RFID Cloning
What is RFID Cloning?
Copying the identifier or cryptographic data of an RFID tag, such as HID Prox or MIFARE Classic, onto another device to impersonate the original badge.
RFID cloning replicates the data of a radio-frequency identification tag onto another device so that it presents the same identity to readers. Low-frequency 125 kHz cards like HID Prox transmit a static identifier in the clear and can be cloned from a few centimeters with cheap tools such as the Proxmark3, or from further away with a long-range reader. High-frequency 13.56 MHz cards like MIFARE Classic use the broken Crypto-1 cipher, allowing key recovery and cloning in seconds. Even some MIFARE DESFire and HID iCLASS deployments are vulnerable when keys are leaked or not diversified per card. Mitigations include diversified keys, modern AES-based cards (DESFire EV3, SEOS), mutual authentication, anti-collision randomization, and physical access controls plus tamper-evident enclosures.
● Examples
- 01: Capturing an HID Prox badge with a Proxmark3 and rewriting it onto a T5577 chip.
- 02: Cloning a MIFARE Classic transit card after recovering the keys via the nested attack.
● Frequently asked questions
What is RFID Cloning?
Copying the identifier or cryptographic data of an RFID tag, such as HID Prox or MIFARE Classic, onto another device to impersonate the original badge. It belongs to the Cryptography category of cybersecurity.
How does RFID Cloning work?
RFID cloning replicates the data of a radio-frequency identification tag onto another device so that it presents the same identity to readers. Low-frequency 125 kHz cards like HID Prox transmit a static identifier in the clear and can be cloned from a few centimeters with cheap tools such as the Proxmark3, or from further away with a long-range reader. High-frequency 13.56 MHz cards like MIFARE Classic use the broken Crypto-1 cipher, allowing key recovery and cloning in seconds. Even some MIFARE DESFire and HID iCLASS deployments are vulnerable when keys are leaked or not diversified per card. Mitigations include diversified keys, modern AES-based cards (DESFire EV3, SEOS), mutual authentication, anti-collision randomization, and physical access controls plus tamper-evident enclosures.
How do you defend against RFID Cloning?
Defences for RFID Cloning combine technical controls with operational practices: replace static-identifier (HID Prox) and Crypto-1 (MIFARE Classic) cards with modern AES-based cards such as DESFire EV3 or SEOS, use per-card diversified keys so that one leaked key does not compromise the whole fleet, require mutual authentication between card and reader, enable anti-collision randomization, and back these up with physical access controls and tamper-evident enclosures on readers.
What are other names for RFID Cloning?
Common alternative names include: Badge cloning, Card cloning.
● Related terms
- NFC Relay Attack (cryptography, № 727): A real-time man-in-the-middle attack that tunnels NFC traffic between a victim's card and a remote reader so the attacker can use the card from a distance.
- Power Analysis Attack (cryptography, № 848): A side-channel attack that recovers secret keys by measuring fluctuations in the power consumption of a cryptographic device during operations.
- TEMPEST Attack (cryptography, № 1139): Recovery of secret information by capturing unintended electromagnetic, acoustic, or optical emanations from electronic equipment.
- Glitch Attack (cryptography, № 445): A fault-injection technique that briefly perturbs voltage or clock signals to make a chip skip instructions or leak cryptographic secrets.