Berkner Tech

Proxmark3 and RFID Access Control Testing

Testing RFID access control with a Proxmark3, from identifying the card to assessing the badge system

Physical access control often runs on RFID badges, and a large share of deployments still use MIFARE Classic, whose Crypto1 cipher has been broken since 2008. With a Proxmark3 and written authorization, a tester can show how easily a legacy badge is read and cloned. Here is how that assessment goes and why the answer is to upgrade the technology.

A Note on Authorization

Cloning an access credential is a real-world entry capability, so this work happens only under a signed engagement that explicitly authorizes it, against the client’s own badges. With that in place, the test demonstrates a risk the organization already owns; without it, none of this is appropriate.

Step 1: Identify the Card

Start by reading what technology the badge uses. The card type tells you immediately whether it is in the broken-by-default category:

pm3 --> hf 14a info
Example output
[+] UID: 04 A3 B1 C2 D5 E6 F7
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types: MIFARE Classic 1K

Step 2: Recover Keys and Read

MIFARE Classic 1K is the textbook case. The Proxmark chains the known Crypto1 attacks to recover the sector keys and dump the card:

Anatomy of a Proxmark3 MIFARE Classic key recovery command using hf mf autopwn
pm3 --> hf mf autopwn
Example output
[+] Found 16 valid keys
[+] Default key found: FFFFFFFFFFFF (sector 3)
[+] Nested attack recovered key A: a0b1c2d3e4f5
[+] Card dumped to hf-mf-04A3B1C2-dump.bin

Default keys on some sectors and a nested attack on the rest, and the card is fully read. The dump can be written to a blank, which is the cloning step the engagement is meant to demonstrate.

Three RFID Access Weaknesses

Why legacy badge systems fail comes down to three weaknesses: the Crypto1 cipher itself is broken, sectors are left on default keys, and keys are not diversified across badges.

Upgrading the System

There is no safe way to keep using Crypto1. Move to modern credentials such as MIFARE DESFire EV3 or Seos, use diversified keys so each badge is cryptographically unique, and add a second factor for high-security doors. The badge should be hard to clone by design, not by obscurity.
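As an added example (not code from the post or from the Proxmark3 project), a small Python audit of the dump files that Step 2 produces: it reports sectors still on a well-known key and sectors whose key is identical on every badge, the default-key and no-diversification weaknesses named above. The dump layout, the well-known keys beyond FFFFFFFFFFFF, and the two constructed badges are assumptions.

```python
"""Audit MIFARE Classic 1K dumps for default keys and missing key diversification.
Hypothetical helper, not a Proxmark3 tool. Dump layout as hf mf autopwn writes it:
16 sectors x 4 blocks x 16 bytes; the last block of each sector is the trailer,
laid out as key A (6 bytes) | access bits (4) | key B (6)."""
SECTORS, BLOCK = 16, 16
SECTOR_BYTES = 4 * BLOCK
# Well-known public keys: the transport key seen in the post, NXP MAD key A, NDEF key.
DEFAULT_KEYS = {bytes.fromhex(k) for k in ("FFFFFFFFFFFF", "A0A1A2A3A4A5", "D3F7D3F7D3F7")}

def sector_keys(dump: bytes) -> list[tuple[bytes, bytes]]:
    """Return (key A, key B) for every sector of a 1K dump."""
    if len(dump) != SECTORS * SECTOR_BYTES:
        raise ValueError(f"expected a 1024-byte MIFARE Classic 1K dump, got {len(dump)}")
    keys = []
    for s in range(SECTORS):
        trailer = dump[s * SECTOR_BYTES + 3 * BLOCK:(s + 1) * SECTOR_BYTES]
        keys.append((trailer[:6], trailer[10:16]))
    return keys

def default_key_sectors(dump: bytes) -> list[int]:
    """Sectors still protected by a well-known key in either slot."""
    return [s for s, (a, b) in enumerate(sector_keys(dump))
            if a in DEFAULT_KEYS or b in DEFAULT_KEYS]

def shared_key_sectors(dumps: list[bytes]) -> list[int]:
    """Sectors whose key A is identical on every badge supplied: no key
    diversification, so one recovered key opens the whole fleet."""
    per_sector = zip(*(sector_keys(d) for d in dumps))
    return [s for s, pairs in enumerate(per_sector) if len({a for a, _ in pairs}) == 1]

def make_dump(keys: list[tuple[str, str]]) -> bytes:
    """Build a constructed 1K dump whose trailers carry the given hex key pairs."""
    out = bytearray(SECTORS * SECTOR_BYTES)
    for s, (a, b) in enumerate(keys):
        t = s * SECTOR_BYTES + 3 * BLOCK
        out[t:t + 6] = bytes.fromhex(a)
        out[t + 6:t + 10] = bytes.fromhex("FF078069")  # transport access bits
        out[t + 10:t + 16] = bytes.fromhex(b)
    return bytes(out)

def constructed_fleet() -> list[bytes]:
    """Two constructed badges: sectors 0-2 carry a per-badge key, sector 3 was
    never changed from the transport key, sectors 4-15 share one site key."""
    fleet = []
    for uid in ("04A3B1C2", "04A3B1C3"):
        keys = [(f"{uid}{s:02X}{s:02X}", f"{uid}{s:02X}{s:02X}") for s in range(3)]
        keys.append(("FFFFFFFFFFFF", "FFFFFFFFFFFF"))
        keys += [("A0B1C2D3E4F5", "1122334455AA")] * 12
        fleet.append(make_dump(keys))
    return fleet
```

Run it over real dumps from an engagement and any sector that appears in both lists is the one to fix first: a public key shared by every badge on the site.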

Where This Fits

Assessing an access-control system, including authorized badge cloning tests, is part of a physical and product penetration test. That is the kind of work we do at Berkner Tech.
