Hacking RFID Access Door. Personal Diary #Non-Technical.

I stopped blogging when I realized that the articles I put up here could be turned into papers and I could use them to speak at conferences [#travel-the-world #meet-people]. As a result, the frequency of my blogging came down. Anyway, this is a real incident that happened to me yesterday; not much technical content, but a good read if you're interested in physical security devices.

I was trapped between two RFID doors for 5 long hours without my access cards yesterday, and I finally broke out. There was one CCTV camera recording the events, so I thought of blogging about how I dealt with the situation. I waited a day to get approval from the owner of the building to blog this, and also requested the CCTV videos, but due to some security issues I was not granted the video logs. I have also censored|manipulated the portions referring to where this took place, and the images added are not from the real, exact scene but definitely portray the vulnerable product. A video would have been better, but I am not in a position to make one. Any references to the actual scene|location would be fictional.
I thank the authorities for letting me blog about this, as well as for the images.


Note On RFID Access Doors.

These are the sort of doors used in offices for keyless building access: basically doors that only open if you show your access card. This blog is about one way I found to open them without the cards.

The Background:

The building I was stuck in had RFID-controlled doors, and individuals had their own RFID cards, which for my convenience I used to keep in my wallet. Since my wallet is the one thing I carry along everywhere, I would not forget my cards. Last day someone forgot to bring his card and I had to give him mine.

I am the last one to leave that building every day; there is always one thing or another I am occupied with. So when the guy was about to leave, he came to return the access card. Since I was working on something, I asked him to keep the card on my table.

Once I was done with the work, I got up and rushed to the washroom. All the doors could be opened without a card from inside by pressing a button, except the front door, where you need to swipe your card even to get out. So once I reached that door, I showed my wallet [which normally contains the card] to the sensor|machine. Araggg, it didn't work. After a couple more tries I realized that I had left my card inside.

The Situation:

a) I am screwed and stuck in a room like a jackass.
b) My phone, access card, everything is in my cabin.
c) The next day is a public holiday, so even if I stay back in that room, I won't get help the next day.
d) I can scream like a girl and call out for help, but I don't think anyone would be able to hear me. Even if someone does and comes forward, I don't remember any of my colleagues' phone numbers. The only phone numbers I know are mine and my dad's.

How RFID Doors Work.

The most basic electronic lock is a magnetic lock (commonly called a mag lock). A large electromagnet is mounted on the door frame and a corresponding armature is mounted on the door. When the magnet is powered and the door is closed, the armature is held fast to the magnet. So basically an electromagnet, fed by a power source, is holding the doors closed.

Note: The thicker one is the Electro Magnet.

Failed Attempt 1: Brute force Attempts

The doors were running ESSL devices; I worked with ESSL fingerprint doors a long time back:
Penetration Testing Biometric System: Part 1 Local Attacks - Blogs - Garage4hackers Forum
Penetration Testing Biometric System: Part II: Remote Attacks - Blogs - Garage4hackers Forum

There is a card-less override on these machines: you can set a username and password on these systems, and even if you don't have a card you would be able to log in with those credentials and the door would open.

But to set those credentials you need a card, which obviously I didn't have. I tried to log in with a few default user ID and password combinations, but it didn't work since there were no accounts pre-set on it.

Failed Attempt 2: Trying to Kill the Power Source.

Since it's an electromagnet that is holding the doors together, and the electromagnet is powered from the main electric power source, if I could somehow shut down the main power then the doors would open.

How can I shut down the power?
Short circuit: all new buildings are equipped with a circuit breaker [trip].

A circuit breaker is an automatically operated electrical switch designed to protect an electrical circuit from damage caused by overload or short circuit. So if we short circuit somewhere, the power source would get tripped and that might release the doors.

There was a power socket in that room, and all I needed to do was find a needle or iron piece to put into the power socket and the power would be gone.
a) The best place to look for a conducting metal is those flower vases; we had those decorative artificial flowers that have a metal rod.

Anyway, I worked out this plan. "Duup", the power went, but the doors were still locked.

Seems like the backup UPS|inverter came into play and now the doors were powered by the UPS. Even though it didn't work it was a relief, since once the UPS drained out I might be able to leave the room [probably by next day noon].

Failed Attempt 3: Trying to open the RFID sensor and sending wrong signals.

What I assumed was that:

RFID reader general working:

         [Reads data]                           [Sends command to magnet to release doors]
Sensor ----------------> Decision-making unit ------------------------------->

    [Sensor] reads input card:
    if valid card [check with database]:
        send signal to electromagnetic circuit to unlock door
    else if invalid card:
        alert invalid user

So if I could open the sensor, manipulate it and send wrong signals, I might be able to open the doors.

There were a couple of small keys lying around the reception table; I used them as my screwdrivers and opened the RFID sensor at the exit. With a lot of effort I was able to unscrew the sensor cover. The sensor had some instructions on what the individual wires did: the red wire was the DC source, white and green were marked D1 and D0, black was [Ground], etc. But the sensor I opened was just the data-reading part, not the decision-making unit, which means there was no use tampering with it. Still, I tried different things with those wires out of desperation.

Attempt 4: The W00t Woot

Remember the switch I mentioned, the one that lets you open the doors from inside without a card? That switch is connected to the electromagnetic circuit that's holding the doors. What it does is simply cut the power to the electromagnet when it's pressed. So there has to be a place on the circuit board where these wires connect, and placing a conductor on, or completing, that particular portion of the circuit board [electromagnetic circuit] would be equal to pressing the switch from the other side.

So for opening highly secured RFID doors you don't need:
a) Any of the stuff I tried above.
b) To clone or fake other RFID cards.
c) Man-in-the-middle or heavy cracking attempts.
d) Brain teasers.

Instead, all you need to open any RFID door is a simple safety pin or any long conducting material. "Surprised"!! Yeah, you heard me!!

Most of the devices out there are installed with the electromagnet facing the user side. All ESSL products have two tiny holes [don't know why], and almost all other RFID electromagnetic holders have an LED sticking out.

Note: You can see the Holes right after the screw holding the Device to the walls.

Simply push the LED inside to open a way into the circuit, or in my case use those two holes. Use the safety pin or a small, thick piece of wire and keep touching the circuit board till you touch the right junction on the board where the switch circuit completes. It needs some dedicated effort [it took some time for me]. Once you touch the right spot, the switch circuit closes and "TaDa", the doors magically open for you.

Or the easy and destructive 1 minute job is: make a small hook using a small piece of wire or anything, insert it into any of the holes, and pull out the red wire [actually any wire would work]. This would permanently shut down the electromagnet and the doors would remain permanently open. Now you can notice that the red light is off and the door can be opened.

Security Give Away:

Note for pentesters|consultants: if you ever have to audit the physical security of a building or an electric door, note that if you find the electromagnet exposed to the unauthenticated user side, that would be a security failure. I did take a look around other electric doors in offices in an IT park today, and the majority of them had the "magnets exposed" on the wrong side.

