Thanks to Morning Brew for my daily news briefing - sign up for free here: morningbrewdaily.com/greatscott

"this is not the lock picking lawyer"..... Mounts hinge on outside of door.

When I was building an RFID door lock for my mum when she developed Alzheimer's, the hardest bit was getting a good range. I ended up getting a huge (and resin potted!) reader unit and using it with the long range cards. (The keyfob circuit but with a wider coil in a plastic card.) I got a decent range from it. It also greatly improved the range of the common keyfobs too. There does seem to be quite a precise science to reading the keyfobs accurately. I did a lot of experimentation with adding wider coils too.

As LPL has proven so many times, that "lock" can be defeated with just a strong magnet - provided that it contains a relay to operate external circuits..

I got one of those readers...got about 45 reads off random people in just one day! In my own building I can now get to 14 additional floors. Honestly, rfid on elevator control might provide some security, but the stairwell doors have no security. This is an important lesson here, security is usually only theatre;a show.

When my mother started to develop dementia, I added such a key fob to her wrist band, build such a reader using ESP8266 to command the electronic lock "Keymatic" to open the doors. So, she could continue to live in her home instead of a nursing home. That was really very helpful.

I feel like the easiest way to "pick" that lock is to just pull the reader off the wall and short the appropriate pins to trigger the latch. That's why these systems usually use a separate controller - so there's nothing you can do to the external components to trigger the latch.

Seems like a pretty topic. I’d like to see more „security research“ videos from you!

I love how the Lockpickinglawyer has essentially become a meme on any lock-related video

You can absolutely grab tags easily with off the shelf long range readers, adding a microcontroller with BT/wifi in line with the reader wiegand or rs485 data lines is also a good way to read/replay a code back to the controller.

I once worked at a place where access to the parking lot was controlled with a large RFID reader. I would stick my arm out the window with my card in hand and slow down to just the right speed for the card to be read and the gate to go up just barely in time. The terrified looks I got from some security guards were priceless. 😂

Security is more a game of deterrence than anything else, and so you weigh everything from the value to bad actors to the (in)convenience for the valid users and find a solution that is sufficient for the scenario. I think the biggest takeaway should be “just because it has a computer in it doesn’t mean it’s automatically more secure than other options”, and that is something we would all do well to remember.

About 15 years ago, I was the developer of a production tracking system. At one point we started implementing controls of what leaves the production floor to be loaded into trucks. So we added an RFID tracking system. The system began printing RFID labels (yes, just like any other thin sticker) on our Zebra printers. If you think that product from Amazon is a lot, the reader we had installed on top of the exist door was over 3 meters high and could read the labels of all boxes in a pallet before they gotten directly under it. And they were passive and not active tags, as the cost of those would make the solution unviable. So you have an idea of what's possible. Now, If you want to maximize the range of your reader, I'd look on content for metal detector designs. Seeing how simplistic you design was if compared to the ones I saw for metal detectors, I know there is a lot of room to increase that range with some freely available designs. I am working towards building a metal detector and it is way more complicated than I was hoping for when I had this terrible idea. So it's going to take a while 😂. But I think you'd probably be able to adapt them in no time.

Mount the reader on the inside of the door for more security, the tag can be read through the door if its thin enough and not metal lined. Plus nobody knows it's there 👍🏻

Please continue! The Mythbusters were looking into this years ago and were discouraged from looking further. It would be very interesting to see what you could pull off!

I haven't been on KZbin as much as I use to, but I love the new intro. It is cool that you kept the premise the same. The artist did a very good job.

You the best GreatScott! So quality content here! Thank you :)

Nice video! A good idea for future video is to explain how NFC works and differences with RFID. And of course why it is more secure.

Never been so early! love your channel!, You have single handedly inspired my love for electronics for the past 4 years!

This was a most excellent lesson. Very inspiring, it makes me want to learn more about this subject.

Fantastic timing! I want a system with RFID to see which lawn mower is going for a recharge. This larger reader in the lawn and then an arduino telling which station it should go to. =)

Great video and idea, I just wanted to add up by looking at the internal circuit of the lock ( 3:57 ) that this lock uses a regular relay (almost certain to trigger the lock to open) which makes me sure you can open it just by using a powerful magnet (say neodymium) on the side of the lock, which is a known venerability to most cheap and even some premium security systems.

9:45 You might want to consider using a smith chart, it will make it a lot easier to calculate the impedance matching networks.I do the same thing however in my work a capacitor is usually just a thicker PCB trace and an inductor a thinner PCB trace :)

Thanks for making this video, I watch the LPL video, and thought the exact same thing you did!

