BIPI

RFID and NFC Cloning for Red Teams: Proxmark3, Flipper Zero, and Card Choreography

Cybersecurity

Badge cloning is still the fastest way through a building. This guide compares the Proxmark3 and Flipper Zero for low frequency and high frequency reads, covers HID iClass and MIFARE Classic attacks, and walks through the social choreography that turns a five-second brush past a target into a working clone.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 11, 2023 · 9 min read

#rfid #nfc #proxmark #flipper #physical

Why badge cloning still works

Low frequency 125 kHz badges, especially HID Prox, ship without authentication. High frequency MIFARE Classic still appears in enterprise installs despite the Crypto1 cipher being broken for over a decade. Replacement cycles are slow and budgets favour cameras over readers.

Tool selection: Proxmark3 vs Flipper Zero

  • Proxmark3 RDV4 is the gold standard for cloning, sniffing, and emulation across LF and HF.
  • Flipper Zero is fast, pocketable, and great for opportunistic captures but limited on iClass and DESFire.
  • Combine both: Flipper for casual reads, Proxmark for the deep dive.

Low frequency: HID Prox

High frequency: MIFARE Classic

Use the nested or hardnested attack to recover sector keys, then dump the card. Real-world facilities still rely on default keys like FFFFFFFFFFFF on at least one sector, which is enough to seed the attack.

iClass legacy and SE

  • iClass legacy uses a shared diversified key, recoverable with Proxmark and a downgrade.
  • iClass SE uses SIO objects, harder but documented attacks exist against misconfigured installations.
  • Always check whether site keys have been changed from default; many integrators skip this step.

Card choreography

Cloning needs three to five seconds of proximity. The realistic approach is a long read coil hidden in a backpack or padfolio, brushed past the badge during a conversation or a polite door hold. Always rehearse the move before the engagement.

What to write the clone to

  • T5577 cards for LF emulation, cheap and reliable.
  • Magic gen1a or gen2 cards for MIFARE Classic cloning.
  • Proxmark or Flipper emulation when you cannot leave a physical artefact.

Detection your client should run

  1. Anti-passback rules in the access control system.
  2. Reader-level alerts on duplicate UID seen at impossible locations.
  3. Tailgating analytics from camera feeds, correlated to badge swipes.
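As an added example (not code from the original post), a small Python checker that implements the first two detections above over a constructed swipe log: zone-level anti-passback (a second "in" swipe with no "out" in between) and the same credential appearing at two sites faster than anyone could walk between them. Reader names, the lobby/annex layout and the ten-minute travel time are assumed values.

```python
from datetime import datetime, timedelta

# Constructed sample swipe log: (credential_id, reader, direction, ISO timestamp).
# Reader names are "<site>-<door>"; lobby and annex are assumed to be ~10 min apart.
SWIPES = [
    ("0x1A2B3C", "lobby-in",  "in",  "2023-11-11T08:00:00"),
    ("0x1A2B3C", "lobby-in",  "in",  "2023-11-11T08:04:00"),  # re-entry, no exit swipe
    ("0x1A2B3C", "annex-in",  "in",  "2023-11-11T08:05:30"),  # 90 s after lobby swipe
    ("0x4D5E6F", "lobby-in",  "in",  "2023-11-11T08:10:00"),
    ("0x4D5E6F", "lobby-out", "out", "2023-11-11T08:40:00"),
    ("0x4D5E6F", "lobby-in",  "in",  "2023-11-11T09:00:00"),  # normal in/out/in
]

# Minimum plausible travel time between two sites (assumed value).
TRAVEL = {frozenset({"lobby", "annex"}): timedelta(minutes=10)}


def site(reader):
    """Site portion of a reader name, e.g. 'lobby-in' -> 'lobby'."""
    return reader.split("-")[0]


def find_anomalies(swipes, travel=TRAVEL):
    """Return (antipassback_alerts, impossible_travel_alerts) as lists of strings."""
    inside = {}   # (credential, site) -> True while the last swipe there was an 'in'
    last = {}     # credential -> (site, datetime) of its previous swipe anywhere
    antipassback, impossible = [], []
    for cred, reader, direction, ts in sorted(swipes, key=lambda s: s[3]):
        t = datetime.fromisoformat(ts)
        s = site(reader)
        # Anti-passback: an 'in' while already inside the same zone is a duplicate credential.
        if direction == "in" and inside.get((cred, s)):
            antipassback.append(f"{cred} re-entered {s} at {reader} {ts} without a prior exit")
        inside[(cred, s)] = direction == "in"
        # Impossible location: two sites seen closer together in time than the walk between them.
        if cred in last:
            prev_site, prev_t = last[cred]
            needed = travel.get(frozenset({prev_site, s}))
            if needed and t - prev_t < needed:
                gap = int((t - prev_t).total_seconds())
                impossible.append(f"{cred} at {reader} {ts} only {gap}s after {prev_site}")
        last[cred] = (s, t)
    return antipassback, impossible


if __name__ == "__main__":
    for alert in sum(find_anomalies(SWIPES), []):
        print(alert)
```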

Remediation, ranked by cost

  • Cheap: rotate site keys away from defaults across all MIFARE installs.
  • Medium: migrate to DESFire EV2 or EV3 with diversified keys.
  • Expensive: move to mobile credentials over BLE plus secure enclave.

  • 39%: sites still on HID Prox
  • 46%: MIFARE installs with default keys
  • 73%: clone success in under 5 s

If the badge predates streaming TV, the building has already been cloned and nobody noticed.
