building, and we have those stupid doors with RFID cards on them. I'd be damned if I'm going walk with that I'm-working-in-hightech-company-card dangling of my belt. I wonder if there is a way for me to use my phone for credentials. I tried searching for it, and all I could find is ways for me to use the phone in order to copy the info from one card to another.

So is it somehow possible?

all 32 comments
sorted by: hot top controversial new old
[–] [email protected] 36 points 1 year ago

Nfc in your phone is not RFID.

What one pen tester did was plant a RFID chip in his hand so when he clones a card he can use his hand instead of the card. He walks around the building with a regular card on display buy his hand has a security guard code allowing him access anywhere on a job site.

"Summer hacker camp" is on at the moment in Las Vegas ( Defcon and blackhat), you can keep an those conferences for any emerging tools for this kind of thing.

[–] [email protected] 28 points 1 year ago (1 children)

If no one is making you wear the card on a lanyard then don't. Pockets exist. I used to just keep mine in my wallet and tap that.

[–] [email protected] 10 points 1 year ago* (last edited 1 year ago)

Mine was on a card, but most of the card was just extra material with the company logo. I cut only the part that it needs and made it into a dongle on my keys.

Probably won't recommend it if you aren't friendly with IT like I am who ok'd it.

[–] [email protected] 19 points 1 year ago (1 children)

I've looked into this before, and it really depends on the type of RFID they use. Older versions have been cracked, but newer ones can't be copied over (easily or at all).

If your company is serious about security, you will not be able to put the content of the card on your phone. What newer, more secure versions of RFID do is receive a code from the reader system, replies to it internally, and then sends back the answer. Even if you try to copy this over, you will not be able to open the doors of your facility.

I think the first step should be to use one of these apps that can read RFID and see what protocol your card uses. If it's an unsecure one (i.e., only pushes out a code and checks it in their database that it's yours), you could probably try to copy it over. However, if it's not, you could also just dissolve the card with some acetone and place the resulting wires in your phone's case, near the bottom. Like that, it shouldn't interfere with your phone's NFC, as that one is usually next to the top area of your phone.

[–] [email protected] 5 points 1 year ago (1 children)

I'll reply here also to @[email protected] - the building security is a joke. The company rents some offices in these share-space buildings. And there is no real security beyond that (OK, fine, also some cameras). I suspect that they use this system just to keep costumers happy, feeling like there is some security system in place. I'll try the RFID ring and see if it works.

But my "real" question here is how come I didn't find any app/instruction for making my phone itself an RFID keycard. As I type this I realize that this might be due to needing a specific frequency that the phone cannot produce(?)

That's the technology they use: https://nfc-tools.github.io/resources/standards/iso14443A/

[–] jscummy 3 points 1 year ago

My company sells systems like this. It depends on the system manufacturer and reader type. Bluetooth/mobile credentials might be available. I've never seen a system use a phone as RFID, but they do operate on the same frequency

[–] [email protected] 14 points 1 year ago (2 children)

Most of the companies have a policy that requires you to wear the card visible to others. That it has rfid is just a bonus to get trough doors without hiring a guard to let personel in.

Believe me, it's not so bad when they allow you to wear it from your belt. (You can even put it in your pocket and give a feeble excuse when they ask you about it) At the company I'm at, I run the risk of getting shot for not wearing the badge. That makes me a tad less rebelous. (But I still refuse to wear the badge around my neck)

[–] [email protected] 6 points 1 year ago (1 children)

risk of getting shot for not wearing the badge.

How many of these badges are you wearing around your whole body?

[–] [email protected] 2 points 1 year ago (1 children)

Just one. The defense business is a tad strict on security.

[–] [email protected] 3 points 1 year ago

Hmmmm.... So when they see you from behind, and they cannot see your badge from behind, then what are they going to do from behind?

;-)

[–] [email protected] 1 points 1 year ago

It's a shared office space, so I'm not really concerend about security. And they didn't say anything about the card, just gave it to me. I discovered yesterday that one of the door is not even locked. As I said in another post, I think that the door thing is mostly for show and not for actual security.

About why not putting it on the belt, well, it's not about (dis)comfort as much as refusing to make my job a part of what defines me. And this tag is related to the job.

