Bypassing RFID HID Corporate 1000 physical access control system: improving the firmware of Proxmark III

Bypassing RFID HID Corporate 1000 physical access control system: improving the firmware of Proxmark III

One of still most used physical access control system in corporate environment is HID Corporate 1000. HID Corporate 1000 is a data format developed from HID Global on RFID tags (low frequency proximity technology at 125 kHz).

HID Corporate 1000 is a simple and flawed technology. Every badge contains a Facility Code (or Site Code) and a Card Number. The Facility Code identifies the company, while the Card Number identifies the particular badge. Both this numbers are not cyphered, so an attacker that can access to a badge can easily read the badge with a reader and obtain the two numbers. Even worse, very often these numbers are also physically printed on the badge and so an attacker can grab them simply reading the badge with his eyes! 🙂

So, what can we do with do if we have a Facility Code and a Card Number? Obviously we can clone the badge. But maybe the badge that we can clone can not access in every area of the corporate environment. Usually critical areas (ex. CED) are limited to a few people and most attackers are interested precisely in those areas.

For this reason, Brad Antoniewicz of McAfee® Foundstone® Professional Services published ProxBrute, a very smart modification of the stand-alone mode of Proxmark III firmware. The idea is very simple. If we have a HID Corporate ID (composed by a Facility Code and a Card Number) and a door to unlock that the ID can’t open, we could try to decrement by one unity the Card Number and see if the corresponding user can open the door, and so on, brute forcing the Card Number until it open the door.

Brad Antoniewicz’s idea was very good, but his implementation does not consider that the HID Corporate ID has some parity bits and consequently Proxbrute does not recalculate parity after decrementing the Card Number. If the reader check for the parity, it will reject the most Proxbrute attempts!

For this reason, we have implemented an our version of this type of attack. Our modification of the Proxmark Firmware calculates parity and adds a functionality to the bruteforce: it can also increment the Card Number, instead of only decrementing it. In this way, if all card numbers that can access to the area in which we are trying to get in are higher to the number of the badge we have, our attack will be anyway successful!

The following schema describes the new functionality added to the stand-alone mode of proxmark3:



There is only one detail not represented in the schema: if the user after selecting a slot and saving a tag in the corresponding slot, re-hold the button for 2 seconds, then the Proxmark tries to clone the tag. This functionality is native of original proxmark3 firmware and has not been introduced by the present work.

The modified Proxmark III firmware and the patch can be downloaded at:

Our modification has been applied to the last version of Proxmark available at time of the present work, that is commit “4b36037948fb7f0de45ac1033e6da335810c4993”.