Practical Attacks on a Prox Card

`Proximity cards' are commonly used as high-tech replacements for magstripe cards or metal keys: you hold the card within a few inches of the reader, and the door clicks open. They are interesting because they are routinely used to control access to property or services. These cards contain electronic circuitry that authenticates them to the reader using a radio link.

Many such systems are designed with no security at all. This means that the only barrier to entry is the complexity of the protocol spoken over the air. Commercial prox cards use full-custom ICs that represent millions of dollars in development costs. I will describe the protocol used by the Motorola Flexpass cards, and then I will explain how to build a device capable of `cloning' such a card for under a hundred dollars. This is the same idea as taking a wax impression of a key, but you can do it over a distance of inches or feet, without removing the card from its owner's wallet.

Techniques to fix this are obvious and will only be mentioned briefly. A proximity card is really just a particular type of passive RFID tag. applications of these attacks to other kinds of RFID tags will also be discussed. Some knowledge of communications theory would be useful but is not required.


Jonathan Westhues is an undergraduate student in electrical engineering at the University of Waterloo. He has experience in a number of fields relating to wireless communications, embedded software, and electronic design.