Starting Out on RFID

RFID is everywhere. In our contactless payment systems, in transport cards like Oyster and Chipkart and M-card season tickets, in hotel room doors, in office door locks, in some domestic door locks, in phones, even in some advertising posters. I’ve seen Bluetooth devices use it to make pairing easier.

But how does it actually work? And how secure is it?

A few months back, I became fascinated by RFID, and decided to learn more about it. I had made some assumptions about how things like door access cards work, and their fundamental security frameworks, but really didn’t know where to start with finding out if my assumptions were true.

So, I got a Proxmark.

To be precise, I didn’t really know what I was doing, so I got the “RFID Pentester Pack” from Lab401 (which included a Proxmark3 RDV4, a Chameleon Mini Rev E, and an SCL-3711, which is a mini USB read/write stick), along with the “Android” pack of blank cards. Whilst fairly expensive, I wanted to make sure I had enough kit to have a good stab at learning; I didn’t want to get something nearly working only to then discover that the kit I had didn’t support something, and then have to wait a few days for the next bit to arrive.

The Proxmark is a great little device, with published circuit diagram / parts list / Gerber files etc., for doing all sorts of investigation into RFID cards and readers. I wasn’t really sure how it was different from the Chameleon, but I now know that the Proxmark is considerably more powerful because it has an FPGA driving the actual radio, leaving the microprocessor freer to implement the application-level protocols. The Chameleon, on the other hand, has a built-in battery so it can operate stand-alone without needing to be plugged into a laptop (or at least an external power source). I tend to think of the Proxmark as the general-purpose investigative tool, for digging around and for doing things like brute-forcing a key, whereas the Chameleon is more of a “physical red-team” device which lets you save 8 keys and select which one it is pretending to be at any given time. Also, the Chameleon will only operate at “high” frequency (13.56 MHz), whereas the Proxmark has 2 antennas for high and low (125 kHz) frequencies[1].

In mid-April, it all arrived. But I wasn’t really sure what to do with it…

The first line of the readme file said to update the firmware, so that’s what I did.

1. There is a third frequency you may come across in the RFID world, 134 kHz, which is the one used in animal implants (e.g. when you have your cat chipped).