[–] [email protected] 10 points 1 year ago

Even if you can pull this off, it seems like a quick way to get fired or worse. You might consider whether there's an alternative means of affixing your badge that's less distracting/frustrating

[–] Mosfar 10 points 1 year ago (1 children)

If you use a case for your phone, just put the card between the case and the phone

[–] [email protected] 2 points 1 year ago (1 children)

Wouldn't that interfere with payment apps?

[–] [email protected] 5 points 1 year ago

Yes it does at least for the system my building uses

[–] [email protected] 9 points 1 year ago (1 children)

If it's company policy for you to have and display your card, yet you also want the RFID to work from your phone...

Maybe you could just get a clear phone case and slip your card inside the case behind the phone.

Just a thought, not sure what your supervisors or security would think about that though. 🤷‍♂️

[–] [email protected] 1 points 1 year ago

I think I should give more information about how security works in Israel. Unless you work in a really classified work (I mean NSA level of classified) noone is going to give a fuck about what you do (until something bad happens and then they'll come down on you). I'm not really concerned about that. I talked to my boss about it and he told me "hmm... it's worth trying".

[–] [email protected] 9 points 1 year ago

I am working on this for one of my customers. RFID, BLE and NFC are different technologies. If the company has a compatible reader, then they can purchase credentials for your smart phone. HID ands Schlage are the 2 large players in the market. There are other manufacturers, and some systems are already Bluetooth (BLE) only.

Some RFID cards can be cloned, but not all. Some readers push data to the cards, which are then pushed from the card to other readers.

[–] [email protected] 7 points 1 year ago (1 children)

Just put the card in your wallet and scan it like a metro pass card.

[–] [email protected] 5 points 1 year ago

You may be able to get your RFID in a different format. I asked for a keychain thing that's not much bigger than a watch battery that are on my car keys. Most people do just put it in their wallet though.

[–] CryptoKitten 4 points 1 year ago (2 children)

There may be phones that allow you to do this and there are also smart rings you may be able to use by cloning the card with a proxmark 3, a flipper 0 or other similar devices.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

I see that my phone should support encoding NFC tags. I'll order a cheep ring and see if it works. Thanks.

I'm still curious though, why cannot phones produce that signals on their own? Isn't this what they do with payment apps?

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

NFC ≠ RFID

Payment apps are NFC

[–] [email protected] -3 points 1 year ago (1 children)

True... I confused the term, but this makes my question even more relevant. Since I have to put the card on the reader, I guess that it is an NFC card, rather than RFID. Which means that I should be able to duplicate the signal with my phone. I think.

[–] [email protected] 0 points 1 year ago (1 children)

Then again, what protocol does it use ? MiFare Classic then yes easy to duplicate.

Other MiFares? It will be harder/impossible.

[–] [email protected] 1 points 1 year ago (1 children)

I scanned the card using an app "NFC tools" It sais that it is manufactured by NXP and the protocol is MiFares 1k. Guess this hould work.

[–] [email protected] 1 points 1 year ago (1 children)

It's doable. Read thoroughly and you'll be good to go

[–] [email protected] 1 points 1 year ago (1 children)

Do you have a starting place? All I've found is instructions for copying NFC tags.

[–] [email protected] 1 points 1 year ago

My phone with NFC died a year ago so... Take what I say with a pinch of salt.

If I remember correctly you can use NFC tools pro to emulate a NFC tag. It doesn't always work. I think it's in the write section then emulate.

There are however hardware limitations on emulation because of sector 0. Maybe try to copy your NFC card to a blank NFC tag (get it cheap on eBay) then if it succeeds go toward emulation.

[–] jscummy 1 points 1 year ago

Certain systems have clone card detection these days so you might run into issues

[–] [email protected] 3 points 1 year ago

My work uses mifare cards if I recall it correctly. Using a simple nfc emulator app on a rooted phone, I could just clone the card instantly and use my phone to enter anywhere the card could.

This had obvious big security repercussions. Someone with bad intentions could just walk past you and copy the card. So they added personalized pin codes to all cards, every poor sod in the company now has to touch their badge + give in a pincode for you pretty much all doors. They are currently in the progress of renewing the entire security system to upgrade the security of the cards. (at great cost :))

So depending on the type of card used, it might be possible. I've tried it with many different security cards, it only worked with the one from my company. So it really depends on the type of card used.

https://play.google.com/store/apps/details?id=com.wakdev.wdnfc

I think it was this app, but I'm not 100% positive. Haven't rooted my new phone due to other security reasons, so I haven't tinkered with it lately.