Lille Allen / The Verge
I’ve always wanted a skeleton key — not a real one, but the kind you would see in a cartoon that opens any door immediately. The idea of just being able to slip in anywhere, smoothly and discreetly, has always been a secret dream for me.
Of course, times change and so do keys. Your front door might still use a metal key, but offices and industrial facilities are more likely to use some kind of wireless keycard, whether it’s NFC, RFID, or some other radio signal. So what does a tappable skeleton key look like?
What is it?
The ChameleonMini is a tool that allows you to emulate and clone high-frequency (13.56 MHz) contactless cards and read RFID tags in that band. It functions as an NFC emulator and RFID reader and can sniff and log radio frequency (RF) data. From a distance, it looks vaguely like a credit card, although there are multiple form factors. You can use it standalone or, on the Bluetooth-equipped models, connect the device to your phone and use one of the many chameleon apps to conduct penetration tests on your own systems.
If you’ve got an employee’s key fob handy, it can make a functional replica of the fob that will get you in anywhere the original would, provided the reader is one it can fool: a reader that trusts the fob’s UID alone, or whose keys the device can recover. There are also a few more complicated tricks we’ll get into later.
The device started as an open-source project on GitHub back in 2013, so there are a bunch of versions. The Revision G is our favorite version, successfully kickstarted by KAOS back in 2016. It’s powered by a rechargeable battery and comes in several darling colors.
Proxgrind, the RFID Research Group’s hardware brand, also offers two miniature models: the Chameleon Tiny and the Chameleon Tiny Pro. The Chameleon Tiny’s form factor is so small it fits on a keychain, not unlike a fob, and the Chameleon Tiny Pro has Bluetooth Low Energy, which allows it to quickly communicate with apps on both Android and iOS.
What can it do?
The ChameleonMini can extract info from card keys and key fobs, including cloning the UID and storing the data for later. Card keys are the most obvious use, but the tricks don’t stop there: the Chameleon can also turn the tables on the reader with an MFKey32 attack. While it emulates a card with a chosen UID, it logs the reader’s authentication attempts, and the MFKey32 algorithm recovers the sector key the reader is using from two of those recorded exchanges. You can also use it to sniff the traffic between a real card and reader and crack keys from it, but it’s worth noting that you have to be within a few centimetres of both to make that work.
Crucially, the Chameleon does not work on low-frequency (125 kHz) RFID cards the way the Proxmark3 and Flipper Zero can, but there are many cheap devices available online with that functionality if you really want to cover your bases.
How much of a threat is it?
If your access-control system uses 13.56 MHz cards and either trusts the card’s UID on its own or still relies on the well-known default keys, this kind of attack is a significant threat. The ChameleonMini is a less powerful tool than other devices in this category like the Proxmark3 (by far the most popular) or the ICopy-X (which is built on the Proxmark3). But it’s also simpler to use, inconspicuous, and can be used in tandem with those tools for a more efficient hack.
There are even simpler tools out there on Amazon for less than $30, which can get you surprisingly far. What’s more, there are tons of old legacy keycard systems out there that have not been updated to the latest tech out of either laziness or ignorance. As with most hacking, sometimes the simplest tool can be the most effective.
RFID projects like this and the Proxmark3 have been around for a while, and there’s a lot of open-source support for the device — thanks in large part to contributors like the prolific Iceman. The device can emulate multiple NFC card types, including a wide array of MIFARE variants, with a separate codec for each protocol it speaks. It can also be used to execute an MFKey32 attack and perform limited sniffing, cracking, and logging.
Heck, you can even use it to clone amiibos (somewhat inconsistently, using a forked version of the firmware).
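The two weaknesses the article keeps coming back to, cloned UIDs and legacy cards left on published default keys, are easy to check for once you have a card dump in hand. The following audit script is an added example and is not code from the article or from the ChameleonMini project. It assumes a raw MIFARE Classic 1K dump (64 blocks of 16 bytes, the layout tools such as mfoc write), verifies the UID check byte in the manufacturer block, and flags any sector trailer whose key A or key B is on a widely published default-key list. The sample dump, the UID and the "site key" in it are constructed for illustration.

```python
"""Audit a MIFARE Classic 1K dump for UID corruption and default sector keys.

Added example; not code from The Verge or the ChameleonMini project.
Assumes a raw 1024-byte dump (64 blocks x 16 bytes). The sample dump built
by make_sample_dump() is constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

BLOCK_SIZE = 16
BLOCKS_1K = 64
SECTORS_1K = 16

# Widely published transport/default keys (the kind found in mfoc/mfcuk key lists).
# Any sector still protected by one of these is readable by anyone who can tap the card.
DEFAULT_KEYS = {
    bytes.fromhex("ffffffffffff"),  # factory transport key
    bytes.fromhex("000000000000"),
    bytes.fromhex("a0a1a2a3a4a5"),  # MIFARE application directory (MAD) key A
    bytes.fromhex("d3f7d3f7d3f7"),  # NFC Forum NDEF key
    bytes.fromhex("b0b1b2b3b4b5"),
    bytes.fromhex("aabbccddeeff"),
}


@dataclass
class Finding:
    block: int
    issue: str


def parse_block0(block0: bytes) -> tuple[bytes, int, int, bytes]:
    """Manufacturer block of a 4-byte-UID card: UID[0:4], BCC, SAK, ATQA, vendor data."""
    return block0[0:4], block0[4], block0[5], block0[6:8]


def bcc_ok(uid: bytes, bcc: int) -> bool:
    """BCC is the XOR of the four UID bytes (ISO 14443-3 anticollision check byte)."""
    x = 0
    for b in uid:
        x ^= b
    return x == bcc


def sector_trailer(dump: bytes, sector: int) -> tuple[bytes, bytes, bytes]:
    """Trailer is the sector's last block: key A (0-5), access bits (6-9), key B (10-15)."""
    blk = sector * 4 + 3
    t = dump[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE]
    return t[0:6], t[6:10], t[10:16]


def audit(dump: bytes) -> list[Finding]:
    """Return findings for a bad UID check byte and for every default key in use."""
    if len(dump) != BLOCKS_1K * BLOCK_SIZE:
        raise ValueError("expected a 1K dump of 64 x 16 bytes")
    findings: list[Finding] = []
    uid, bcc, _sak, _atqa = parse_block0(dump[:BLOCK_SIZE])
    if not bcc_ok(uid, bcc):
        findings.append(Finding(0, "BCC mismatch: corrupt dump or not a 4-byte-UID card"))
    for sector in range(SECTORS_1K):
        blk = sector * 4 + 3
        key_a, _access, key_b = sector_trailer(dump, sector)
        if key_a in DEFAULT_KEYS:
            findings.append(Finding(blk, f"sector {sector} key A is a published default: {key_a.hex()}"))
        if key_b in DEFAULT_KEYS:
            findings.append(Finding(blk, f"sector {sector} key B is a published default: {key_b.hex()}"))
    return findings


def make_sample_dump() -> bytes:
    """Constructed dump: UID DEADBEEF; sector 0 on both transport keys, sector 5 on
    transport key A only, every other sector re-keyed to a made-up site key."""
    uid = bytes.fromhex("deadbeef")
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    block0 = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)  # SAK 0x08, ATQA 0x0400
    blocks = [block0] + [bytes(BLOCK_SIZE) for _ in range(BLOCKS_1K - 1)]
    transport = bytes.fromhex("ffffffffffff")
    site_key = bytes.fromhex("4f2a9c11e07b")  # made-up, not a real deployment key
    access_bits = bytes.fromhex("ff078069")   # factory-default access conditions
    for sector in range(SECTORS_1K):
        key_a = transport if sector in (0, 5) else site_key
        key_b = transport if sector == 0 else site_key
        blocks[sector * 4 + 3] = key_a + access_bits + key_b
    return b"".join(blocks)


if __name__ == "__main__":
    for f in audit(make_sample_dump()):
        print(f"block {f.block:2d}: {f.issue}")
```

A dump can only show what the card carries; whether a reader trusts the UID alone is a reader-side configuration question that this check cannot answer, so treat a clean key audit as necessary rather than sufficient. Cards with 7-byte UIDs lay out block 0 differently and would need a separate parser.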
Could I use it myself?
Depends on how handy you are, but I would say probably. There are multiple apps for the Chameleon family of devices that are fairly straightforward, including this one by the RFID Research Group, and that let you control the device on the go from your phone. On top of that, some fairly good online tutorials do exist, including this robust crash course on GitHub. In the pantheon of hacking devices, the Chameleon is one of the more approachable ones out there for newbies and aspiring hackers.
Unfortunately for my dream of a universal skeleton key, using the Chameleon is a lot more involved than just waving it at a door and having it open like magic. It takes a decent chunk of know-how and strategy to be able to use it effectively, so you should be prepared to study up on different contactless and proximity card standards. But that also makes it the perfect tool for people attempting to learn the ins and outs of security, allowing you to conduct your own penetration tests and find the flaws in your security systems.