Need Help with my Final Year Project - lock system for universities dorm

Hi,

I'm new here, so if I break any rules with this topic, do tell me. Anyway, I'm planning to create a lock system similar to what hotels are using, where their University ID cards are their key. So my plan is that each lock for a room will be updated using over-the-air programming (OTA), where it updates the RFID with the new assigned ID to the room. I would probably use an RFID reader attached to an Arduino Uno with an ESP8266 or MKR1010 to send the update to the RFID reader. I was wondering:

  1. Is this even possible?
  2. Am I in the right direction?
  3. Which is better for a small task of just updating the RFID reader - the ESP8266 or MKR1010, or do I not even need a WiFi module?

I'm not really that good with Arduino since I'm studying ICT, so for the programming part I'll probably be able to do it, but the electrical stuff is quite new to me.

ad 1) yes
ad 2) direction to what?
ad 3) depending on what you want to get done it might be the correct way or it might not be. You can buy standalone systems which need a programmer to program the keys or you can get wireless systems. Hackers like both :slight_smile:

Keep in mind that is an extremely challenging project, especially for someone who has no experience with electronics and not much with programming.

With Arduino, we recommend to start with the simple examples that come with the IDE. Learn to blink an LED without using the delay function, read a voltage, a sensor or a keypad, in order to learn the language and special features of an MCU. Otherwise, expect endless frustration.

zwieblum:
ad 1) yes
ad 2) direction to what?
ad 3) depending on what you want to get done it might be the correct way or it might not be. You can buy standalone systems which need a programmer to program the keys or you can get wireless systems. Hackers like both :slight_smile:

  1. Alright, thanks.
  2. Like in building this lock, is it correct with what I explained? Like using the WiFi module with OTA and all.
  3. I see. Is it easy for the hacker to hack it? I know that there is no way to prevent a hacker from breaking in, but I want to at least reduce the number of hackers able to do it. By the way, I'm using the WiFi module just to give over-the-air updates to the RFID, so I think a simple component like the ESP8266 should be able to handle that.

jremington:
Keep in mind that is an extremely challenging project, especially for someone who has no experience with electronics and not much with programming.

With Arduino, we recommend to start with the simple examples that come with the IDE. Learn to blink an LED without using the delay function, read a voltage, a sensor or a keypad, in order to learn the language and special features of an MCU. Otherwise, expect endless frustration.

Yep, I already expected that this would be hard. I do have 4 months to do this project and already got a lot of info on it, plus there are a lot of YouTube videos on how to do the RFID lock. The only challenge is the update of the RFID cards to the lock each time a new student occupies the room. Well, it's for my final year project, so I had to propose something that is quite challenging since they say it needs to be something "new" or enhance an old system. If I think this is too hard, I'll probably just switch to something else. Hopefully I'm able to do this.

"Security is not a product, it is a process". You need to beat a security lock worth 50 bucks - this is hard (no joke!). On YouTube you'll find a lot of videos on lockpicking. Get them, it's the basics what a lot of smart locks get wrong - there are "smartlocks" you can open with a firm knock in the right place. Second, get some info on basic WiFi security. Read about HTTPS and cypher security. Check, if your platform does meet the requirements. Check, if the path of your information flow meets the security requirements. Then you'd need to dig into RFID security - most cheap readers+tokens are broken in a security sense. Then reconsider your requirements, might be wise to reduce the attack surface.

zwieblum:
"Security is not a product, it is a process". You need to beat a security lock worth 50 bucks - this is hard (no joke!). On YouTube you'll find a lot of videos on lockpicking. Get them, it's the basics what a lot of smart locks get wrong - there are "smartlocks" you can open with a firm knock in the right place. Second, get some info on basic WiFi security. Read about HTTPS and cypher security. Check, if your platform does meet the requirements. Check, if the path of your information flow meets the security requirements. Then you'd need to dig into RFID security - most cheap readers+tokens are broken in a security sense. Then reconsider your requirements, might be wise to reduce the attack surface.

Alright, thanks for the reply :slight_smile:

I'm thinking you may need to look into public key encryption.

Give every lock a key - the public key of the pair. Have a secure way of updating this if needed, physical access required would be acceptable here as it wouldn't happen much. The secret key to that lock remains on the computer handling the check-in process.

Then when a student checks in to a room, the key receives its expiry date/time. This data is encrypted with the secret key, and uploaded onto the RFID key. Then the door lock reads that data, decrypts it with its public key, and if not expired opens the door. The key is different for each room ensuring it works only on one room.

Data that is on the key only needs securing against changing, not from overwriting. The only way to change the data is with access to the secret key, and that is kept secure on the check-in desk's computer system. So you don't need to secure the card, if someone writes their data on it, it will simply stop working as it's not valid data any more.

The door lock needs to be secured so no unauthorised change can be made, i.e. no-one can upload their own public key onto the lock, and then use their own secret key to create a valid card. It doesn't matter if they obtain the key that's on the door lock; they can just decrypt the data that is on the card, not create new valid data for the card. Also you do not have to tell the door lock which card to accept, as the valid data is stored on the card at the check-in desk.

Of course you also need a secure way for the lock to obtain the time. NTP would be the obvious source; but someone may spoof the NTP server, tell the lock it's yesterday and get in with yesterday's card.

A remaining attack vector: someone could read and thus copy the card data, and use the cloned card to enter the room - until it expires, of course. I can't think of an easy way to stop this from happening other than wrapping it in aluminium foil, after all the card will respond to any request for its data, as it should.
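As an added example (not part of the original post or any poster's code): what the post above calls encrypting with the secret key and decrypting with the public key is, in practice, a digital signature made at the check-in desk and verified by the lock. The Go sketch below uses Ed25519 from the standard library; the card layout, the names `NewRoom`, `IssueCard` and `Check`, and the `lastSeen` floor that ignores a clock set backwards are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

const expLen = 8 // constructed layout: 8-byte expiry (Unix seconds) + 64-byte signature

// Lock stores only the public key for its room and the newest time it has seen.
type Lock struct {
	Pub      ed25519.PublicKey
	lastSeen int64 // in RAM here; a real lock would keep it in flash
}

// NewRoom makes one key pair per room: the lock gets the public half, the desk keeps the private half.
func NewRoom() (*Lock, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return &Lock{Pub: pub}, priv
}

// IssueCard runs at the check-in desk and returns the bytes written to the card.
func IssueCard(priv ed25519.PrivateKey, expiry int64) []byte {
	body := make([]byte, expLen)
	binary.BigEndian.PutUint64(body, uint64(expiry))
	return append(body, ed25519.Sign(priv, body)...)
}

// Check runs in the lock and returns "open" or the reason for refusing.
func (l *Lock) Check(card []byte, now int64) string {
	if now > l.lastSeen { // a time source that jumps backwards is ignored
		l.lastSeen = now
	}
	if len(card) != expLen+ed25519.SignatureSize || !ed25519.Verify(l.Pub, card[:expLen], card[expLen:]) {
		return "invalid card"
	}
	if l.lastSeen >= int64(binary.BigEndian.Uint64(card[:expLen])) {
		return "expired"
	}
	return "open"
}

func main() {
	lock, desk := NewRoom()
	fmt.Println(lock.Check(IssueCard(desk, 2000), 1000))
}
```

A byte-for-byte copy of a valid card still verifies until its expiry, which is the remaining attack vector the post names.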

Have a look at commercial systems - “control by web” do such a system. The hard bit in these projects is reliability, false triggers and getting the hardware side right.

https://www.controlbyweb.com/applications/school-lockdown.html

danialsaufi:
So my plan is that each lock for a room will be updated using over-the-air programming (OTA), where it updates the RFID with the new assigned ID to the room. I would probably use an RFID reader attached to an Arduino Uno with an ESP8266 or MKR1010 to send the update to the RFID reader.

Couple of practical points:

  • You do not re-program the device to update it, you upload the new data in the flash.
  • You do not use an ESP8266 in conjunction with a UNO or similar, the ESP8266 (such as a WeMOS D1 Mini) replaces the UNO. And since the RFID reader probably uses 3.3 V logic, that actually makes interfacing much easier than with a UNO.
  • The UNO is the "toy" - demonstration or experimental - version of the Arduino. If used for a practical project instead of an ESP8266, it would be a Nano if you need re-programming or USB functionality or Pro Mini when that is no longer required.
  • Do you know what RFID reader is required to read the cards in question?

Paul__B:
Couple of practical points:

  • You do not re-program the device to update it, you upload the new data in the flash.
  • You do not use an ESP8266 in conjunction with a UNO or similar, the ESP8266 (such as a WeMOS D1 Mini) replaces the UNO. And since the RFID reader probably uses 3.3 V logic, that actually makes interfacing much easier than with a UNO.
  • The UNO is the "toy" - demonstration or experimental - version of the Arduino. If used for a practical project instead of an ESP8266, it would be a Nano if you need re-programming or USB functionality or Pro Mini when that is no longer required.
  • Do you know what RFID reader is required to read the cards in question?

4 - I used this and YouTube videos as a reference

hammy:
Have a look at commercial systems - “control by web” do such a system. The hard bit in these projects is reliability, false triggers and getting the hardware side right.

https://www.controlbyweb.com/applications/school-lockdown.html

Alright, I'll look into it. Thanks for the suggestion.

wvmarle:
I'm thinking you may need to look into public key encryption.

Give every lock a key - the public key of the pair. Have a secure way of updating this if needed, physical access required would be acceptable here as it wouldn't happen much. The secret key to that lock remains on the computer handling the check-in process.

Then when a student checks in to a room, the key receives its expiry date/time. This data is encrypted with the secret key, and uploaded onto the RFID key. Then the door lock reads that data, decrypts it with its public key, and if not expired opens the door. The key is different for each room ensuring it works only on one room.

Data that is on the key only needs securing against changing, not from overwriting. The only way to change the data is with access to the secret key, and that is kept secure on the check-in desk's computer system. So you don't need to secure the card, if someone writes their data on it, it will simply stop working as it's not valid data any more.

The door lock needs to be secured so no unauthorised change can be made, i.e. no-one can upload their own public key onto the lock, and then use their own secret key to create a valid card. It doesn't matter if they obtain the key that's on the door lock; they can just decrypt the data that is on the card, not create new valid data for the card. Also you do not have to tell the door lock which card to accept, as the valid data is stored on the card at the check-in desk.

Of course you also need a secure way for the lock to obtain the time. NTP would be the obvious source; but someone may spoof the NTP server, tell the lock it's yesterday and get in with yesterday's card.

A remaining attack vector: someone could read and thus copy the card data, and use the cloned card to enter the room - until it expires, of course. I can't think of an easy way to stop this from happening other than wrapping it in aluminium foil, after all the card will respond to any request for its data, as it should.

I'll look into this. Thanks for the suggestion.

danialsaufi:
4 - I used this and YouTube videos as a reference
MFRC522 RFID Reader with Arduino Tutorial | Random Nerd Tutorials

I rather thought as much.

So now, what makes you think the MFRC522 will read the University ID cards? :roll_eyes:

Paul__B:
I rather thought as much.

So now, what makes you think the MFRC522 will read the University ID cards? :roll_eyes:

Probably not the university ID cards. I'm planning to just present the RFID card as the university ID card, since I'm pretty sure my university ID cards are not RFID cards.