I’ve always wanted a skeleton key – not a real one, but the kind you’d see in a cartoon that opens every door instantly. The idea of being able to slip in anywhere, smoothly and discreetly, has always been a secret dream of mine.
Of course, times change and so do keys. Your front door may still use a metal key, but offices and industrial facilities are more likely to use some sort of wireless key card, be it NFC, RFID or some other radio signal. So what does a tappable skeleton key look like?
What is it?
The ChameleonMini is a tool that allows you to emulate and clone high-frequency contactless cards and read RFID tags. It functions as an NFC emulator and RFID reader and can sniff and log radio frequency (RF) data. From a distance, it vaguely resembles a credit card, although there are multiple form factors. You can use it standalone or connect the device to your phone via Bluetooth and use one of the many Chameleon apps to run penetration tests on your own systems.
If you have an employee’s key fob handy, it can create a functional replica of the key fob that will take you wherever the original would go – along with a few more complicated tricks we’ll get into later.
The device started in 2013 as an open source project on GitHub, so there are a lot of versions. The Revision G is our favorite version, successfully kickstarted by KAOS back in 2016. It is powered by a rechargeable battery and comes in a variety of sweet colors.
A company called Proxmark also offers two miniature models: the Chameleon Tiny and the Chameleon Tiny Pro. The form factor of the Chameleon Tiny is so small that it fits on a key ring just like a fob, and the Chameleon Tiny Pro has Bluetooth Low Energy, allowing it to quickly communicate with apps on both Android and iOS.
What can it do?
The ChameleonMini can extract information from card keys and key fobs, including cloning the UID and saving the data for later. Card keys are the most obvious use, but the tricks don’t stop there: the Chameleon can also be used to attack RFID readers by performing an MFKey32 attack. You can also use it to sniff and crack keys, but it’s worth noting that you’ll need to be fairly close for that to work.
Crucially, the Chameleon won’t work on low-frequency RFID cards the way the Proxmark3 and Flipper Zero can, but there are many cheap devices available online with that functionality if you really want to cover your bases.
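To see why a cloned UID is enough on some systems and not on others, here is an added example (not from the original article or the ChameleonMini project) that compares a reader trusting the UID alone with one that makes the card prove it holds a secret key. The UID, key, class names and the use of HMAC-SHA256 as a stand-in for a card's own cryptography are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values: this UID and key are made up for the example.
UID = bytes.fromhex("04a1b2c3d4e5f6")
ENROLLED_UIDS = {UID}
CARD_KEYS = {UID: bytes.fromhex("00112233445566778899aabbccddeeff")}

def mac(key, uid, challenge):
    # HMAC-SHA256 stands in for whatever cipher a real card would use.
    return hmac.new(key, uid + challenge, hashlib.sha256).digest()

class GenuineCard:
    """Holds a secret key that never leaves the chip."""
    def __init__(self, uid, key):
        self.uid, self._key = uid, key
    def respond(self, challenge):
        return mac(self._key, self.uid, challenge)

class UidOnlyCopy:
    """Emulated credential that knows the UID but not the key."""
    def __init__(self, uid, recorded_response=b""):
        self.uid, self._recorded = uid, recorded_response
    def respond(self, challenge):
        return self._recorded  # can only replay something seen earlier

def uid_only_reader(card):
    """Weak setting: the UID is the whole credential."""
    return card.uid in ENROLLED_UIDS

def challenge_response_reader(card):
    """Hardened setting: the card must prove it holds the enrolled key."""
    key = CARD_KEYS.get(card.uid)
    if key is None:
        return False
    challenge = os.urandom(16)  # fresh per attempt, so old answers are useless
    return hmac.compare_digest(mac(key, card.uid, challenge), card.respond(challenge))

def compare_readers():
    genuine = GenuineCard(UID, CARD_KEYS[UID])
    sniffed = genuine.respond(os.urandom(16))  # one answer captured earlier
    copy = UidOnlyCopy(UID, recorded_response=sniffed)
    return {
        "uid_only": (uid_only_reader(genuine), uid_only_reader(copy)),
        "challenge_response": (challenge_response_reader(genuine),
                               challenge_response_reader(copy)),
    }

if __name__ == "__main__":
    print(compare_readers())
```

The hardened reader is only as strong as the card's cipher and the secrecy of its key, which is what key-recovery attacks such as the MFKey32 attack mentioned above go after.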
How much of a threat is it?
If your security system uses RF signals, these types of attacks are a major threat. The ChameleonMini is a less powerful tool than other devices in this category, such as the Proxmark3 (by far the most popular) or the ICopy-X (which is built on the Proxmark3). But it’s also easier to use, unobtrusive and can be used in tandem with those tools for a more efficient hack.
There are even simpler tools available on Amazon for less than $30, which can get you surprisingly far. In addition, there are countless old legacy keycard systems that have not been updated to the latest technology out of laziness or ignorance. As with most hacks, sometimes the simplest tool can be the most effective.
RFID projects like this and the Proxmark3 have been around for a while, and there is a lot of open source support for the device – largely thanks to contributors like the prolific Iceman. The card supports emulation of multiple NFC chipsets, including a wide range of Mifare cards and codecs. It can also be used to perform an MFKey32 attack and limited sniffing, cracking and logging.
Heck, you can even use it to clone amiibos (sort of, and inconsistently, using a forked version of the firmware).
Could I use it myself?
Depends on how handy you are, but I’d say probably. There are multiple apps for the Chameleon family of devices that are reasonably straightforward, including this one from the RFID Research Group, and allow you to control the device from your phone on the go. Besides, some pretty good online tutorials exist, including this robust crash course on GitHub. In the pantheon of hacking devices, the Chameleon is one of the more approachable ones out there for novices and aspiring hackers.
Unfortunately for my dream of a universal skeleton key, using the Chameleon is much more involved than just waving it at a door and letting it open like magic. It takes a fair amount of knowledge and strategy to use it effectively, so you should be prepared to study different standards for contactless and proximity cards. But that also makes it the perfect tool for those trying to learn the ins and outs of security, so you can run your own penetration tests and find the flaws in your security systems.