RFID & NFC Cloning
Read, clone, emulate, and write RFID and NFC tags — from hotel key cards to access control systems.
RFID & NFC Fundamentals
RFID (Radio Frequency Identification) and NFC (Near Field Communication) use electromagnetic coupling to transfer data between a reader and a passive or active tag. RFID operates at various frequencies; NFC is a subset of RFID operating at 13.56 MHz with a range of a few centimeters.
RFID Frequency Bands
Band Freq Range Common Uses
──────────────────────────────────────────────────────
LF 125-134 kHz ~10 cm Animal ID, access fobs
125 kHz ~30 cm Proximity cards (HID)
HF 13.56 MHz ~10 cm NFC, MIFARE, transit cards
UHF 860-960 MHz ~12 m Supply chain, retail tags
Microwave 2.45 GHz ~10 m Toll tags, vehicle IDCommon RFID/NFC Card Types
Type Freq UID Len Encryption ────────────────────────────────────────────────────── EM4100 125 kHz 40-bit None (read-only) HID Prox 125 kHz 26-bit None (Wiegand) MIFARE 1K 13.56 MHz 4-byte Crypto-1 (cracked) MIFARE Classic 13.56 MHz 4-byte Crypto-1 (vulnerable) MIFARE Ultralight 13.56 MHz 7-byte None MIFARE DESFire 13.56 MHz 7-byte 3DES/AES (strong) NTAG21x 13.56 MHz 7-byte Password-protected iCLASS 13.56 MHz 8-byte Custom (partially cracked) Legic 13.56 MHz varies Custom
Proxmark3 — The RFID Swiss Army Knife
The Proxmark3 is the gold standard for RFID research. Originally developed at Stockholm University, it can read, write, clone, and emulate virtually any low-frequency (125 kHz) and high-frequency (13.56 MHz) RFID tag.
- LF range: 125-134 kHz — reads EM4100, HID Prox, Indala, Viking, etc.
- HF range: 13.56 MHz — reads MIFARE Classic, DESFire, iCLASS, NTAG, etc.
- Capabilities: Sniff, read, write, clone, emulate, brute-force, crack encryption
- MIFARE attack: Can crack MIFARE Classic Crypto-1 keys in seconds using nested attacks
- Firmware: Open-source client and firmware — extensive command-line interface
- Price: $50-300 depending on version (Chinese clones vs official RDV4)
Common RFID Attacks
- Cloning: Read a legitimate card and write its data to a blank card — simplest and most common attack
- Replay: Capture the reader-to-tag challenge-response and replay it to gain access
- Brute-force: Try all possible keys against a protected card (effective against MIFARE with weak keys)
- Relay/Replay: Relay authentication between a legitimate card and a distant reader (card cloning at a distance)
- Skimming: Covertly read proximity cards in pockets using concealed reader antennas
- Crypto attacks: Mathematical attacks on MIFARE Classic Crypto-1, HID iCLASS, and other proprietary ciphers
ACR122U NFC Reader ($30-50)
A widely available USB NFC reader/writer based on the NXP PN532 chip. Popular for MIFARE Classic research and NFC tag programming.
- Frequency: 13.56 MHz only (no 125 kHz support)
- Supported tags: MIFARE Classic 1K/4K, MIFARE Ultralight, NTAG, ISO 14443 A/B
- Software: libnfc, MFKEY32, NFC GUI tools
- Price: $30-50 on Amazon/eBay
Defending Against RFID Attacks
- RFID-blocking wallets: Metal-lined wallets prevent unauthorized reading
- Faraday bags: Shield cards from all RF signals
- Disable when not in use: Some cards can be temporarily disabled by bending or demagnetizing
- Use stronger cards: MIFARE DESFire EV2/EV3 use AES encryption — much harder to crack than MIFARE Classic
- Multi-factor: Don't rely solely on RFID for access control
Timeline
1983Mario Cardullo patents the first passive RFID tag
1990sRFID adopted for animal identification, toll collection, and access control
2000Proxmark developed at Stockholm University — first open RFID research tool
2004NXP develops MIFARE Classic — most deployed RFID card worldwide
2013Proxmark III becomes the gold standard for RFID research
2017ChameleonMini — open-source RFID emulator for research
2020Proxmark3 RDV4 — latest generation with Bluetooth and improved range
2022Flipper Zero adds built-in RFID/NFC cloning to mainstream audience