BLEKey is a small device for reading Wiegand data over Bluetooth Low Energy. Wiegand is the protocol most commonly used in card readers for access control systems.
BLEKey is open source. The firmware and hardware design files are available on GitHub.
The BLEKey is small enough to implant into RFID readers, which lets it demonstrate the weakness of Wiegand readers during physical penetration testing. Implanting it is relatively simple because many installations do not connect, or monitor, the readers' tamper detection feature.
Once installed, the BLEKey will record all cards that are read. This data can be used to create cloned cards.
The BLEKey can also resend cards that it has recorded. This allows the user to open the door over Bluetooth.
Wiegand is vulnerable to a simple denial of service attack, and the BLEKey can perform this by asserting control over the Wiegand connection. This will effectively disable the reader.
Another common method used during physical penetration tests is skimming of cards. Since RFID cards can be read from a distance, a long range reader can be used to read the card from afar. Typically, a long range reader like the HID MaxiProx is used to read the card, and a BLEKey is used to store the card data. This data can be used to create cloned cards.
BLEKey is based on the MDBT40 module from Raytac, which contains the Nordic nRF51822 Bluetooth SoC. Two transistors drive the two Wiegand lines, and resistor dividers monitor them. A punch-down IDC connector allows the Wiegand lines to be connected quickly, without breaking the wire.
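To show concretely what travels on the two Wiegand lines, here is an added Python example, not code from the BLEKey project: it turns a captured sequence of D0/D1 pulses into bits and decodes the common 26-bit format, checking both parity bits so a corrupted frame is flagged. The pulse list is a constructed sample, and the frame layout assumed is the widely used standard one (even parity, 8-bit facility code, 16-bit card number, odd parity).

```python
# Added example (not BLEKey project code): decode the standard 26-bit Wiegand
# frame from the pulses seen on the reader's two data lines, D0 and D1.
from dataclasses import dataclass


@dataclass
class Wiegand26:
    facility_code: int
    card_number: int
    parity_ok: bool


def pulses_to_bits(pulses):
    """Wiegand physical layer: a low pulse on D0 is a 0 bit, on D1 a 1 bit."""
    bits = []
    for line in pulses:
        if line not in ("D0", "D1"):
            raise ValueError(f"unexpected line name: {line!r}")
        bits.append(1 if line == "D1" else 0)
    return bits


def decode_wiegand26(bits):
    """Layout: [even parity][8-bit facility][16-bit card number][odd parity].

    The leading bit is even parity over the first 12 data bits; the trailing
    bit is odd parity over the last 12. A parity failure means the frame was
    corrupted (or injected badly) and a controller should not act on it.
    """
    if len(bits) != 26:
        raise ValueError(f"expected 26 bits, got {len(bits)}")
    even_ok = sum(bits[0:13]) % 2 == 0
    odd_ok = sum(bits[13:26]) % 2 == 1
    facility = int("".join(map(str, bits[1:9])), 2)
    card = int("".join(map(str, bits[9:25])), 2)
    return Wiegand26(facility, card, even_ok and odd_ok)


# Constructed sample capture: facility code 123, card number 45678.
SAMPLE_PULSES = ["D1" if b == "1" else "D0" for b in "10111101110110010011011101"]

if __name__ == "__main__":
    print(decode_wiegand26(pulses_to_bits(SAMPLE_PULSES)))
```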