Unlocking NFC deadbolts with Androids
At Shmoocon this last year, there was a vendor who caught my eye with the Samsung SHS-3121 Digital Keypad Keyless Deadbolt “EZon” Lock. They endorsed the lock for the unique digital keypad, which randomly displays two extra digits that must entered before pressing the actual unlock code. A fairly nice way to ensure extra smudge prints on the keypad and even wearing. What got my attention though was the NFC cards which could also be used to unlock the deadbolt. At Shmoocon, I scanned the sample card with my Galaxy Nexusand realized it was a Mifare Classic card… with no protected sectors or data on it (not that it would have mattered too much since the Mifare Classic encryptioncan be fairly easily broken at this point). We ordered one for the office to play with even though there were some warnings that the RFID side of things might not have the best security.
I don’t want to turn this into a full product review (or video overview), but I’ll just focus on the NFC side of things. The lock ships with 5 branded “Access Cards” which are Mifare Classics. The lock only appears to be checking the 4 byte UIDof the card and if the UID has been previously registered with the lock, it allows access. The UID is like a unique serial number for each card and should be impossible to change after the card is manufactured. None of the cards that are shipped with the lock are pre-registered, thus they must be manually added for access.
One thought of attack would be to similar to the HID card enumeration attacks (where if you know the ID from one card, it makes it pretty easy to find other values). Scanning the cards that were sent with the lock, the UIDs are not within close numerical range although some parts a similar (the UIDs were: 3e8700b1, be37feb0, eed2ffb0, fe2701b1, and… oops, I lost the last card). Additionally, the lock ships with brute-force detection enabled, which is refereed to as “prank” detection in the manual. Scan five invalid NFC cards in a row, the lock sounds an alarm and requires an administrator to unlock the device (or the door to be unlocked form the inside). Thumbs up for shipping with brute-force protection turned on by default. Unfortunately, we also noticed there’s a reset button hidden on the outside of the lock, so bring a paper clip and reset it after four attempts to avoid triggering the brute-force alarm and time-out.
That said, brute-forcing UIDs right now is a bit complicated. We haven’t seen a way to do this directly on a mobile device yet. A great whitepaper (PDF) on the current state of things was done by Michael Roland a few months ago. So while we can’t do this directly on our devices yet, we were able to purchase a knock-off “Mifare Classic” card from a contact in China which allows us to set the UID on a physical card using a non-standard command. At EUSecWest 2012, Max and I demonstrated using a Nexus S to read the UID off someone’s access card, then program onto this KIRF card in order to unlock the EZon.
So if you use one of these locks, you might want to keep your card in a shieldwhen it’s not needed. However, you could also enroll your mobile phone to be your access key. This would then allow you to control when your card is active and when it is not. If you have an Android device that supports Google Wallet, you’re all set. The trick is to have Google Wallet installed with at least one “Loyalty Card” setup in the wallet, then make sure the card is enabled. Doing this enables NFC card emulation on your device which will present a UID to the EZon when it is within range. This type of card emulation is different from your payment information (so you don’t have to worry about the lock charging your bank account each time you unlock it). You can then enroll your phone just like a physical access card to the EZon and use your phone to unlock the device. The added benefit is that when your phone’s screen is turned off, card emulation is off as well which makes things a lot harder to tap and then clone.
Published date:  22 September 2012
Written by:  benn