You can get commercial long distance RFID readers and reverse engineer how they work… they are used in tolling and parking entrances to read rfid tags on cars as they drive in

The LPL hack with the magnet to the relay was more fun :) (I think a general good indication: if you connect the lock contacts to the outside device it’s not safe) BTW the „better“ RFID systems go a long way to document that they should not be used as access control :) Only rfid Chips with smart card function can do challenge/response and are (partially, think relay attacks) safe.

Well GreatScott turned into Kevin Mitnick real quick

In the schematic at 7:45, play with the other part of the circuit also. Yes raise the voltage but also play with the receiving circuit, like the forward loss on D2 and also with the capacitance of C3, and at the end if you filter the noise down by playing with this part you can rise the gain of the OpAmp.

that quite a motor on a fancy bench for winding :) Always good to watch your videos!

To me this kind of lock would be used where you just want to keep unwanted walk ins out, but not for securing it for locking up and keeping your items safe from thieves. Kind of like a staff only area and you don't want to keep having to use an actual key to get in and out all the time.

Interesting stuff. Always wondered how easy it was to NFC at a distance. Realistically from a home security perspective this is no worse than most door locks. Average door? Easy to pick/rake/bump. A thief will probably just break something (like the window next to the door) instead.

A proxmark with some kind of amplification could work. It can also crack vulnerable Mifare classic, or loaded with custom firmware for other kinds of automation like saving keys in the onboard memory for later retrieval.

your videos must be shown in schools! they are so good and informative!

This method is pretty similar to taking a picture of someone's keys, only the range is occluded by metal rather than opaque things. So, if you just store your RFID tags in an RFID blocking container, then you'll actually be about as secure as regular keys since the range should be similar.

3:31 From what I can see, your little power supply module has a "push button to activate" function via relay built-in to it and you confused that with the wires coming out of the bolt lock. In the PSU module, when energised, if you apply 12V to the "PUSH" terminal, it will trip the relay and the contacts COM/NC/NC will change accordingly. The bolt lock wiring has nothing to do with this function though. The manual shows that RED/BLACK are for 12/24V power source and the WHITE/YELLOW are for a "locked" contact for monitoring. Meaning if the bolt is out, you get a short (NC) between those two wires. When the bolt retracts you get an open circuit (NO). You would wire that to an input on the door controller so you can monitor if the lock is actually locked or if the bolt is stuck half-way out or something. In short, although the manual has many spelling mistakes, it showed the correct information regarding the four wires coming out of the lock.

Long Range RFID system use UHF 433MHz & 928 MHz Transmitter along with sensitive receivers that can detect a fraction of change in the transmitted wave. If we increase the operating frequency of RFID system then the power required for transmission is decreased and improve the sensitivity also. Another way is modify the 125khz coil circuit with high speed switching transistor and adjust the gain of opamp at detector end with optimal level with pot...I think it works ✌️

Nice job. It's a pleasure to watch your videos.

Eh, since the control unit is basically just sending power to door latch to open the lock, it's easy to just smash it open and connect the wires that go to the door latch. So this is only barely better than a zip tie. Somewhat secure systems have an external panel with only the keypad and RFID plate, while the controller with the relays that control the door latches is internal. So even if you smash the external panel you can still just press the keypad buttons

Actually, sniffing works only for standards that do not use encryption or some standards, that use compromised security protocol such as Mifare Classic variants vulnerable for Nested and HardNested attacks. Sniffing is useless, for example, for Mifare Plus standard readers, that uses unique session key generation for encrypting data stream between reader and tag with AES-128. So, basically, sniffing would be efficient only for old RFID tag standards or for standards that not designed for to use in high security systems. Using outdated standards or standards that not designed for such purposes is only manufacturer fault. I assume, if you need secure something important with RFID locks, use only Mifare Plus or Mifare Ultralight-C reader variants and tags.

Amazing job, thanks for Your effort!

What you try there is one of the original flaws of RFID systems that has been known pretty much since the beginning. The communication between the reader and tag can be eavesdropped on from up to 20x the effective working distance for an actual tag - more with the right equipment. Since virtually all RFID tags are no more than passive memory devices, they are thoroughly unsuitable for any security critical application - as is all unencrypted wireless technology by the way. On the other hand, the important upside of digital keys of all sorts is that unlike in mechanical keys, each key is different and can be invalidated easily if lost. There are actually three solutions to this proplem: One, have a second factor like a pin that is needed to access the secure resource, or two, use cryptographic tags like DESFire instead of the cheapest option or three, use a secure-by-design reader that requires you to insert the key fob into an electromagnetically shielded slot to open

You can get enough security with RFID. First you need to choose between failsafe and failsecure lock options, and second You need to read hidden data or request processing, not only read the tag designator.

