I’ve been playing with reading/cracking hotel room keys using the Proxmark3 RDV4 lately.
Most hotel room keys I have collected are MIFARE Classic 1K. MOST of them are susceptible to autopwn within a minute or so. Coincidentally, most of my collection are from Hilton properties. Recently I came across a Sheraton room key that didn’t fall within the expected timeframe.
The “Weak PRNG” method did not work on this particular card, and so pm3 (RRG/Iceman fork) reverted to a hardnested attack. On my M1 MacBook Air, that was slated to take 2 days. I moved the task to a more powerful Kali desktop, and it’s now slated to take 9 hours to complete.
I will update this post when I experience either success or failure. I do like a challenge.
Hours later: The first run stopped in midstream with “Could not connect to Proxmark.” Running it again for good measure.
Hours later again: Collapsed again after a couple of hours. Might have to try a different approach.
I learned some stuff in my reading, though. Apparently it’s all a game of spy vs spy. There are RFID systems that will detect cloned cards by attempting to write to block 0. If successful, it’s a writable clone card and the system can deny and alert. There are also more advanced CARDS that can be written and then locked, to defeat those features.
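The block 0 write check described above, modelled as reader-side logic. This is an added example, not code from the original post or from any vendor's reader; `SimCard`, `screen_card` and the sample block contents are hypothetical and constructed.

```python
from dataclasses import dataclass

BLOCK_SIZE = 16  # MIFARE Classic blocks are 16 bytes


@dataclass
class SimCard:
    """Constructed card model; only block 0 write behaviour is simulated."""
    label: str
    block0: bytes
    block0_writable: bool

    def read_block0(self) -> bytes:
        return self.block0

    def write_block0(self, data: bytes) -> bool:
        """Return True if the card accepts (ACKs) the write, False if it refuses."""
        if len(data) != BLOCK_SIZE:
            raise ValueError("block 0 must be exactly 16 bytes")
        if not self.block0_writable:
            return False
        self.block0 = data
        return True


def screen_card(card: SimCard) -> str:
    """Reader-side check: a card that accepts a block 0 write is a writable clone."""
    original = card.read_block0()
    # Write back the bytes just read, so the probe never changes card contents.
    if card.write_block0(original):
        return "deny+alert"
    return "accept"


# Constructed sample data: same block 0 contents on all three cards.
BLOCK0 = bytes.fromhex("01020304" + "04" + "00" * 11)
CARDS = [
    SimCard("genuine", BLOCK0, block0_writable=False),
    SimCard("writable clone", BLOCK0, block0_writable=True),
    # A clone written once and then locked refuses the probe like a genuine card.
    SimCard("locked clone", BLOCK0, block0_writable=False),
]


def screen_all() -> dict:
    return {c.label: screen_card(c) for c in CARDS}


if __name__ == "__main__":
    for label, verdict in screen_all().items():
        print(f"{label:15} {verdict}")
```

The locked clone passes the probe exactly as the genuine card does, which is the limitation the last sentence of the paragraph describes.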
I went through my collection of DEF CON hotel room keys, with the following results. Some cards are magnetic only, and some, interestingly, are dual magnetic and MIFARE 1K.
DC25 Ballys: hf-mf-CDB0A861-dump
DC25 Paris: hf-mf-ED50684A-dump (dual)
DC25 Caesars: hf-mf-FD84FF60-dump (dual)
DC25 Flamingo: (magnetic only)
DC25 Harrahs: hf-mf-FD1D7061-dump (dual)
DC26 Linq: success hf-mf-63593B25-dump
DC26 Flamingo: hf-mf-E3C32925-dump (dual)
DC26 Paris: (magnetic only)
DC26 Ballys: hf-mf-E3ACE524-dump
DC26 Caesars: hf-mf-F3C04725-dump (dual)
DC27 Linq: hf-mf-4D0233C0-dump
DC27 Ballys: hf-mf-2D162374-dump
DC27 Ballys: hf-mf-A0F99001-dump
DC27 Paris: hf-mf-DD37F96D-dump
DC27 Flamingo: hf-mf-9D4C3B6E-dump