KeySy: Copying and Replaying RFID Tags

From Embedded Lab Vienna for IoT & Security
Jump to: navigation, search

Summary

The KeySy is an low-frequency RFID duplicator by Tiny Labs, which can be used to store, replay and duplicate 125kHz RFID Tags. It comes with the KeySy remote and an additional rewriteable keyfob, onto which stored data can be duplicated.

Keysy.jpg

Hardware Used

  • KeySy RFID Duplicator (includes CR2032 battery)
  • programmed 125 kHz RFID Tag
  • empty 125 kHz RFID Tag

Copying RFID Tags

Step 1

On the KeySy remote, press the button you wish to program until the light starts blinking red (approx. 8 seconds)

Step 2

Place the remote on the keycard to be copied until the light stops blinking. If the copying process was successful, the light will now be green otherwise it will turn amber and you should proceed to Step 3.

Step 3

If the light turned amber, the copying process failed. Turn over the tag and repeat Steps 1 & 2 while slowly moving the KeySy remote over the tag.

If the copying process keeps failing:

  • Change the battery:
    Copying a tag uses a lot more energy than just replaying one. This means, even if the LED lights up, the battery could be too weak to complete the copying process.
  • Check KeySy compatibility:
    The Tag you want to copy is simply not readable by the remote. Refer to Section Hardware Limitations or Tiny Labs website under KeySy compatibility for further information.

Note: Any buttons that have already been programmed can be rewritten using the same steps. It is not necessary to explicitly delete information from the remote beforehand.

Replaying and Duplicating Tags

When you press one of the buttons on the KeySy remote, the LED will either flash red (there is nothing programmed on the button) or green (there is currently something programmed on this button).

Replaying

To replay a stored RFID tag from the remote, simply press and release the corresponding button in front of the RFID reader. Replay distance of the KeySy is about 5cm. The reader should blink or beep when the tags has been read successfully.

Duplicating Tags

The KeySy remote can also be used to program empty RFIDs tags with the information stored on one of the buttons.

Step 1

Position the remote on top of the empty RFID tag.

Step 2

Press the button you wish to copy 5 times, after which the LED will start blinking.

Step 3

When programming is finished the LED will blink 3 times green or red, if programming the keyfob failed. In this case please refer to Section Copying RFID Tags Step 3.

Hardware Limitations

The KeySy is designed to only work with RFID Tags which operate on the 125kHz Frequency. This means, NFC tags which operate on 13.56 MHz cannot be read or copied. While perimeter access control systems frequently use low-frequency RFID (e.g., gym cards, garage doors, building key cards), many building key cards provided by employers use NFC, because the require additional functionality such as authentication and are incompatible with the KeySy. Phones also use high frequency RFID, so as a rule of thumb you can remember: Any tag your phone can read, the KeySy cannot and vice versa.

This limitation has been put on the KeySy purposefully for security reasons to prevent the copying of sensitive information, e.g., debit cards.

References