Pretty sure you need something more than a larger coil to increase tbe distance. Think you need to increase the antenna's directionality gain (focusing the rf). Think pringles can or a yagi antenna

Excellent video!! keep it up 👏

You had me glued to the screen with this. I'm working on an RFID product using Gen2 tags (~900MHz). I have read tags over 2m and I have a more powerful reader I haven't tried yet. I assumed that lock tags would perform some kind of encryption, or at least use a unique number that can't be easily copied. Gen2 tags include a permanent, unique identifier as far as I know. I'm shocked that those tags can just be copied and work.

It really comes down to use case tho. If you are worried about "random bad guy" dropping by, then tag copying isn't really a concern. The "random bad guy" is unlikely to bother making sure they get close enough to you to copy the tag. I see you thought about that a bit, with your 30cm range requirement. But I still think that's not the random bad guy who is hanging around most neighborhoods. So you are right, yeah, RFID isn't the best if you are worried about a targeted attack. But I don't think that is the use case for these devices.

Hi Scott, great video. I have got a question, How do you calculate the number of turns and AWG for the coils used as antenna?

Your products are amazing and I really look up to you as an intellectual superior- I have a question which i was hoping you could answer please. Q) is it possible it increase the reception of the proxmark pro?

You know whats crazy about these cheap units? There's a relay on the board, and if you use a magnet you can trigger it to open.

Well this only works when the RFID system being used is static, most comercial rfid systems use a encryption scheme and have other solutions to this problem, this is only so if you set an id an a tag.

LF tags are ideal for implanting into pets as they are about the size of a grain of rice so don't cause irritation and the read range and security are not a problem. HF is still used, especially its NFC variant where security is more important and the slightly better read range is useful. In industry UHF is the most common standard now as it has a much better read range (even small hand held devices can read a few metres) and multiple tags can be read at once.

The HID maxiprox 5375 rfid readers at garages can read up to 3 feet away (~90cm), That is obviously much farther than the 30cm goal you want, but the coil wrapped in there is roughly 30cm x 30cm

An RFID alarm in the market might help you with your project, since it need to keep a quite far distance and read the data in the tag, I'm sure there must be some kind of information of these theft-proof system!

Type 1 is unsafe. That’s the 125 KHz one. The type 2 is bi-directional and have updatable data in the chip. It’s the 2 MHz+ one. Implementation becomes the key factor.

Great video scott! Keep these videos coming!

Look forward to the next video on this!

should have not been using unsecured 125khz and instead been using the more modern NFC standard that can use an encrypted key. I'm kinda surprised they still sell 125khz systems.

Remember that "S" in "RFID" stands for security

We used to make coils that where rectangular about 1meter x 1 meter in size and where build to be hidden in concrete floors to read tags in prison buildings. Not used for opening doors but for tracking people, so nobody could escape because rfid is indeed a bad idea for locking doors. We could read tags up to about 3 meters. The electronics for this was made in house as well. Had a sizeable amplifier for driving the coil i remember, can't remember what exactly we did to get the range it had something to do with waveforms and filtering.

Great video as always Thanks for sharing 🙂

hey neat, that RFID reader with the keypad is the one they used in better call saul as a jaguar key fob clone. they took the case off but left the keypad on the PCB

Excellent work. Cheers

As someone who has been designing RFID readers for the last 8 years, let me point some things: - The 125kHz systems (often called EMARINE) usually works on one of the EM41xx standards. It was developed decades ago, back when microchips were not that common. This standard, while widely used, is outdated, and shouldn’t be used for a security purposes. They are so widespread because they are extremely cheap. And they work great for some stuff, like if you have a lunch ordering system or a digital timeclock. You can get ISO datasheets with detailed descriptions of those cards and readers if you look up EM4000 or EM4002. - Readers which work with 125kHz frequency use near field because the wavelength is about 2.4km. Reader with the most range that I’ve seen, and which is commercially available, has about 1m range. The problem is in the fact that you have to power the tag from the antenna coil. Transmission of energy is not efficient at these low frequencies and antenna shape doesn't really help that much. It’s a good idea to make a simple circuit which measures the field strength. Just make a small coil (like the tag), connect a capacitor for 125kHz resonance, rectifier, divider and another capacitor. You can measure the output directly with a multimeter. - Making a long-range spoofer should be possible. Just make an 125kHz receiver and detect the signal from the reader itself. Since you don’t have to energize the tag (it’s already energized by the reader), you should be able to catch the communication. Using some digital filters to process the output, you should be able to get at least 10m range. The only downside is, that you can capture the communication only when the tag is being used, but that can be solved by leaving that device somewhere near the reader and recording tags as they come. - More secure standards usually use 13.56MHz frequency (f.e. your credit card) and they have a two-way communication between the reader and tag. Many standards support advanced encryption (look up Mifare Desfire or Legic).

