How Hackers Clone RFID Cards in Under 60 Seconds — The Hardware They Use

How hackers clone RFID cards in under 60 seconds — this is the physical security vulnerability that surprises everyone the first time they see it demonstrated. You walk past a colleague in the corridor. A device smaller than a wallet, held in a jacket pocket, reads their access card at a range of 5-10cm. Twenty seconds later, a blank card sitting in a writer has a perfect duplicate of that credential. Your colleague still has their original card. The building’s access control system sees two valid entries and logs nothing unusual. The clone works on every door the original opens, indefinitely, until someone notices something wrong. And most organisations never do. This guide explains exactly how this works and why it keeps appearing in physical penetration test reports.

🎯 What You’ll Understand After This Guide

Why 125kHz RFID cards broadcast credentials to any reader within range
The specific hardware used in professional physical penetration tests
The difference between trivially cloneable 125kHz and more secure 13.56MHz cards
How physical pentesters demonstrate and report RFID vulnerabilities ethically
The only defences that actually work against modern RFID cloning attacks

⏱️ 40 min read · 3 exercises

📊 What type of access card does your workplace use?




✅ The “no idea” answer is the most honest — and statistically the most common. Most employees have no idea which frequency their access card operates on or whether it has any encryption. Most of those cards were chosen by a facilities team in 2008 and have never been reviewed. By the end of this article you will know exactly how to check.


How RFID Access Cards Work — and Why Old Ones Are Trivially Cloneable

RFID (Radio Frequency Identification) access cards work through electromagnetic induction. When a card enters the reader’s radio frequency field, the reader’s antenna transmits enough RF energy to power the card’s passive microchip. The chip wakes up, reads a unique identifier stored in its memory, and broadcasts that identifier back to the reader. The reader receives the identifier, looks it up in the access control database, and decides whether to unlock the door.

The security of this system depends entirely on the identifier being secret. In 125kHz systems, it is not secret at all. The card broadcasts its identifier in cleartext to any powered reader within range, using no authentication handshake and no encryption. The assumption in 1990 was that card readers were expensive and controlled. Today, a reader capable of capturing that identifier costs $20 and arrives in a regular-sized postal envelope.

RFID Card Vulnerability by Technology

125kHz (HID ProxCard, EM4100, Indala): TRIVIALLY CLONEABLE
No encryption · broadcasts UID to any reader · clone with $20 device in 2 seconds

13.56MHz (MIFARE Classic): WEAK CRYPTO — CRACKABLE
Crypto1 cipher broken in 2008 · Proxmark3 cracks sector keys in minutes · then cloneable

13.56MHz (MIFARE DESFire EV2, iCLASS Elite): STRONG — DIFFICULT TO CLONE
AES-128 mutual auth · no known practical key extraction · recommended standard

📸 RFID vulnerability spectrum — 125kHz cards used in the majority of pre-2015 buildings are trivially cloneable; MIFARE Classic (widely deployed 2005-2015) has broken cryptography; only modern DESFire EV2 and iCLASS Elite cards provide genuine resistance.


The Real Hardware — Proxmark3, Flipper Zero and What They Cost

The Proxmark3 is the professional standard for RFID security research and physical penetration testing. It reads and writes virtually all common RFID card types, supports standalone operation for field use, and has an active community producing new attack modules. A Proxmark3 RDV4 (the current version) costs approximately $320. It handles 125kHz read/write, 13.56MHz read/write, MIFARE Classic key cracking, and advanced ISO14443/15693 protocol attacks.

The Flipper Zero became the most widely recognised tool in this space after 2022 thanks to its pocket-sized form factor and multi-protocol capability. It reads and copies 125kHz cards (EM4100, HID Prox), reads 13.56MHz NFC cards and performs basic MIFARE Classic operations, and includes a sub-GHz radio for additional wireless protocol testing. At approximately $169, it became the accessible entry point for physical security research. It does not have the full attack capability of the Proxmark3 against hardened 13.56MHz cards, but it covers the vast majority of real-world corporate access cards in use today.

🛠️ EXERCISE 1 — BROWSER (10 MIN · NO INSTALL)
Identify What RFID Technology Your Building Uses and Assess Its Vulnerability

⏱️ Time: 10 minutes · Browser only

Step 1: Look at your own access card or a photo of it
Check for any printed text or logos:
– “HID” → almost certainly 125kHz ProxCard
– “MIFARE” → 13.56MHz (then check Classic vs DESFire)
– “iCLASS” → HID iCLASS (different security levels exist)
– “DESFire” → 13.56MHz with strong crypto

Step 2: Check the card reader at your building entrance:
– Older rectangular grey readers = likely 125kHz
– Readers with animated LED rings = usually multi-frequency
– Readers that also accept phone taps = 13.56MHz at minimum

Step 3: Search the card reader model number on the manufacturer’s
website to find which frequencies it supports

Step 4: Go to hidglobal.com and browse the credential portfolio
HID makes the most common corporate access cards globally
Note the difference between ProxCard (125kHz, legacy) and
SEOS/Signo (their modern secure product line)

Step 5: Rate your building’s physical access security:
□ 125kHz only → Critical vulnerability → trivially cloneable
□ MIFARE Classic → High vulnerability → crackable with Proxmark3
□ DESFire EV2 / iCLASS Elite → Adequate (but still need anti-passback)
□ Card + PIN → Good baseline multi-factor

NOTE: This exercise is for awareness only — no hardware, no cloning.

✅ What you just learned: Most people have never looked at what their access card actually says or what the reader model is. In the overwhelming majority of offices, the card is HID ProxCard (125kHz, no encryption, introduced in 1991). The building’s facilities manager often has no idea what the vulnerability is — they just know “the cards work.” Knowing what technology protects a building is the first step in any physical security assessment, and it requires no tools at all — just reading the card and looking up the reader model number.

📸 Share your building’s access card vulnerability rating in #physical-security on Discord.


The Physical Attack — What Actually Happens in 60 Seconds

A typical 125kHz RFID cloning attack during a physical penetration test involves four steps. First, the tester positions a concealed reader — either a Flipper Zero in a jacket pocket or a purpose-built long-range reader in a bag — near a target employee. Second, the reader broadcasts an activation signal and captures the card’s response (UID broadcast) when proximity is established. Third, the captured UID is written to a blank T5577 card (a writable 125kHz card that can be programmed to emulate any 125kHz card type). Fourth, the clone card is presented to the target building’s access reader.

The entire process — from initial read to having a working clone — takes under 60 seconds with practised technique. The original card is never physically handled. The employee whose card was cloned has no indication that anything occurred. The building’s access control logs show two entries: the original card entering, and later the clone entering. Without anti-passback controls comparing entry and exit logs, neither event appears anomalous.


Advanced Attacks — MIFARE Classic Sector Key Extraction

MIFARE Classic cards use the Crypto1 cipher for sector authentication — a proprietary algorithm designed by NXP in the 1990s that was reverse-engineered by security researchers in 2008. Two practical attacks exist: the Darkside attack (works against cards with at least one known sector key, recovers other keys) and the Nested attack (after one key is known, recovers remaining keys extremely quickly). Proxmark3 with the Iceman firmware implements both attacks and can extract all 16 sector keys from a MIFARE Classic 1K card in 2-10 minutes, after which the card can be fully cloned to a blank writable MIFARE Classic card.

🧠 EXERCISE 2 — THINK LIKE A HACKER (10 MIN · NO TOOLS)
Design the Physical RFID Attack Sequence for a Corporate Office Physical Pentest

⏱️ Time: 10 minutes · No tools required

You are conducting an authorised physical penetration test at a
corporate headquarters. Your written scope authorises testing of
physical access controls including RFID/NFC badge cloning.

The building has:
– Three entrance points with card readers (no PIN)
– A reception desk with a receptionist who badges visitors
– Open plan office with employees at desks
– Server room with a separate card reader
– Parking structure with RFID-controlled barrier

Design a realistic attack sequence for the physical assessment:

1. RECONNAISSANCE: How would you identify the card technology
without entering the building?

2. INITIAL CLONE: Where and how would you capture your first
card read in a natural, non-suspicious context?

3. ESCALATION: Once inside with a cloned card, how would you
attempt to access the server room?

4. EVIDENCE COLLECTION: What evidence do you collect to prove
physical access was achieved for your report?

5. REMEDIATION: What three specific fixes would you recommend?

✅ Answer key: (1) Photograph reader model from public street view, look up frequency on manufacturer site, check job listings (often mention badge system brand). (2) Café near the building entrance is the classic technique — wait for employees, position the reader while in natural proximity (queue, elevator). Reception desk during a visit is also effective. (3) Try the cloned employee card first, then attempt tailgating, then if the server room has a different card type consider separate engagement. (4) Entry log screenshot, photo of successfully opened door, document showing data accessed from inside. (5) Upgrade to 13.56MHz DESFire EV2, implement card + PIN multi-factor, deploy anti-passback.

📸 Share your physical pentest sequence in #physical-security on Discord.


The Only Defences That Work Against RFID Cloning

There are exactly two hardware defences and several procedural defences. On hardware: replace 125kHz cards with MIFARE DESFire EV2 or iCLASS Elite technology (mutual authentication with AES-128 that has no practical cloning attack); and add PIN pads to access readers for multi-factor physical access (a clone card without the PIN is useless). On procedure: implement anti-passback controls that detect the same card ID entering twice without an exit record between the entries; deploy access log monitoring with alerts for unusual entry patterns; and brief employees on the close-range read risk of 125kHz cards.

RFID-blocking wallets provide personal protection against opportunistic reads — they use a Faraday cage to block RF signals. They do not protect against targeted attacks where an employee is specifically targeted at the moment they present their card to a legitimate reader, because the card must leave the blocking wallet to be used. True defence requires hardware upgrades, not accessories.
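The anti-passback rule described above, as an added example that is not part of the original guide or any vendor's product: a small Python checker that parses constructed access-control log lines (the CSV layout, card IDs, door names and timestamps are all assumed for the example) and flags a card that records a second ENTRY with no EXIT logged in between, which is exactly the trace a cloned card leaves while the original holder is still inside.

```python
# Added example (not from the original guide): anti-passback check over
# constructed access-control log lines. Flags a card ID that logs a second
# ENTRY with no EXIT between the two entries, the trace a cloned card leaves
# while the original holder is still inside. Log format, card IDs, door
# names and timestamps are all assumed for the example.
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log, one event per line: timestamp,card_id,door,direction
SAMPLE_LOG = """\
2024-03-11T08:02:10,0x1F3A2C,Main-Lobby,ENTRY
2024-03-11T08:03:41,0x2B9E01,Main-Lobby,ENTRY
2024-03-11T12:30:05,0x2B9E01,Main-Lobby,EXIT
2024-03-11T13:05:12,0x2B9E01,Main-Lobby,ENTRY
2024-03-11T14:47:33,0x1F3A2C,Main-Lobby,ENTRY
2024-03-11T17:58:20,0x1F3A2C,Main-Lobby,EXIT
"""

@dataclass
class Event:
    ts: datetime
    card: str
    door: str
    direction: str  # "ENTRY" or "EXIT"

def parse_log(text):
    """Parse the CSV-style log and return Event objects in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, door, direction = line.strip().split(",")
        events.append(Event(datetime.fromisoformat(ts), card, door, direction))
    return sorted(events, key=lambda e: e.ts)

def find_passback_violations(events):
    """Return (previous_entry, offending_entry) pairs for every ENTRY whose
    card is already recorded as inside, i.e. no EXIT since its last ENTRY."""
    inside = {}  # card_id -> the ENTRY event that put that card inside
    violations = []
    for ev in events:
        if ev.direction == "ENTRY":
            if ev.card in inside:
                violations.append((inside[ev.card], ev))
            inside[ev.card] = ev
        elif ev.direction == "EXIT":
            # An EXIT with no matching ENTRY (e.g. tailgated in) is simply cleared.
            inside.pop(ev.card, None)
    return violations

if __name__ == "__main__":
    for first, second in find_passback_violations(parse_log(SAMPLE_LOG)):
        print(f"ANTI-PASSBACK: card {second.card} re-entered via {second.door} at "
              f"{second.ts.isoformat()}; inside since {first.ts.isoformat()}, no exit logged")
```

In the constructed log the legitimate holder 0x2B9E01 enters, exits and re-enters without triggering anything, while 0x1F3A2C produces the second-entry-without-exit pattern that a clone creates; a real deployment would feed the controller's log export in place of SAMPLE_LOG.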

🛠️ EXERCISE 3 — BROWSER ADVANCED (12 MIN)
Research the RFID Vulnerabilities in Real-World Access Control Systems

⏱️ Time: 12 minutes · Browser · academic/research reading

Step 1: Go to scholar.google.com and search:
“MIFARE Classic security analysis” OR “HID ProxCard cloning”
Find one peer-reviewed paper or security research presentation

Step 2: Go to defcon.org/html/defcon-18/dc-18-speakers.html
or search “DEFCON RFID cloning talk”
Chris Paget’s 2009 talk “Extreme-Range RFID Tracking” is a classic
Find the talk abstract or slides

Step 3: Search for “Proxmark3 MIFARE classic attack tutorial” on GitHub
The Iceman/Proxmark3 repository has extensive documentation
Read the wiki page on MIFARE Classic attacks

Step 4: On the NXP website (nxp.com), find the MIFARE DESFire EV2
product page — read the security features section
Note: what specific cryptographic methods are used?

Step 5: Research “anti-passback access control” — find one
vendor that sells anti-passback enabled systems
Note the price difference vs non-anti-passback readers

Step 6: Write a 3-sentence “physical access recommendations”
paragraph you could include in a pentest executive summary,
referencing specific card technologies and estimated costs

✅ What you just learned: The combination of academic research (Proxmark3 MIFARE attack papers), practitioner knowledge (DEF CON talks), vendor documentation (NXP DESFire), and cost research (anti-passback pricing) gives you the complete foundation for a professional physical access finding. The executive summary paragraph in Step 6 is directly reusable in real reports — it names specific technologies, explains the vulnerability without jargon, and gives actionable remediation with cost context. That combination is what separates a $200 physical pentest finding from a $2,000 one.

📸 Share your executive summary paragraph in #physical-security on Discord. Tag #rfidcloning2026

🧠 QUICK CHECK — RFID Security

A company uses HID ProxCard II (125kHz) for all building access. They ask you what single change would most significantly reduce their RFID cloning risk. What do you recommend?



📋 RFID Attack and Defence Reference

125kHz cards (HID Prox, EM4100): No encryption · cloneable with $20-320 hardware in seconds · Critical risk
MIFARE Classic (13.56MHz): Broken Crypto1 cipher · sector keys extractable with Proxmark3 · High risk
DESFire EV2 / iCLASS Elite: AES-128 mutual auth · no practical clone attack · recommended minimum
Proxmark3 RDV4 (~$320): Professional RFID pentest tool — reads, analyses, clones all common cards
Flipper Zero (~$169): Portable multi-protocol — 125kHz + NFC + sub-GHz, pocket-sized field tool
Anti-passback: Detects same card ID entering without a prior exit — catches cloned card use

❓ Frequently Asked Questions

Can RFID cards really be cloned without the owner knowing?
Yes — 125kHz cards broadcast their UID to any powered reader within 5-10cm. The card owner feels nothing and the original still works. Most cards in pre-2015 buildings are 125kHz with no encryption, cloneable with a $30 device in under 2 seconds.
What is the difference between 125kHz and 13.56MHz RFID cards?
125kHz (HID ProxCard, EM4100) = no encryption, trivially cloneable. 13.56MHz MIFARE Classic = broken Crypto1 cipher, crackable with Proxmark3. 13.56MHz DESFire EV2/iCLASS Elite = AES-128 mutual authentication, genuinely difficult to clone. Most corporate buildings still use 125kHz.
What hardware do physical penetration testers use for RFID attacks?
Proxmark3 RDV4 (~$320) for professional assessments, Flipper Zero (~$169) for portable field work, ACR122U (~$30) for 13.56MHz only. Blank T5577 cards (~$1 each) for 125kHz clones, blank MIFARE Classic for 13.56MHz clones.
Is RFID cloning illegal?
Cloning cards you do not own without authorisation is illegal — fraud, unlawful premises access, and computer misuse violations. Physical pentesters clone only within signed engagement scope. Cloning your own card in a lab is legal.
How do organisations defend against RFID cloning?
Upgrade 125kHz to DESFire EV2 or iCLASS Elite (removes the cloning vulnerability at source), add PIN pads (multi-factor — clone without PIN is useless), deploy anti-passback (detects same card entering twice), monitor access logs for anomalous patterns.

📚 Further Reading

  • 300 Ethical Hacking Tools 2026 — The complete ethical hacking tool catalogue including physical security testing hardware alongside all digital attack tools — Proxmark3 and Flipper Zero are covered in the physical category.
  • 100-Day Ethical Hacking Course — The complete ethical hacking course that covers physical security as part of the full penetration testing methodology — social engineering, physical access, and digital attack chains working together.
  • Proxmark3 Iceman Firmware — GitHub — The community firmware for Proxmark3 with all RFID attack capabilities including MIFARE Classic Darkside and Nested attacks, LF/HF read-write, and standalone mode.
  • Flipper Zero Official Site — The official Flipper Zero documentation covering RFID, NFC, sub-GHz, IR, and GPIO capabilities, with firmware update guides and community application library.
  • NXP MIFARE DESFire Product Page — Official NXP documentation for MIFARE DESFire EV2/EV3 — the cryptographic specification, security features, and comparison with legacy MIFARE Classic cards.
Mr Elite
Owner, SecurityElites.com
The first time I demonstrated 125kHz cloning to a CISO, the look on their face is something I have not forgotten. I cloned one of their own access cards (with permission, in a meeting room) in front of them using a device smaller than a credit card, and then used the clone to open the same meeting room door we were sitting in. The whole thing took about 45 seconds. The CISO had been told by their facilities management vendor just three months earlier that their HID ProxCard system was “secure and industry standard.” It was both of those things — in 1998. They replaced 2,400 cards across three sites within six months. Sometimes the most impactful security finding in an entire engagement is 45 seconds with a $30 piece of hardware that you can buy from an online electronics retailer with next-day shipping.
