How a mobile phone emulates a door card over NFC. A complete NFC implementation has three modes: reader/writer (active mode), card emulation (passive mode), and peer-to-peer (two-way transmission).
A phone emulating a door card uses NFC to read the credential stored on the door card (think of it as a key), then builds a virtual key from that information; in effect, the phone writes the card itself.
NFC can also present a blank card that an authorized issuer, such as a public transport card office, writes to. Applying for a transport card online saves the user a trip; Xiaomi, Huawei and Apple all support this.
Unencrypted door cards are easy for NFC phones to emulate, but carry hidden security risks
As for which door cards Xiaomi can emulate, the Xiaomi wallet app states it plainly: door card emulation currently supports unencrypted door cards operating at 13.56 MHz that are on the market. If the door card has an encrypted area, it cannot be emulated. For security reasons, bank cards with access-card functions, and access cards that also carry stored-value, payment or public transport functions, cannot be emulated for the time being; even if emulation succeeds, the emulated card will not carry the banking, payment or public transport functions.
In Qike's own testing, a development in Dongguan pre-installed a smart lock for the owner; although the model is a bit dated (it runs on four AA batteries), the Xiaomi Mi 6 could not emulate its door card because the card is encrypted. A relative in Shenzhen received a thousand-yuan smart lock from a friend, and the Mi 6 emulated its card in just one minute; the NFC Tools app identified the original door card as an M1 chip.
Repeated checks showed that many smart door locks currently ship with M1 door cards (Mifare One, an early NXP patented technology with a history of more than 20 years; it is widely used because it is cheap, and after years on the market domestic compatible chips are very common). Many reader/writer devices aimed specifically at M1 cards are sold, and they can copy the card's sector data and keys completely.
In other words, this kind of unencrypted access card can easily be copied by criminals and used to get in another day (a local media survey found that low-end access cards such as IC and ID cards account for 80% to 90% of the cards used in Quanzhou communities, and can be copied in 30 seconds). Last time, Qike also specifically reminded this relative to be careful not to lose the key card and not to lend it to others casually.
It should be noted that door cards operating at 13.56 MHz fall under high-frequency RFID. There are two main standards: ISO 14443 (which covers the M1 card; maximum read distance 10 cm) and ISO 15693 (vicinity-coupling IC cards; maximum read distance 1 m). Some door cards in keychain form instead use low-frequency RFID chips operating at 125-134.2 kHz with a read distance of 5-10 cm; NFC phones cannot emulate such cards.
Apple phones can also emulate access cards, but it requires authorization
Currently the most common NFC card emulation on phones is the mobile Pay function that UnionPay launches together with phone manufacturers. So can the bank card emulated over NFC be given the access-card function directly? The answer is yes!
Reading the emulated card three times in a row with an NFC reader showed that the UID changed on every read, but the string of card numbers that followed was fixed. This fixed serial number was used as the door card's secret. By pressing the key, the phone's NFC bank card can open the door. In other words, we can set this string of digits as the smart lock's password. When a stranger is watching, the owner can add some random digits before and after the password; as long as the number entered contains the real password, the door opens. That is the principle.
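The observation above, a UID that changes on every read while a second identifier stays fixed, is exactly what a lock controller has to cope with at enrollment time. The following is an added example (not code from the original article) of the sanity checks a lock could run over a few consecutive reads before deciding which identifier to enroll. It relies on one fact from ISO/IEC 14443-3: a 4-byte UID whose first byte is 0x08 is declared to be a random number chosen at each activation, so a lock keyed only on the UID would never match that token again. The sample reads, the field name "card_number" and all byte values are constructed placeholders.

```python
"""Enrollment sanity checks for a lock controller that learns a token over NFC.

Added example, not code from the original article. The reads below are
constructed to mimic what the article describes: a phone-emulated card whose
UID changes on every read while a second identifier stays fixed.
"""

# ISO/IEC 14443-3 reserves 0x08 as the first byte of a single-size (4-byte) UID
# to mean "this UID is a random number chosen at each activation".
RANDOM_UID_MARKER = 0x08


def is_random_uid(uid: bytes) -> bool:
    """True when the UID carries the ISO 14443-3 random-UID marker."""
    return len(uid) == 4 and uid[0] == RANDOM_UID_MARKER


def stable_fields(reads: list[dict[str, bytes]]) -> dict[str, bool]:
    """For every field present in all reads, report whether its value never changed."""
    if len(reads) < 2:
        raise ValueError("need at least two reads to judge stability")
    common = set(reads[0])
    for r in reads[1:]:
        common &= set(r)
    return {name: len({r[name] for r in reads}) == 1 for name in sorted(common)}


def enrollment_report(reads: list[dict[str, bytes]]) -> dict:
    """Decide which identifier a lock may enroll, and flag UID-only enrollment."""
    stability = stable_fields(reads)
    uid_random = any(is_random_uid(r.get("uid", b"")) for r in reads)
    usable = [name for name, stable in stability.items() if stable]
    return {
        "uid_stable": stability.get("uid", False),
        "uid_random_marker": uid_random,
        "usable_fields": usable,
        # A lock keyed only on the UID would never match a random-UID token again.
        "uid_only_enrollment_ok": stability.get("uid", False) and not uid_random,
    }


# Constructed sample: three consecutive reads of the same phone-emulated card.
# "card_number" stands in for the fixed string the article observed after the
# UID; the field name and the byte values are placeholders, not real card data.
SAMPLE_READS = [
    {"uid": bytes.fromhex("083a9c17"), "card_number": bytes.fromhex("00112233445566")},
    {"uid": bytes.fromhex("08e1042b"), "card_number": bytes.fromhex("00112233445566")},
    {"uid": bytes.fromhex("087f5690"), "card_number": bytes.fromhex("00112233445566")},
]

if __name__ == "__main__":
    print(enrollment_report(SAMPLE_READS))
```

On the constructed reads the report says the UID is neither stable nor usable on its own, and lists "card_number" as the only field that stayed constant. Whatever field the lock ends up enrolling, it is still a fixed number that the lock compares; the card's own cryptography is not involved in that comparison.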
A friend of mine who owns RFID reader/writer equipment is an industry expert; this kind of equipment is generally supplied to card issuers (RFID is essentially a B2B application). This method was tested on Huawei, Xiaomi, Apple and many other models, and all of them work. NFC phones generally cannot be debugged and may not be able to obtain the emulated card's fixed serial number; if any reader can do it, please leave a comment (this is within the scope of cracking, intended only for technical discussion, and must not be used for illegal purposes).
▲ Cloning an M1 access card with a PM3 is very simple, and the encrypted data can also be written into an NFC phone. Interested readers can research this on their own.
To summarize the advantages of emulating a door card on an NFC phone:
Convenient: no need to carry a door card, the phone is the room card;
Not only Huawei, Xiaomi and Samsung Android phones; iPhone users can also open the door by tapping their phone (iOS is not open source and cannot call the NFC interface directly);
The card emulated by the phone is a CPU card, with a very high security level and no possibility of being copied.
Finally, the industry recommends that lock manufacturers upgrade from the standard M1 card to a CPU card. Each CPU card contains a CPU chip and a COS (chip operating system), which ensures the card cannot be copied. Although a CPU card costs more than an M1 card, it is safer from the user's perspective.
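The difference the recommendation above turns on is not the chip itself but the protocol the lock runs. A lock that compares a fixed number read from the token (an M1 card's sector data, or the fixed serial taken from a phone's bank card as described earlier) accepts any token that emits the same bytes, so a duplicate is indistinguishable. A CPU card instead keeps a key on the chip and answers a fresh random challenge from the lock, so a recorded exchange is useless the next time. The following is an added example (not the article's code and not a model of any real lock or card product) that runs both designs side by side; the protocol, the HMAC used in place of the card's on-chip cipher, and all identifiers and keys are constructed for illustration.

```python
"""Static credential versus challenge-response: why a CPU card resists copying.

Added example; not the article's code and not a model of any real lock or card
product. The key values and protocol are constructed for illustration only.
"""
import hashlib
import hmac
import os


class StaticCredentialLock:
    """Lock that opens when the bytes read from the token equal the enrolled value.

    This is the situation the article describes for M1 cards, and for a lock
    that just matches a fixed number read from a phone: any token that emits
    the same bytes gets the same result.
    """

    def __init__(self, enrolled: bytes) -> None:
        self.enrolled = enrolled

    def try_open(self, presented: bytes) -> bool:
        return hmac.compare_digest(presented, self.enrolled)


class ChallengeResponseCard:
    """Model of a CPU card: a key that never leaves the chip, used to answer challenges."""

    def __init__(self, card_id: bytes, key: bytes) -> None:
        self.card_id = card_id
        self._key = key  # constructed secret; a real card keeps this in silicon

    def respond(self, challenge: bytes) -> bytes:
        # HMAC-SHA256 stands in for the card's on-chip cipher (hypothetical choice).
        return hmac.new(self._key, self.card_id + challenge, hashlib.sha256).digest()


class ChallengeResponseLock:
    """Lock that issues a fresh random challenge and checks the card's answer."""

    def __init__(self) -> None:
        self._keys: dict[bytes, bytes] = {}  # card_id -> key shared at enrollment

    def enroll(self, card_id: bytes, key: bytes) -> None:
        self._keys[card_id] = key

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, card_id: bytes, challenge: bytes, response: bytes) -> bool:
        key = self._keys.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, card_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict[str, bool]:
    """Run both designs against a genuine token and against a copy of its output."""
    results: dict[str, bool] = {}

    # 1. Static credential: a second token emitting the same bytes opens the lock.
    enrolled = bytes.fromhex("a1b2c3d4")  # constructed UID-like value
    static_lock = StaticCredentialLock(enrolled)
    duplicate = bytes(enrolled)  # identical bytes on a second token
    results["static_accepts_duplicate"] = static_lock.try_open(duplicate)

    # 2. Challenge-response: record one genuine exchange, then present it again.
    card_id = b"CARD-0001"  # constructed identifier
    key = os.urandom(32)  # constructed per-card secret
    card = ChallengeResponseCard(card_id, key)
    cr_lock = ChallengeResponseLock()
    cr_lock.enroll(card_id, key)

    challenge_1 = cr_lock.new_challenge()
    response_1 = card.respond(challenge_1)
    results["cr_accepts_genuine"] = cr_lock.verify(card_id, challenge_1, response_1)

    # A copy that captured only (challenge_1, response_1) cannot answer a new challenge.
    challenge_2 = cr_lock.new_challenge()
    results["cr_rejects_replayed_answer"] = not cr_lock.verify(card_id, challenge_2, response_1)

    # Knowing the card_id without the key does not help either.
    other = ChallengeResponseCard(card_id, os.urandom(32))
    results["cr_rejects_wrong_key"] = not cr_lock.verify(card_id, challenge_2, other.respond(challenge_2))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point for a lock designer is that the CPU card's cloning resistance only reaches the door if the lock performs the challenge-response itself. A lock that reads one fixed value off a CPU card and compares it is back in the first case, regardless of how strong the card is.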