Here at BHIS we are always on the lookout for new toys. Especially if we can use them during a pentest. As a pentester, we all have a complimentary tool set in our jump bags that we have grown accustomed to using. Tools such as the Rubber Ducky, Konboot, Lan Turtle, proxmark3, crowbar (try getting that past TSA), etc are utilized in certain capacities depending on the situation we find ourselves in during a physical assessment. Like a group of little kids when we find something exciting we share it with everyone and of course everyone wants one as well.
I was chatting with Brian Fehrman several mouths back and he was telling me about this new Kickstarter campaign called Keysy by TINYLABS. I immediately went and checked it out and ended up backing the project. Keysy is described as a device that can store, replay and clone RFID key cards and key fobs from one device. I had actually forgot about it until I received them earlier this week. Therefore lets do a quick review blog post about it.
When I signed up to back the project I choose the $40.00 option at the time and by doing so I would receive two devices. The devices came packaged together in one box and each had their own retail like packaging.
Packaging Front and Back
I noticed that on the back of the packaging it states that the device is compatible with most 125kHz RFID. Therefore, this device will work only with Low Frequency RFID cards. High, Ultra High and Microwave Frequency cards operate at higher frequencies.
Here is a breakdown of the types of cards and their frequencies:
- Low Frequency (LF): 120-1355 KHz (HID Prox, EM, Nedap NeXS)
- High Frequency (HF): 13.56MHz (MIFARE Classic, DESfire, HID iCLASS, Legic)
- Ultra High Frequency (UHF): 860-980 MHz (RAIN RFID/EPC Gen 2)
- Microwave: 2.45 GHz + (Nedap TRANSIT)
Included in each package was the Keysy device along with instructions, a note and a rewritable RFID fob.
Contents of Keysy Package
The note reads:
“Due to inconsistencies between different RFID readers as well as the small geometry of the Keysy antenna it is not possible for Keysy tag emulation to work with every reader. Keysy tag emulation as been tested and works well with the majority of commercial readers. In the cases where Keysy emulation doesn’t work, Keysy and the included rewritable RFID tag can still be used to make a duplicate copy of the original tag. Please see instructions for additional information on cloning tags.”
I followed the instructions by first trying to read an iCLASS card into Keysy. As I had expected the card was not able to be read by Keysy. This is because iCLASS cards operate at a frequency outside of Keysy’s intended use.
iCLASS Card Read Failure
I then grabbed my local recreation center card, which is a HID Prox card and attempted to read that with the Keysy device.
HID Prox Card Successful Read
The card was read successfully with the indication of the green light. The instructions also stated that to confirm you got a successful capture you can push the button on the remote and a the green LED should turn on. I did as instructed and got the green LED.
The following are observations that I found during reading the card with the Keysy device:
- To copy an RFID card into the device you have to have Keysy in very close proximity to the card. I tested to see how far Keysy could be away from the card to get a successful read. By my observations I had to hold Keysy within an inch of the card to get a successful read.
- It takes about 17 to 20 seconds to read the RFID card.
I also successfully wrote the captured data to the included RFID fob. The instructions said to hold Keysy against the fob and press the button that I programmed the card into 5 times sequentially. The clone was found to be successful by observing the Keysy LED flash three times
Keysy Write to Key Fob Successful
Now it was time to try it out at my local recreation center. First, I attempted to use the Keysy to replay the RFID card and found that it was successful. I had to play with it a little to point it in the sweet spot of the reader. I found that it worked best if you held it at a slight angle as shown below.
Keysy Angle to Reader
I then utilized the cloned key fob and found that it worked just as a regular card would.
I could definitely see this being utilized during a pentest to capture or clone a card but due to how close you must be and the time it takes to read the card it might not fit every situation as other devices might.
Evaluating this device from a blue team prospective I can see issues with individuals being able to clone or make copies of their cards. I have listed them below:
- Someone clones the card for a friend and also is able to make a copy for themselves.
- Someone clones their own card(s) and loses one of them or the original without informing the security staff.
- Someone with access to your Keysy can make a copy if they have a writable card or fob.
From my testing I found Keysy to be a very cool device for what it is intended for. It seems to be solid and works as advertised. I could see myself using this if I had several RFID cards that were compatible. In fact, I will probably just utilize my RFID fob for access to my recreation center since I can just put it on my keyring.
I think that it might be preemptive for the personnel in charge of low frequency building access controls to start educating employees and creating policies and procedures around duplication or RFID cards or utilization of devices like Keysy.