ATLSECCON 2026 has ended
Thursday April 9, 2026 4:00pm - 4:45pm ADT
Today, many businesses, government facilities and hotels use RFID/NFC access cards based on outdated, password-protected, and in some cases company-specific security algorithms. A recent drive-by of some NS Power and NS Health facilities revealed the continued use of Low Frequency (LF) HID card readers. Older security access systems open the door to exploitation.
Additionally, the legacy Crypto-1 algorithm for the NXP Mifare Classic 1K NFC cards was hacked back in 2008/2009. Researchers (Wouters & Carroll) pointed out to Las Vegas hotels the vulnerabilities, discovered in 2022, in the Mifare Classic-based hotel room keys and associated card readers by Saflok/Dormakaba. The details were not revealed to the public until two years later, in 2024, at the annual hackers’ convention in Las Vegas known as DEFCON 32, while further details were released at DEFCON 33 in 2025. Although international hotel personnel were advised of these vulnerabilities in 2022, a portion of the industry has been somewhat slow to roll out the appropriate patches and lock upgrades. The researchers estimated that 13,000 properties in 131 countries, with over 3 million hotel room locks globally, require patches/upgrades. Not surprisingly, Mifare Classic and Mifare Ultralight EV1 readers/cards continue to be used today by many hotels, pending updates.
Hackers, hobbyists, and penetration testers have access to a variety of low-cost devices, including the Flipper Zero, Proxmark3, Chameleon Ultra, X7 XIXEI, and ACR122 that can be used to copy, clone, and emulate RFID/NFC cards including HID H10301 and Mifare Classic cards.
There are over 30 hotels with a total of over 4,500 guest rooms in the HRM and surrounding area, adding up to over an estimated 900,000 new hotel RFID/NFC cards used per year. The presentation will include short video clips of Ken opening hotel room doors in BC, Alberta and New Brunswick over the past year using the Flipper Zero.
Highlights:
- Basics of Radio Frequency Identification (RFID)/Near Field Communication (NFC)
- Comparison of Low Frequency (LF) versus High Frequency (HF) readers/cards
- Intro to HID H10301 Wiegand protocol LF RFID cards
- Man-in-the-middle attack on HID readers using ESP8266 “RFID-Tool” Access Point
- Intro to NXP Mifare Classic, NTAG, Ultralight EV1 and Ultralight C cards
- Discuss the capabilities of the Flipper Zero (FZ) and Proxmark 3 (PM3)
- Briefly highlight external FZ modules used for Wi-Fi De-Auth and BadUSB
- FZ examples using either LF T5577 or HF Mifare Classic “Magic” rewriteable cards
- FZ example emulating hotel room password-based Mifare Ultralight EV1 card
- FZ example of hotel Saflok Mifare Classic Level 12 / Grand Master Key FOB
- Video examples of Ken entering hotel rooms in BC, Alberta, and NB using FZ

Those attending are encouraged to bring along their own FZ, PM3, Chameleon Ultra or just a cellphone with the NFC Taginfo App and/or the NFC Tools App installed.
Speakers
Ken Johnston

President, KTEQ GEOSPACE
RFID Security, Flipper Zero, Proxmark 3
GPS RFI, Jamming and Spoofing
501/502