In movies, geeks pitch in and attach a PDA to the door that sweeps the magnetic field patterns or analyzes the lock code in a matter of seconds. They employ modern science, mostly imaginary, but it sure looks complex. In reality, unlocking doors can be as easy as buying a good magnet.
Most office doors employ magnetic sensors that require an access card to be swiped across them to unlock. These magnetic cards have a unique magnetic pattern underneath the plastic, which, when scanned, is matched against a person’s identity.
Among the most popular lines of office door locks, the Kaba Ilco Simplex line has been around for more than 3 decades, and was pretty much unhackable until 2010. But with a strong magnet, it opens effortlessly in under 3 seconds.
The hack requires powerful rare-earth magnets, which form the basis of this state-of-the-art attack.
The worst part is that most other locks that use a combination chamber are equally vulnerable.
How it Works
Normally, these door locks need to capture the weak magnetic field generated in the vicinity of an access card, or a specific combination of buttons has to be pressed, to make the bolt withdraw. However, when a strong magnet is presented, it disturbs the magnetic field inside the combination chamber and the system scrambles, making the bolt withdraw even if no buttons are pressed and no card is presented.
Kaba, being the industry leader, has fixed the problem with a new combination chamber design in the latest models of its lock, but that won’t change the existing locks that have been installed in offices the world over for the last 3 decades.
The rare earth (lanthanide) elements are metals that are ferromagnetic, meaning that like iron they can be magnetized, but their Curie temperatures are below room temperature, so in pure form their magnetism only appears at low temperatures. However, they form compounds with the transition metals such as iron, nickel, and cobalt, and some of these have Curie temperatures well above room temperature. Rare earth magnets are made from these compounds.
You can buy one of these neodymium magnets for about $10, no experience required.
Warning: This is just for educational purposes. Do not hack into someone’s office; you alone would be responsible for any consequences.
Alternatively, you can design a card writer that can hack magnetic locks:
In the above demo, the hacker used pre-made connectors so he could easily disconnect and reconnect the device. When you put the reader’s cover back, the Gecko would be hidden behind it.
The card reader also continues to work fine with the Gecko attached. It passes along the signal from the reader to the control system as it’s supposed to. But when someone swipes an authorized card that unlocks the door, Gecko saves that signal.
With that saved unlock signal, the attacker can swipe a ‘replay’ card that tells Gecko to re-send that saved signal, and the doors unlock. What’s more, any saved access logs would only show that the same person who originally swiped the saved signal swiped his card again.
The replay card isn’t anything special, and could be any card. It’s just one that Gecko knows about beforehand. When it sees that card’s code – because the card reader passes it along – Gecko knows to send its saved signal in response.
The device also knows to look out for another card code – again, just a regular card – and in that case, disable the system. Only the recognized replay card can unlock the door. Every other card, authorized or not, will fail.
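Because a replayed swipe is logged as the original cardholder, spotting it means looking for reads that contradict that cardholder's other reads. The following is an added example, not code from the original page or from the Gecko's author: it assumes a controller log with in/out readers, and the field layout, card IDs, door names and the two-minute travel threshold are all constructed for illustration.

```python
from datetime import datetime, timedelta

MIN_TRAVEL = timedelta(minutes=2)  # assumed minimum walking time between doors

# Constructed sample log: (time, door, card, direction, result)
LOG = [
    ("2024-03-04 08:58", "lobby", "C-1001", "in", "granted"),
    ("2024-03-04 09:02", "lab", "C-2002", "in", "granted"),
    ("2024-03-04 12:00", "lab", "C-3003", "in", "denied"),
    ("2024-03-04 17:30", "lobby", "C-1001", "out", "granted"),
    # C-2002 never badged out of the lab, yet badges in again at night
    ("2024-03-04 22:15", "lab", "C-2002", "in", "granted"),
    ("2024-03-05 09:00", "lobby", "C-1001", "in", "granted"),
    # same card at a different door one minute later
    ("2024-03-05 09:01", "lab", "C-1001", "in", "granted"),
]


def find_suspect_reads(log, min_travel=MIN_TRAVEL):
    """Return (time, door, card, reason) for granted reads that
    contradict the same card's earlier granted reads."""
    last_dir = {}   # (card, door) -> direction of last granted read
    last_seen = {}  # card -> (datetime, door) of last granted read
    alerts = []
    for ts, door, card, direction, result in sorted(log):
        if result != "granted":
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        # Rule 1: a second "in" at the same door with no "out" between
        if direction == "in" and last_dir.get((card, door)) == "in":
            alerts.append((ts, door, card, "re-entry without exit"))
        # Rule 2: the card shows up at another door faster than a person could walk
        prev = last_seen.get(card)
        if prev and prev[1] != door and when - prev[0] < min_travel:
            alerts.append((ts, door, card, "impossible travel"))
        last_dir[(card, door)] = direction
        last_seen[card] = (when, door)
    return alerts


if __name__ == "__main__":
    for alert in find_suspect_reads(LOG):
        print(*alert, sep=" | ")
```

Tailgating also produces re-entry alerts, so these hits are a prompt to inspect the reader and check camera footage rather than proof of a replay.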