Cloning Hotel Keycards with Android

By m5kro, published in CyberScribers, Nov 18, 2022

Most hotels use NFC keycards. NFC stands for near-field communication, and it is used in a wide variety of products, from tags to keycards. Most smartphones today have NFC built in. Today we will go over how to clone a common hotel NFC keycard with an Android phone.

Equipment:

Android phone — Should have NFC capability and be able to read MIFARE Classic cards; a list of known incompatible phones is here

Hotel room keycard — Hopefully a MIFARE Classic card

MIFARE Classic 1K or 4K card — We will be writing the copied data here

Optional: external NFC reader

Software:

MIFARE Classic Tool — Used to read and write cards

Optional: Kali NetHunter for an external NFC reader

Taking Data from the Hotel Keycard

In this demonstration, I will be using a Nexus 5X running Kali NetHunter. We’ll start by extracting the data we need from the key we want to clone. In the MIFARE Classic Tool app, select the Read Tag option.

[Image: MIFARE Classic home screen]

In the Read menu, select only std.keys, the app's key file of common default keys. Once std.keys is selected, press the Start Mapping And Read Tag button.

[Image: Read menu]

If it works, you’ll see a page of hexadecimal data (numbers and letters). This is the data stored on the card. You may have to try multiple times to get a good read, depending on your phone. If you are unable to read anything, try the extended keys option.

Once you have completed the steps above, you should have the data needed to unlock the door.

Creating the Clone

Take the blank MIFARE Classic card and place it near your phone. In the app, select the write option. In the menu, select the Write Dump (clone) option, then select the dump you got from the previous step. A popup will ask which sectors to copy. Typically only the first sector is needed, but occasionally hotels will write to multiple sectors.

[Image: Write menu]

Once you have selected the sectors, a menu similar to the read menu will show up. Once again, select std.keys or the extended version. The writing process may take multiple tries.

[Image: Sector selector]

Once the writing process is finished, you can try the cloned keycard on the lock. If everything went well, the lock will open. If it doesn’t, something went wrong during the reading or writing process.

[Image: Key screen for writing]

mfcuk and mfoc

If std.keys and the extended version don’t work, use these tools. mfcuk and mfoc both require Linux and an external NFC reader. To use them on an Android phone, Kali NetHunter and a custom kernel are required.

I will not go over these tools in this article, but you can find information on mfcuk here and mfoc here.

Conclusion

NFC keycards are a great security tool. However, a prepared attacker can quickly defeat their security if the cards are set up incorrectly. MIFARE Classic cards are especially vulnerable, as they have been extensively researched and are commonly used. The best mitigations against the attacks described above are to change the default keys on the card and to prevent the original card from being read.
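The first mitigation can be checked from the issuer's side. The following Python script is an added example, not code from the original article or from MIFARE Classic Tool: it audits a saved card dump and reports every sector trailer that still uses a publicly documented default key. The `+Sector: N` dump layout, the short key list, and the sample dump are assumptions constructed for illustration.

```python
import re

# Assumption: short illustrative list of publicly documented default keys,
# not a copy of the app's std.keys file.
DEFAULT_KEYS = {
    "FFFFFFFFFFFF": "factory transport key",
    "A0A1A2A3A4A5": "MAD key",
    "D3F7D3F7D3F7": "NFC Forum NDEF key",
}

# Constructed sample dump (assumed "+Sector: N" layout, "-" = unread byte).
# Last block of a sector is the trailer: key A | 4 access bytes | key B.
SAMPLE_DUMP = """\
+Sector: 0
01020304050607080910111213141516
00000000000000000000000000000000
00000000000000000000000000000000
FFFFFFFFFFFFFF078069FFFFFFFFFFFF
+Sector: 1
11223344556677889900AABBCCDDEEFF
00000000000000000000000000000000
00000000000000000000000000000000
A0A1A2A3A4A57877880012345678ABCD
+Sector: 2
--------------------------------
--------------------------------
--------------------------------
--------------------------------
"""

def audit_dump(text):
    """Return (sector, key slot, key, label) for each default key in a trailer."""
    findings, sectors, blocks = [], {}, None
    for line in text.splitlines():
        line = line.strip().upper()
        header = re.fullmatch(r"\+SECTOR:\s*(\d+)", line)
        if header:
            blocks = sectors.setdefault(int(header.group(1)), [])
        elif blocks is not None and re.fullmatch(r"[0-9A-F-]{32}", line):
            blocks.append(line)
    for sector, blocks in sorted(sectors.items()):
        trailer = blocks[-1] if blocks else ""
        for slot, key in (("A", trailer[:12]), ("B", trailer[20:])):
            if key in DEFAULT_KEYS:
                findings.append((sector, slot, key, DEFAULT_KEYS[key]))
    return findings

if __name__ == "__main__":
    print(*audit_dump(SAMPLE_DUMP), sep="\n")
```

Any finding means that sector can be read with keys every reader tool already carries, so an issuer would want an empty result for cards in circulation.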

Happy Hacking~!
