Open Sesame: Access Control Hack Unlocks Doors

The Wiegand protocol is a plain-text protocol and is employed in systems that secure not only some office buildings but also some airports. Franken has said that it’s used at Heathrow airport. Retina scanners, proximity scanners and other access systems all use the Wiegand protocol so the vulnerability isn’t device-specific. It’s plain text and easily intercepted and replayed.

The hack involves splicing the internal wiring and inserting a device with a PIC chip that Franken has dubbed “gecko.” To conduct the hack, Franken simply popped the plastic cover off the reader with a knife, then unscrewed an internal plate to access the wires. Once he had connected the wires to the gecko, he replaced the plate and cover. (Some card readers have tamper-evident devices that send a signal to the back-end system if someone removes the reader’s cover, but Franken says it’s easy to bypass these devices if you know where they are.)

Once the gecko with the PIC chip is in place, here’s how it works:

When someone uses their card to access the building, the gecko captures the signal. If Franken later enters with a card he has designated his “replay” card (a card that the PIC chip is programmed to recognize), the gecko sends the system the same signal captured from the card of the person who was previously granted access. The logs would show nothing amiss; a camera positioned at the entrance would, but only if the footage is saved and someone bothers to view it.

http://blog.wired.com/27bstroke6/2007/08/open-sesame-acc.html
