Proxmark3 community


#1 2018-08-29 19:31:13

patrikpatrik
Contributor
Registered: 2018-08-28
Posts: 3

Cracking Hotel Card

Hej,

I got a Proxmark3 and have been able to crack some cards at home (including the tag to my Yale Doorman) - https://www.youtube.com/watch?v=IsV5ryQsPO0
But the reason I bought the Proxmark was to have a little fun with the hotel cards while traveling. However, I have been completely unsuccessful - I get no keys when I run hf mf chk *1 ? t default_keys.dic or script run mfkeys
The key in the hotel I am staying at tonight is an Assa Abloy Hospitality. Is there some other way I can crack the card, or is the only way to sniff?


On a personal note, I am extremely upset that Assa Abloy has technology that I (a complete beginner) can crack, and they use that technology in consumer locks, while knowing that they have technology that at least a beginner like me cannot crack.

Offline

#2 2018-08-29 20:50:01

jump
Contributor
Registered: 2015-04-29
Posts: 57

Re: Cracking Hotel Card

If I were you I would wait before being upset :)
Last time I looked at an Assa Abloy hotel key card using Mifare Classic, all the memory content was encrypted using AES and they rotate the key every 30 days. IIRC the door locks were synced with OOB signaling (802.15.4 radio or something in that line).

So, sure, you can still clone the card, but as an "attacker" you would first need to get access to the card for a minute or so. At that point, it's much easier and faster to do social engineering at the reception and claim you forgot/lost your key.

I'm much more concerned about hotels using the Vingcard system because it allows you to turn your room card into a pass that opens all the doors. And that's a much more real security threat.
And Vingcard is also part of the Assa Abloy group :)

Offline

#3 2018-09-19 15:07:12

patrikpatrik
Contributor
Registered: 2018-08-28
Posts: 3

Re: Cracking Hotel Card

I am not really interested in having a clone of the card to the hotel, I am only interested in checking if I can clone it, just to have something to do while traveling.

Now I am out traveling again, and have again met a card that gives no keys using hf mf chk *1 ? t default_keys.dic. What can I do in order to clone this card?

Offline

#4 2018-09-21 15:40:19

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: Cracking Hotel Card

Locks very rarely connect to anything. Almost always they are standalone.
The algorithm is very simple. They have a key number in memory, and when you bring a card with a bigger number to it... it saves that number in memory and that's all.
It opens if the number on the card is greater than or equal to the number in memory.
And because all card memory is encrypted with AES, you can only make a copy of the current key. And that's all.

Offline
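
The acceptance rule described in post #4, as an added example that is not part of the original post and not taken from any vendor's code. The class, field names and key numbers are hypothetical, and the AES-encrypted card contents are reduced to the one number the lock compares.

```python
# Added illustration; class and field names are hypothetical, not a vendor API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    label: str    # constructed label for this demo
    number: int   # the "key number" carried inside the encrypted card data


class StandaloneLock:
    """Offline lock that remembers only the highest key number it has seen."""

    def __init__(self, stored_number: int = 0):
        self.stored_number = stored_number

    def present(self, card: Card) -> bool:
        # Opens if the card's number is greater than or equal to the stored one.
        if card.number < self.stored_number:
            return False
        # A bigger number is saved, which retires every older card at this door.
        self.stored_number = card.number
        return True


def run_scenario() -> list:
    """Replay a constructed sequence of card presentations against one lock."""
    lock = StandaloneLock(stored_number=40)
    guest_a = Card("guest A", 41)
    copy_of_a = Card("copy of guest A", 41)  # bit-for-bit copy, same number
    guest_b = Card("guest B", 42)            # issued at the next check-in
    events = []
    for card in (guest_a, copy_of_a, guest_b, copy_of_a, guest_a):
        opened = lock.present(card)
        events.append((card.label, opened, lock.stored_number))
    return events


if __name__ == "__main__":
    for label, opened, stored in run_scenario():
        print(f"{label:16} opened={opened!s:5} lock now stores {stored}")
```

Under this rule a copy of the current card keeps working at that door only until a card with a higher number is presented there, which is the standalone lock's sole revocation mechanism.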

#5 2019-03-02 10:27:34

mike
Member
Registered: 2018-10-11
Posts: 22

Re: Cracking Hotel Card

How can you make the master key? And not a clone, thanks.

Offline

#6 2021-04-09 01:43:23

zeppi
Contributor
Registered: 2021-03-07
Posts: 36

Re: Cracking Hotel Card

mike wrote:

How can you make the master key? And not a clone, thanks.

I would also be interested in that. F-Secure did not give out info on that in their presentation, on purpose.
I know that iceman has a fork that is able to do it; it could be seen in some of the videos. So at least iceman knows how that works.

I guess it has not been merged into the public branches.

Anybody else here who knows how that works?

Offline

#7 2021-10-19 22:03:43

Akerw
Contributor
Registered: 2021-10-12
Posts: 8

Re: Cracking Hotel Card

...apparently not... :( - it would be cool to know.

Offline
