From Linklayer
Jump to: navigation, search
Blekey quarter.png

BLEKey is a small device for reading Wiegand data over Bluetooth Low Energy. Wiegand is the protocol most commonly used in card readers for access control systems.

BLEKey is open source. The firmware and hardware design files are available on Github.

BLEKey can be purchased from the Linklayer Store.

Use Cases

The BLEKey has been used for a few different applications.


The BLEKey is small enough to implant into RFID readers. This can be used to demonstrate the vulnerability of using Wiegand readers during physical penetration testing. This is made relatively simple since many installations do not connect, or monitor, the tamper detection feature of the readers.

Once installed, the BLEKey will record all cards that are read. This data can be used to create cloned cards.

The BLEKey can also resend cards that it has recorded. This allows the user to open the door over Bluetooth.

Wiegand is vulnerable to a simple denial of service attack, and the BLEKey can perform this by asserting control over the Wiegand connection. This will effectively disable the reader.


Another common method used during physical penetration tests is skimming of cards. Since RFID cards can be read from a distance, a long range reader can be used to read the card from afar. Typically, a long range reader like the HID MaxiProx is used to read the card, and a BLEKey is used to store the card data. This data can be used to create cloned cards.


EricEvenchick and Mark Baseggio gave a talk on BLEKey at Blackhat USA 2015. You can watch it on YouTube.

Hardware Details

BLEKey is based on the MDBT40 module from Raytac. This module contains the Nordic nRF51822 Bluetooth SoC. Two transistors are used to drive the two Wiegand lines, and resistor dividers to monitor the lines. A punch down IDC connector allows for the Wiegand lines to be connected quickly, and without breaking the wire.