Beginner's Guide to HID iClass Cloning with the Flipper Zero

Our StandardUser team is excited to share new processes we're learning. Thanks to Sebastian Bowman, Security Engineer, for this guide.

As technology continues to be integrated into every grain of our lives, the use of radio-frequency identification (RFID) access cards becomes more prevalent in every industry. Ranging from government to warehouse work, there is a solid chance that you will be given a RFID access card to access buildings and secure areas. However, as advancements in technology continue to enhance the security of RFID access systems, the development of cloning technology also persists. It has become imperative for individuals and organizations to learn about cloning RFID access cards, and the technology's potential malicious uses, in order to protect themselves and their place of work.

Brute Force an HID iClass SE reader

The original goal of this project is to successfully brute force a door that utilizes NFC cards to authenticate. Specifically, an HID iClass SE reader that utilizes HID iCLass DP cards. In the process of figuring out how to brute force, we have learned a great amount about how to clone said iClass DP cards, so we decided to make a writeup for anyone else interested in doing so. To start, through simple fuzzing, reading the frequency, and/or research online, you can learn that the cards transfer the “Key” at a frequency of 13.56Mhz.

Picopass

With this information above, we can conclude that the reader is most likely designed to interact with cards that use the “Picopass protocol.” Picopass is a type of contactless smart card technology used for secure identification and authentication purposes. It was developed by a French company named Inside Secure and communicates using ISO 14443B and ISO 15693 protocols. Picopass operates at a frequency of 13.56 MHz and is the standard for high-frequency (HF) RFID systems.

RFID vs NFC

To clear confusion, NFC is best described as a subset of RFID. The difference is the size of the wavelengths in which data is sent, just some basic chemistry. The higher frequency correlates to less distance the wavelength can travel. The lower the frequency, the longer distance the wavelength can travel.

Frequency with regards to tech equals the amount of data you can transmit. Therefore, with NFC you can send more data; however, you must be close to the card reader for it to work, while RFID can be set up to work from 100+ meters but with less security. Since people can send more data over NFC, we can implement more security layers; in our case, these cards add encryption.

Each “|” represents a data stream being transmitted

Flipper Zero

The Flipper Zero comes with many different applications capable of reading and writing NFC or RFID. The default firmware for the Flipper Zero comes with an application that is capable of reading and writing cards that communicate on the 13.56MHz frequency -- this application is called Picopass Reader. This application is designed to work with multiple card types, but it is limited to writing only and it cannot currently emulate different saved cards.

Cloning

To make a clone of this card, you simply need another HID iClass DP card, which can be purchased online. Due to the embedded “Pico Pass” chip in contactless cards, you need to write your data to another one of these same chips. You also need the PicoPass reader tool installed on your Flipper Zero. This can be done by flashing your Flipper Zero with the most recent version of the Flipper Zero firmware. Alternatively, you can flash a 3rd party firmware called ‘Rogue Master’. Once you have all of these components:

1. Start up your Flipper Zero, and take out the card you would like to copy

2. Hit the down arrow >> Scroll right or left until you are in the “Apps” directory

3. In the apps directory, select “Tools”

4. Scroll through tools and look for the “PicoPass Reader” and select it >> Select “Run In App”

5. Next hit “read card” and put your card to the back of your Flipper Zero

a. Put card to the black of the flipper

b. After reading the card you should receive a screen like this:

c. Card Serial Number (CSN): unique identification number

d. Frequency Code (FC): 24. = This means the card is operating at 13.56 MHz.

e. Card Number (CN): <integer> = unique card number given to the card by the manufacturer, can also be used

f. And the last line that starts with “04” is the Unique IDentifier (UID)

6. Click the right arrow for “More” >> Select “Save” >> Name your card

7. Click the back button on the Flipper Zero, and it will take you back to the first screen that popped up when you opened Pico Pass Reader

8. Select “Saved” >> select the name of the file you just created >> Take out the card you would like to clone to

9. Simply scroll down and select write and hold up the new card to the back of the Flipper Zero

a.

b.

c. Put new card to the back of the flipper just like in step 5

10. To confirm the card was cloned, you can go back and follow steps 4-5 and see if the new card matches the screen of the previous card.

You are done!

Mitigation

In order to clone a card, you must be within close proximity. The Flipper Zero can clone through a wallet or while the card is in your pocket.

Wallet example:

Through pants inside a wallet:

To best way to mitigate this and protect your own personal data is to have an RFID shield in and/or around your wallet. You can purchase a wallet with RFID protection and/or install it yourself. This will protect your card from being read by malicious actors.

With RFID shield:

Wallet that comes with RFID protection:

The Rabbit Hole

There is a LOT more that goes into how these cards function, there is plenty of research and resources dissecting the function of these cards. We also believe that these cards can be cloned with a HID iClass standard implantable chip with personalization mode enabled. However these chips can be quite expensive, where you could buy a single iClass DP card online for much cheaper. We have not tested if it works with either said implantable chip.

Below is a list of resources that we have used to figure out cloning and are also currently using to finish the brute forcing of an RFID door lock.

Exposed secret key of HID iClass Cards

https://get.meriac.com/docs/HID-iCLASS-security.pdf

More cloning stuff

http://www.proxmark.org/files/proxclone.com/iClass_Cloner.pdf

HID iClass standard implantable chip forum

https://forum.dangerousthings.com/t/cloning-hid-iclass-dp/12398

Wealth of info about how iClass cards work

https://swende.se/blog/Elite-Hacking.html

Flipper Forum about cloning cards:

https://forum.flipperzero.one/t/13-56-mhz-hid-iclass-corp1000-wiegand-format-cards/1990/17

Flipper Zero Stock Firmware

https://flipperzero.one/update

Rogue Master Firmware

https://github.com/RogueMaster/flipperzero-firmware-wPlugins

Showing iClass brute force

We at StandardUser Cybersecurity are on a mission to share cybersecurity and cyber safety education with everyone, to make our world a better place. Are you with us? How can we help? Let us know today.

Whatever your cybersecurity challenge, we can help you keep your business running. We are a defensive and offensive cybersecurity company, using over 30 years of experience with active commercial and government work and proven security methodologies. We also educate teams and professionals who want to build on their skills. Occasionally we communicate with cybersecurity memes.

We set the standard for cybersecurity excellence.