I built one of these after seeing this idea on the Lockpicking Lawyers channel.

Spannendes Video. War Thema meiner Diplomarbeit 2007 bei Braun...

I bought a proxmak3 rdv3 a while back to tinker with rfid, it's very clear that security in this domain isn't very widespread, there are some HF tags (like the mifare desfire ones) that are pretty good, but there is till a big lack of awareness on the consumer side

This is really cool! I'd love to see how to set off those little puck restaurant thingies ;) I can't imagine its too hard given what you just did

So ein Teil baut man nicht wegen der Sicherheit, sondern wegen der Bequemlichkeit. ❤❤❤

Great intro, Scott!

this is why at the pharmaceutical factory i worked security at for 15 years i insisted that all the card readers also require a pin (which only some doors had). after cloning a fewer people higher access rfid cards i showed them how easy it was to clone a card. I had to compromise as set up a anti pass back system to prevent the same card from entering a door twice with out scanning out.

Some of these will try to write to the fob before reading it, meaning you can't really use rewiteable tags. Of course you can get around this by using a more advanced transmitter than just a normal fob.

Great topic 👍👍here is an idea of the next video. How about if you make a portable device to bruteforce the lock by sending random numbers combination

In the early days of WiFi I used to design corporate WiFi networks and the first thing I need to do was check or set the access points output to 25mW because pda’s weren’t that powerful. People thought it was counterintuitive to place more individual AP’s in stead of one big antenna at 100mW at the center of a room. What they forgot was that it’s a half-duplex communication and just turning up the WiFi amp is like SHOUTING REALLY LOUD whilst putting fingers in your ears. Changing the op-amp in this video reminded me of this. And it reminded me of a time before lithium ion and that pda’s were a thing…

A more secure approach is the unit to send an encrypted random code to the key, which then has to send back the correct corresponding code. Of course, the mechanical parts also have to be strong and secure.

It should be possible to do a passive read from a distance when someone opens the door. With a proper directional antenna directed at the door lock, you could probably detect the communication between reader and tag and decode it.

Thanks for your sharing

Good thing you looked over the instryctions

Seven words into the video, you got a thumbs-up.

The Intro is already legend!

Very interesting intryctions.

Great and interesting video as always 👍👍👍

alternatively bring a very strong magnet close to it sometimes they will directly pull the bolt open sometimes they will trip a solenoid that opens the bold sometimes they will crash the software which then resets and defaults to open

I just recently looked a bit into something somewhat related. The new Webauthn standard. You could likely create a lock with that via NFC, and that should be secure at least from the non-physucal standpoint. Webauthn uses stuff like "challenge response", where the "key" never leaves the Webauthn device, but instead you only prove its presence. The challenge is provided by the resource to be opened and contains both host information as well as stuff that's temporary (like the precise start time of the authentification), and IIRC should also be signed by the resource to be opened, to avoid people just faking that resource to get a valid key.

Can you overwhelm an RFID lock by using a stun gun? IE: generating a high frequency random signal by sparking the gun near the reader? --- When trying to "break" security, you either try to get through in a normal way, or an alternate way. -- An alternate way in this case would be to cook the RFID read so everyone has to use the keypad and then note the numbers or dust the pad.

This just illustrates that when you make something wireless: encryption is even more necessary. Hell I remember back in the day with 900mhz cordless phones: I would be able to hear my neighbor's phone conversations unintentionally on my radio scanner. Back then cordless phones sent an entirely analog signal. No encryption at all.

Your penmanship is extraordinary! Wow, I am not kidding I am jealous, this is how i wish my hand printing would look. But it is so hard to change the way you write as an adult, I have tried but it seems like it is really hard to make changes. Also the video was really great, very interesting and I also like to watch the lock picking lawyers videos as well! By the way, does anyone have experience with trying to change/improve your handwriting as an adult? Is there a reason that this is difficult and is it just me or for anyone/everyone?

You should try directing your magnetic field with half open pot cores. You can use femm for simulation.

Pretty interesting indeed! 😃 I would love to see a system you would approve! Stay safe and creative there! 🖖😊

Great work

There is particular way in designing the receiving signal coil, which is called "loop antenna." It can received much longer distance.

Really enjoy your channel! 👍

I LOVE THE NEW INTRO

Gutes video, wie immer. Gruss aus California

As a simple more secure solutions there are also tags with a button on it you have to press in order to unlock the door

thank you bro

Work had one of these installed but it wasn't a pin lock system, it was just a magnet. If you yanked the door open you could still get in if you forgot your badge that day.

i need one of these

Skip cloning the tag with this kind of system. Just bring a magnet to bypass/trip the relay in the keypad. :)

Where did you get that LCR meter that you have there? I want one too!

We need a part two of thiss