RFID (125kHz)
Low-frequency RFID systems are widely used for physical access control (e.g., HID Prox, EM4100). These systems often rely on static IDs and lack encryption, making them easy to clone or spoof.
Target Technologies:
- HID Prox
- EM4100 / EM4200
- Indala (limited support)
Common Use Cases:
- Office access control
- Parking barriers
- Hotel keycards (legacy systems)
Attack Techniques:
- Read badge UIDs using Flipper Zero or Proxmark3
- Clone card data to writable tags or emulate via device
- Brute-force badge ID sequences where predictable
- Signal replay against poorly configured readers
Tools & Methods:
- Flipper Zero: Quick read/clone/emulate for common tags
- Proxmark3 RDV4: Deep analysis, sniffing reader↔card comms, emulation
- RFIDler: Alternative LF RFID research tool
Challenges:
- Some systems add further encoding on top of the raw ID (e.g., facility codes)
- Indala uses a different modulation scheme, so tool support is more limited
Defensive Notes (optional):
- Upgrade to encrypted high-frequency systems (e.g., iCLASS SE or DESFire)
- Implement anti-cloning features on backend (badge blacklist, rate limiting)
Next Steps:
- Practice reading/cloning your own badges
- Build a tag collection for testing
- Explore the Proxmark lf search, lf hid, and lf em command suites
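The two defensive notes above (badge blacklist, rate limiting) are backend checks, because a static 125 kHz ID can never prove it is genuine. The following is an added example, not code from the page or any access-control vendor, of a controller that implements both and adds a third check the notes do not mention: the same ID appearing at two readers faster than anyone could walk between them, which is the classic symptom of a cloned badge. The policy values (5 reads per 60 s, 30 s minimum travel time) and the event stream are constructed assumptions.

```python
"""Backend checks for a static-ID badge system.

Added example, not code from the page or any vendor. The reader only forwards
(badge_id, reader_id, timestamp); a 125 kHz badge cannot prove it is genuine,
so the defences live in the controller: a blocklist for lost or cloned IDs,
per-badge rate limiting, and a duplicate-presence check that flags one ID
appearing at two readers faster than anyone could walk between them. All
policy values below are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class AccessController:
    blocklist: set = field(default_factory=set)
    rate_limit: int = 5          # assumed: at most 5 reads per badge per window
    window_s: float = 60.0       # assumed: rate-limit window in seconds
    min_travel_s: float = 30.0   # assumed: minimum seconds between two different readers
    alerts: list = field(default_factory=list)
    _reads: dict = field(default_factory=lambda: defaultdict(deque))
    _last_seen: dict = field(default_factory=dict)

    def decide(self, badge_id: str, reader_id: str, ts: float) -> str:
        """Return "grant" or "deny"; suspicious patterns are appended to self.alerts."""
        if badge_id in self.blocklist:
            self.alerts.append((ts, badge_id, reader_id, "blocklisted badge presented"))
            return "deny"

        # Rate limiting: forget reads older than the window, then count the rest.
        reads = self._reads[badge_id]
        while reads and ts - reads[0] > self.window_s:
            reads.popleft()
        if len(reads) >= self.rate_limit:
            self.alerts.append((ts, badge_id, reader_id, "rate limit exceeded"))
            return "deny"
        reads.append(ts)

        # Duplicate presence: the same static ID at another reader too soon
        # means at least one of the two badges is a copy. Quarantine the ID
        # (original and clone alike) until a human reviews it.
        prev = self._last_seen.get(badge_id)
        if prev is not None and prev[0] != reader_id and ts - prev[1] < self.min_travel_s:
            self.alerts.append((ts, badge_id, reader_id,
                                "possible clone: seen at %s %.0fs ago" % (prev[0], ts - prev[1])))
            self.blocklist.add(badge_id)
            return "deny"
        self._last_seen[badge_id] = (reader_id, ts)
        return "grant"


# Constructed sample stream: (badge_id, reader_id, timestamp in seconds).
SAMPLE_EVENTS = [
    ("0A1B2C3D", "lobby-door", 1000.0),   # normal entry
    ("0A1B2C3D", "lab-door",   1010.0),   # same ID 10 s later at a distant reader
    ("0A1B2C3D", "lobby-door", 1020.0),   # now quarantined
    ("FFEE0011", "lobby-door", 2000.0),   # unrelated badge
] + [("77665544", "garage", 3000.0 + i) for i in range(6)]  # 6 taps in 6 s


def run_sample():
    """Replay SAMPLE_EVENTS through a fresh controller; returns (decisions, alerts)."""
    ctl = AccessController()
    decisions = [ctl.decide(b, r, t) for b, r, t in SAMPLE_EVENTS]
    return decisions, ctl.alerts


if __name__ == "__main__":
    decisions, alerts = run_sample()
    for (b, r, t), d in zip(SAMPLE_EVENTS, decisions):
        print("%7.0f %s @ %-10s -> %s" % (t, b, r, d))
    for a in alerts:
        print("ALERT", a)
```

The quarantine deliberately locks out the legitimate holder as well, since the controller cannot tell which of the two badges is the copy; the alert is what turns a silent clone into a help-desk ticket and a re-issued credential.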
NFC (13.56MHz)
Overview: High-frequency NFC is widely used in modern contactless systems including payment, transport, and access control. Unlike 125kHz RFID, NFC often supports encrypted protocols, but many legacy or budget implementations remain vulnerable.
Target Technologies:
- MIFARE Classic (1K/4K)
- MIFARE Ultralight / NTAG
- DESFire EV1/EV2 (limited vulnerability without keys)
- iCLASS (partially accessible)
Common Use Cases:
- Contactless payment cards
- Public transit passes
- Mobile access badges
- Smart posters or info tags
Attack Techniques:
- Dump memory of MIFARE Classic cards using mfoc/mfcuk
- Clone UID-only cards or emulate using devices (e.g., Flipper)
- Emulate or spoof NDEF tags
- Brute-force weak or default keys
- Replay low-security or unencrypted tag data
Tools & Methods:
- Flipper Zero: UID emulation, tag reading, basic dumping
- Proxmark3 RDV4: Full sector dumps, key cracking, emulation
- Android + NFC Tools or MIFARE Classic Tool (MCT)
Challenges:
- DESFire and iCLASS use strong crypto and require key material
- Some Android phones block low-level NFC operations
Defensive Notes (optional):
- Use secure elements (SE) or mobile-based credentials with challenge-response
- Implement transaction counters and session keys
Next Steps:
- Collect old transit or hotel cards to practice
- Explore the hf mf and hf iclass Proxmark commands
- Build a reference library of known keysets and sector layouts
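The "weak or default keys" and "sector layouts" items above come together in the sector trailer of a MIFARE Classic card, where each sector stores key A, four access-condition bytes, and key B. The following is an added example, not code from the page, Proxmark3 or MCT, that audits a 1K dump for the issues a card owner would want to find in their own cards: a BCC that does not match the UID, sectors still on the factory transport key, trailers whose access bits are internally inconsistent, and trailer configurations in which key A can read key B. It assumes the raw 1024-byte layout those tools produce; the sample dump is constructed.

```python
"""Audit a MIFARE Classic 1K dump for weak key and trailer configuration.

Added example; not code from the page, Proxmark3 or MCT. It assumes the raw
1024-byte dump layout those tools produce: 16 sectors x 4 blocks x 16 bytes,
block 0 = UID(4) | BCC | SAK | ATQA(2) | manufacturer data, and each sector
trailer = key A(6) | access bits(4) | key B(6). The sample dump is constructed.
"""

BLOCK_LEN = 16
SECTORS_1K = 16
FACTORY_KEY = bytes.fromhex("FFFFFFFFFFFF")      # transport key on blank cards
# Trailer configurations (C1,C2,C3 of block 3) in which key A can read key B.
KEY_B_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def decode_access_bits(trailer: bytes):
    """Return ([(C1,C2,C3) for blocks 0..3], consistent).

    Bytes 6..8 store every C bit twice, plain and inverted; if the two copies
    disagree the trailer was corrupted or written with a wrong layout, and a
    genuine card then refuses all access to that sector.
    """
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    inv_c2, inv_c1 = b6 >> 4, b6 & 0xF
    c1, inv_c3 = b7 >> 4, b7 & 0xF
    c3, c2 = b8 >> 4, b8 & 0xF
    consistent = (c1 ^ inv_c1 == 0xF and c2 ^ inv_c2 == 0xF and c3 ^ inv_c3 == 0xF)
    per_block = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return per_block, consistent


def audit_dump(dump: bytes) -> list:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    if len(dump) != SECTORS_1K * 4 * BLOCK_LEN:
        raise ValueError("expected a 1K dump of %d bytes" % (SECTORS_1K * 4 * BLOCK_LEN))
    findings = []
    uid, bcc = dump[0:4], dump[4]
    expected_bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    if bcc != expected_bcc:
        findings.append("block 0: BCC %02X does not match UID (expected %02X)" % (bcc, expected_bcc))
    for s in range(SECTORS_1K):
        trailer = dump[(s * 4 + 3) * BLOCK_LEN:(s * 4 + 4) * BLOCK_LEN]
        key_a, key_b = trailer[:6], trailer[10:]
        if key_a == FACTORY_KEY:
            findings.append("sector %d: key A is the factory default" % s)
        if key_b == FACTORY_KEY:
            findings.append("sector %d: key B is the factory default" % s)
        per_block, ok = decode_access_bits(trailer)
        if not ok:
            findings.append("sector %d: access bits inconsistent (corrupted trailer)" % s)
        elif per_block[3] in KEY_B_READABLE:
            findings.append("sector %d: key B is readable with key A, so it adds no protection" % s)
    return findings


def _trailer(key_a_hex: str, access_hex: str, key_b_hex: str) -> bytes:
    return bytes.fromhex(key_a_hex + access_hex + key_b_hex)


def build_sample_dump() -> bytes:
    """Constructed dump: sector 1 left at factory settings, sector 2 with a
    corrupted trailer, every other sector re-keyed and locked (C1C2C3 = 011)."""
    uid = bytes.fromhex("DEADBEEF")
    block0 = uid + bytes([uid[0] ^ uid[1] ^ uid[2] ^ uid[3], 0x08]) + bytes.fromhex("0400") + bytes(8)
    blocks = []
    for s in range(SECTORS_1K):
        blocks += [block0 if s == 0 else bytes(BLOCK_LEN)] + [bytes(BLOCK_LEN)] * 2
        if s == 1:
            blocks.append(_trailer("FFFFFFFFFFFF", "FF078069", "FFFFFFFFFFFF"))
        elif s == 2:
            blocks.append(_trailer("A1B2C3D4E5F6", "FF008069", "F6E5D4C3B2A1"))
        else:
            blocks.append(_trailer("A1B2C3D4E5F6", "7F078869", "F6E5D4C3B2A1"))
    return b"".join(blocks)


if __name__ == "__main__":
    for finding in audit_dump(build_sample_dump()):
        print(finding)
```

Run it against a dump of one of your own cards (after converting any tool-specific format to raw bytes) and the findings tell you whether the issuer ever left the transport configuration; a dump in which every sector trailer still reads FF078069 with the factory key is the case the "default keys" item refers to.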
Sub-GHz RF (315 / 433 / 868 MHz)
Overview: Sub-GHz wireless is used in many IoT devices like garage doors, wireless outlets, smart remotes, and alarms. Many implementations lack encryption or use fixed codes.
Target Technologies:
- Fixed code remotes (PT2262, EV1527)
- Rolling code systems (Keeloq, HCS301)
- Generic ASK/OOK transmitters
Common Use Cases:
- Garage doors and gate controllers
- Home automation remotes
- Car alarm systems
- RF motion detectors and door sensors
Attack Techniques:
- Capture and replay RF signals for fixed code devices
- Brute-force code space of short protocol devices
- Jam RF transmissions to trigger fallback or deny service
Tools & Methods:
- Flipper Zero: Signal capture, replay, and brute-force scripts
- HackRF / RTL-SDR: Wideband analysis, decoding, replay scripting
- Yard Stick One: Focused sub-GHz TX/RX with RFCat
Challenges:
- Rolling codes typically resist replay attacks
- Some devices have hardware-level noise or obfuscation
Defensive Notes (optional):
- Use rolling code systems with replay protection
- Validate source address or sequence numbers in protocol
Next Steps:
- Capture your own remote signals and replay
- Explore RF signal structure using URH or Inspectrum
- Test for DoS vulnerability via jamming
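Why a rolling code "typically resists replay" while a fixed code does not comes down to the receiver's acceptance rule. The following is an added example, not code from the page or any vendor, that simulates the receiver side of a rolling-code system alongside a fixed-code receiver. Keeloq/HCS301 encrypt the counter with a proprietary block cipher; this simulation substitutes an HMAC-SHA256 tag over the counter (an assumption, made so the example runs on the standard library alone), and the 16-press resync window is likewise an assumed policy value. The logic it demonstrates is the sequence-number validation the defensive notes call for.

```python
"""Receiver-side rolling-code validation, the check that makes captured frames useless.

Added example, not code from the page or any vendor. Keeloq/HCS301 encrypt the
counter with a proprietary block cipher; this simulation substitutes an
HMAC-SHA256 tag so it runs on the standard library alone (an assumption, not
the real cipher). The receiver logic is the point: a counter that must
strictly increase, a bounded resync window for presses made out of range,
and a fixed-code receiver alongside it to show what a static code lacks.
"""
import hashlib
import hmac
import os

WINDOW = 16   # assumed: tolerate up to 16 missed presses before requiring re-pairing


class RollingRemote:
    def __init__(self, serial: int, key: bytes):
        self.serial, self.key, self.counter = serial, key, 0

    def press(self) -> bytes:
        """Emit one 10-byte frame: serial(4) | counter(2) | tag(4)."""
        self.counter += 1
        body = self.serial.to_bytes(4, "big") + self.counter.to_bytes(2, "big")
        return body + hmac.new(self.key, body, hashlib.sha256).digest()[:4]


class RollingReceiver:
    def __init__(self):
        self.paired = {}   # serial -> [key, last accepted counter]

    def pair(self, serial: int, key: bytes):
        self.paired[serial] = [key, 0]

    def accept(self, frame: bytes) -> str:
        if len(frame) != 10:
            return "reject: malformed"
        serial = int.from_bytes(frame[:4], "big")
        counter = int.from_bytes(frame[4:6], "big")
        entry = self.paired.get(serial)
        if entry is None:
            return "reject: unknown serial"
        key, last = entry
        tag = hmac.new(key, frame[:6], hashlib.sha256).digest()[:4]
        if not hmac.compare_digest(tag, frame[6:]):
            return "reject: bad tag"
        if counter <= last:                 # a replayed or stale frame
            return "reject: replay (counter %d <= %d)" % (counter, last)
        if counter - last > WINDOW:         # too far ahead: desynchronised
            return "reject: outside resync window"
        entry[1] = counter
        return "accept"


def fixed_code_receiver(stored_code: int, frame_code: int) -> str:
    """PT2262/EV1527 style: one static code, valid forever, so any capture replays."""
    return "accept" if frame_code == stored_code else "reject"


def demo() -> list:
    key = os.urandom(16)                       # constructed pairing secret
    remote, rx = RollingRemote(0x00C0FFEE, key), RollingReceiver()
    rx.pair(remote.serial, key)
    captured = remote.press()                  # a press that a sniffer also saw
    results = [rx.accept(captured)]            # genuine press -> accept
    results.append(rx.accept(captured))        # same frame again -> replay rejected
    for _ in range(5):
        remote.press()                         # presses made out of range
    results.append(rx.accept(remote.press()))  # counter 7 vs last 1: inside window
    for _ in range(WINDOW + 1):
        remote.press()
    results.append(rx.accept(remote.press()))  # counter 25 vs last 7: outside window
    results.append(fixed_code_receiver(0x5A5A5A, 0x5A5A5A))  # static code: accepted every time
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The resync window is the trade-off to watch: too small and a remote pressed a few times in the car park stops working, too large and the "brute-force code space" item above starts to apply to the counter. Real HCS receivers use a two-stage window for exactly this reason.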
Infrared (IR)
Overview: IR communication is still widely used in consumer electronics for control interfaces, and occasionally in industrial or signage systems.
Target Technologies:
- NEC, Sony SIRC, RC5/RC6 protocols
- Custom IR codes in signage systems
Common Use Cases:
- TV/AV remote controls
- Air conditioners and fans
- Presentation systems and public displays
Attack Techniques:
- Record IR signals from remotes
- Replay known IR codes to trigger or disrupt behavior
- Brute-force IR space against known targets
Tools & Methods:
- Flipper Zero: Built-in IR send/record interface
- USB IR Blasters: Used with LIRC or custom scripts
Challenges:
- Requires line of sight and precise aiming
- Brute-force is noisy and often impractical
Defensive Notes (optional):
- Use RF or BLE-based control systems with pairing
- Lock down public-facing IR interfaces
Next Steps:
- Record and spoof IR from your own remotes
- Test disruption of conference or classroom systems
- Build an IR code library by brand and function
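Building a code library by brand and function means decoding raw captures into the protocol's address and command fields, and the NEC protocol listed above is the usual starting point. The following is an added example, not code from the page, Flipper or LIRC, that turns a list of mark/space durations (microseconds, as a raw capture gives them) into an NEC address and command, and rejects truncated or corrupted captures using the protocol's own inverted bytes. The timing tolerance and the sample captures are constructed assumptions.

```python
"""Decode NEC infrared frames from raw mark/space timings and reject bad captures.

Added example, not code from the page, Flipper or LIRC. NEC frames start with a
9000 us leader mark and 4500 us space, then 32 bits LSB-first, each a 562 us mark
followed by a 562 us space (0) or 1687 us space (1), then a 562 us stop mark.
The payload is address, ~address, command, ~command; the inverted copies are
what lets a receiver drop corrupted or truncated captures rather than act on
them. The timing tolerance and the sample captures are constructed assumptions.
"""

LEADER_MARK, LEADER_SPACE = 9000, 4500
BIT_MARK, ZERO_SPACE, ONE_SPACE = 562, 562, 1687
TOLERANCE = 0.25   # assumed: +/-25 % slack, in the range consumer receivers allow


def _near(measured: int, nominal: int) -> bool:
    return abs(measured - nominal) <= nominal * TOLERANCE


def encode_nec(address: int, command: int) -> list:
    """Produce the mark/space list for a frame; used here only to build sample captures."""
    payload = bytes([address & 0xFF, ~address & 0xFF, command & 0xFF, ~command & 0xFF])
    timings = [LEADER_MARK, LEADER_SPACE]
    for byte in payload:
        for i in range(8):                    # least significant bit first
            timings += [BIT_MARK, ONE_SPACE if (byte >> i) & 1 else ZERO_SPACE]
    timings.append(BIT_MARK)                  # stop mark
    return timings


def decode_nec(timings: list) -> dict:
    """Return {"address": a, "command": c}; raise ValueError for anything that is not a clean frame."""
    if len(timings) < 2 + 2 * 32 + 1:
        raise ValueError("truncated capture (%d durations)" % len(timings))
    if not (_near(timings[0], LEADER_MARK) and _near(timings[1], LEADER_SPACE)):
        raise ValueError("no NEC leader")
    value = 0
    for bit in range(32):
        mark, space = timings[2 + 2 * bit], timings[3 + 2 * bit]
        if not _near(mark, BIT_MARK):
            raise ValueError("bad mark at bit %d" % bit)
        if _near(space, ONE_SPACE):
            value |= 1 << bit
        elif not _near(space, ZERO_SPACE):
            raise ValueError("bad space at bit %d" % bit)
    addr, addr_inv, cmd, cmd_inv = value.to_bytes(4, "little")
    if addr ^ addr_inv != 0xFF or cmd ^ cmd_inv != 0xFF:
        raise ValueError("inverse check failed: corrupted capture")
    return {"address": addr, "command": cmd}


def audit_capture(timings: list) -> tuple:
    """Wrap decode_nec for callers that prefer a status tuple to an exception."""
    try:
        return "ok", decode_nec(timings)
    except ValueError as exc:
        return "invalid", str(exc)


# Constructed captures: a clean frame, the same frame with 10 % timing drift,
# and a copy with one space duration corrupted (the kind of glitch a weak
# capture produces); the inverse bytes catch the last one.
SAMPLE_CAPTURE = encode_nec(0x04, 0x08)
JITTERED_CAPTURE = [int(t * 1.1) for t in SAMPLE_CAPTURE]
CORRUPTED_CAPTURE = list(SAMPLE_CAPTURE)
CORRUPTED_CAPTURE[3 + 2 * 8] = ZERO_SPACE   # bit 8 is the first bit of ~address

if __name__ == "__main__":
    for name, cap in [("clean", SAMPLE_CAPTURE), ("jittered", JITTERED_CAPTURE), ("corrupted", CORRUPTED_CAPTURE)]:
        print(name, audit_capture(cap))
```

One caveat when cataloguing real remotes: "extended NEC" devices use the second byte as the high half of a 16-bit address instead of an inverted copy, so a capture from such a remote fails the inverse check here even though it is genuine; a library decoder keeps the command inverse check and treats the address pair as either form.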
Bluetooth Low Energy (BLE)
Overview: BLE is used by many IoT devices due to low power requirements and mobile integration. Many devices rely on weak pairing, static keys, or insecure characteristics.
Target Technologies:
- Smart locks and access tags
- BLE trackers and wearables
- Home automation peripherals
Common Use Cases:
- Access control
- Fitness and tracking
- Wireless control systems
Attack Techniques:
- Scan and identify nearby BLE devices
- Analyze services and characteristics
- Attempt MITM or spoof advertising
- Replay known control payloads to vulnerable devices
Tools & Methods:
- Flipper Zero: BLE scanner and basic identification
- ESP32 with BLE sniffing firmware (e.g., btlejack)
- Nordic tools, Ubertooth One
Challenges:
- Secure pairing modes like LE Secure Connections block simple attacks
- Device whitelisting and address randomization can limit targeting
Defensive Notes (optional):
- Implement bonding, encryption, and key rotation
- Validate BLE device identity beyond MAC address
Next Steps:
- Scan and fingerprint BLE in your environment
- Try replay attacks on smart bulbs or locks
- Use btlejack or Wireshark with BLE capture for deeper inspection
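Fingerprinting BLE in your environment starts from the advertising reports a scanner returns, and the address type in each report is what the "address randomization" and "identity beyond MAC address" items are about. The following is an added example, not code from the page, btlejack or Wireshark, that parses the raw advertising data into its [length][type][data] structures, classifies the advertiser address as public, random static, resolvable private or non-resolvable private from the top two bits of its first byte, and attaches the review notes a defender would record. The two sample reports are constructed; company identifier 0xFFFF is the value reserved for testing.

```python
"""Parse a BLE advertising report and classify the advertiser's address.

Added example, not code from the page, btlejack or Wireshark. The input is what
a scanner reports: the advertiser address as printed (most significant byte
first), whether the address type is random, and the raw advertising data, a
sequence of [length][AD type][data] structures. A random address is sub-typed
by the top two bits of its first byte: 11 static, 01 resolvable private,
00 non-resolvable private. The sample reports are constructed.
"""

AD_FLAGS, AD_UUID16_COMPLETE, AD_SHORT_NAME, AD_COMPLETE_NAME, AD_MFG_DATA = 0x01, 0x03, 0x08, 0x09, 0xFF
RANDOM_SUBTYPES = {0b11: "random static", 0b01: "resolvable private", 0b00: "non-resolvable private"}


def parse_ad_structures(payload: bytes) -> dict:
    """Return {ad_type: data}; raise ValueError if a length field runs past the payload."""
    fields, i = {}, 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                        # zero-length entries are padding
            break
        if i + 1 + length > len(payload):
            raise ValueError("AD structure at offset %d overruns payload" % i)
        fields[payload[i + 1]] = payload[i + 2:i + 1 + length]
        i += 1 + length
    return fields


def classify_address(addr: bytes, is_random: bool) -> str:
    if not is_random:
        return "public"
    return RANDOM_SUBTYPES.get(addr[0] >> 6, "reserved")


def summarize_report(addr_text: str, is_random: bool, payload: bytes) -> dict:
    """Fingerprint one advertisement the way an environment scan would, with review notes."""
    addr = bytes.fromhex(addr_text.replace(":", ""))
    fields = parse_ad_structures(payload)
    name = fields.get(AD_COMPLETE_NAME) or fields.get(AD_SHORT_NAME)
    uuid_bytes = fields.get(AD_UUID16_COMPLETE, b"")
    uuids = [int.from_bytes(uuid_bytes[k:k + 2], "little") for k in range(0, len(uuid_bytes) - 1, 2)]
    kind = classify_address(addr, is_random)
    notes = []
    if kind in ("public", "random static"):
        notes.append("fixed address: trackable across sessions and trivially spoofable, "
                     "so it must not serve as the device's identity")
    if AD_FLAGS in fields and fields[AD_FLAGS][0] & 0x02:
        notes.append("LE General Discoverable: advertises continuously, not only when pairing")
    if AD_MFG_DATA in fields:
        notes.append("manufacturer data present: reveals vendor to every passive listener")
    return {"address": addr_text, "address_kind": kind,
            "name": name.decode("utf-8", "replace") if name else None,
            "services": uuids, "notes": notes}


# Constructed reports: a smart lock advertising on a public address, and a
# phone using a resolvable private address with test company ID 0xFFFF.
SAMPLE_REPORTS = [
    ("C4:7C:8D:11:22:33", False, bytes.fromhex("020106" "03030F18" "0A09" "46726F6E744C6F636B")),
    ("5E:21:A7:04:9C:D0", True, bytes.fromhex("02011A" "05FFFFFF0102")),
]


def scan_summary() -> list:
    return [summarize_report(*report) for report in SAMPLE_REPORTS]


if __name__ == "__main__":
    for entry in scan_summary():
        print(entry)
```

A resolvable private address changes on a timer and can only be matched to a device by a peer that holds its Identity Resolving Key from bonding, which is the mechanism behind the "bonding, encryption, and key rotation" note; a lock that instead whitelists a public address is relying on a value anyone with a scanner can read and any development board can set.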