RFID access control, what it is and how to exploit it
2023-09-08, 17:55–18:55 (Europe/Berlin), Pupin

People attending the presentation will have the chance to try out some of the tools and see an example access control system.

While exploring the interesting world of RFID, witnessing a disappointing amount of improper implementations of access control systems, and dealing with shady vendors for backdoored cards, I realized there is a need for the proper education of people and making sure they know what to look for.

Prior knowledge about any of the topics of this presentation is optional, and it is appropriate for both beginners and someone who might already know something about this topic.

While some of the techniques and demos might look like some James Bond-level magic, most of the stuff I will be demoing and talking about can be done with pretty inexpensive equipment (you might need to spend some money if you decide to go deep into research equipment) and without much prior learning.

If you want to find more about some kind of credential, please, bring it and I will take a look at it


The presentation will consist of multiple parts.

The first part will break down the architecture of the average access control system, a high-level overview of the card, reader, communication with controller and controller, and a bit about electronic locks.

The second part will get into different types of cards and readers, including readers with backward compatibility and how that can be exploited.

The third part will talk about readers talking to controllers, and usual ways readers talk to controllers, and how that can be exploited.

The fourth part will discuss common mistakes integrators and equipment manufacturers make while producing RFID access control systems and how to exploit them.

See also: Presentation

I was passionate about taking things apart since I was a kid, now my hobbies and work revolve around how things work.