Citywide RFID Master House Key? Already Broken
- By John Borland
- 2:29 PM
(Updated by Endah)
HAMBURG – In the bad old days, city apartment buildings often allowed entry to postal or emergency workers with a single master key, which was easily copied or sold on the black market.
Many buildings are today switching to RFID-based key cards, citing an advance in security. Yet this claim is certainly suspect. Speaking at the Chaos Communication Congress (CCC) here, security researcher Adrian Dabrowski said a reverse-engineering project had let him open more than 90 percent of the electronically locked apartment doors in his home city of Vienna.
The CCC picks locks of all kinds — digital, physical, or Lego.
“When the key system was installed in my building, I was like: challenge accepted,” he told conference attendees Sunday. “Customers should not expect any significantly higher security from the new system than with the old system.”
The use of RFID cards for master building locks is a particularly sensitive topic, as residents themselves generally lack access to the keys themselves, and are dependent on house managers to create a safe environment.
Yet some entry system is needed for services such as garbage pickup, postal delivery and emergency personnel. Many of Vienna’s property developers have thus elected to use locks produced by a company called Begeh Schließsysteme, which as of last year had been installed at more than 9,000 sites across the city.
The manufacturer advertises its key card as being uncloneable, and touts features such as the ability to blacklist stolen or revoked cards.
Needing a unit to test, Dabrowski managed to persuade a wholesaler to sell him a Begeh lock system by pretending to be from an approved distributor. In tandem, he bought an inexpensive RFID reader, and built a card simulator device himself.
With this in place, he needed cards – or at least their output – to test. For this purpose, he bought a mid-range RFID reader able to scan nearby cards, attaching a small external memory and battery to it. He then sent this to himself in a small parcel, which while in transit recorded all nearby RFID signals, including those associated with the postal-service key unlocking his own building’s door.
“I thought that if someone opened it or found it, they’d think it was a terrorist or something. So I put a small note in the parcel saying it was an experiment, with my phone number,” he said. “But nobody did.”
Armed with that key-card information, he was able to construct a simulation of a master card that worked with his test unit. He found the hardware standards to be similar to a leftover ski-area smart card he had on hand, and reprogrammed this to simulate a Begeh apartment-lock key.
This wasn’t a perfect solution – it only opened 43 percent of the 110 apartment doors he subsequently tried. But 93 percent of the Begeh-locked doors tested proved vulnerable to his card emulator device, which he said he had constructed from materials costing less than €20 overall.
Conclusion? This master door lock, at least, was no safer than the old mechanical keys. Worse, he said, there was no way to update the new lock systems once the security had been broken.
Dabrowski said he had indirectly notified the company responsible for the locks (which accused him of working for a competitor). But he said the most important lesson was that future customers should ask questions before investing in a long-term security device.
“Whenever you have a security solution, you are in kind of an arms race with the dark side of the world, so you need some kind of update path,” he said. “People who buy this system should be aware – they should ask about the support lifetime, and about ways to upgrade, because no security system lasts forever.”