Proxmark3 RFID Security for Defenders
A defender's guide to Proxmark3 RFID security — auditing 125 kHz and MIFARE Classic credentials, detecting cloned badges, and migrating to DESFire EV3 and AES.
Proxmark3 RFID security work, for a defender, is credential auditing: using the reference RFID research tool to prove which of your access cards are weak before an attacker does. Where a Flipper Zero handles default-key and legacy cards, the Proxmark3 goes further — cracking non-default MIFARE Classic keys with nested attacks and analyzing low-level protocol behavior. That makes it the auditor’s instrument for answering one question: can our badges be cloned, and what do we migrate to? This guide is the defensive playbook.
An unauthorized RFID device at your perimeter maps to T1200 (Hardware Additions) in MITRE ATT&CK. The defensive use of the same tool is to find the weak credential first.
What is a Proxmark3 and why does it matter for defenders?
The Proxmark3 (commonly the RDV4) is a dedicated RFID/NFC research platform that reads, analyzes, and tests both 125 kHz (low-frequency) and 13.56 MHz (high-frequency) credentials. Its defensive value is depth: it does not just copy default-key cards, it can run nested and hardnested attacks to recover custom MIFARE Classic keys in a lab — which is exactly how you prove whether a deployed card is actually secure or just appears to be.
For a defender running an authorized access-control audit, that depth is the point. A card that resists a Flipper might still fall to a Proxmark3, and knowing which is true for your badges is what prioritizes the migration budget.
What RFID credentials are weak, and what replaces them?
| Credential | Security | Auditor’s verdict |
|---|---|---|
| 125 kHz (HID Prox, EM4100, Indala) | None (plain ID) | Replace — trivially cloned |
| MIFARE Classic (CRYPTO1) | Broken cipher | Replace — crackable even with custom keys |
| MIFARE DESFire EV1 | AES, strong | Acceptable; EV3 preferred |
| MIFARE DESFire EV3 / iCLASS SE / Seos | Modern crypto | Recommended target |
| Mobile credentials (NFC/BLE) | Dynamic auth | Strongest; phishing-resistant |
The migration story is consistent with the Flipper Zero NFC risk: the frequency does not determine security, the cryptography does. 125 kHz and MIFARE Classic are the replace-now population.
How to detect cloned RFID credentials
A clone is byte-identical at the reader, so detection lives in the access-control data — the same principle as broken access control detection for web apps, applied to doors.
A badge that was never issued
The cleanest signal: a credential ID that authenticates but is not in your issuance database. That is a rogue or cloned card by definition.
```spl
index=physical sourcetype=access:badge action=granted
| lookup issued_credentials credential_id OUTPUT holder, status
| where isnull(holder) OR status!="active"
| stats count, values(reader_id) AS readers by credential_id
| sort - count
```

Use from an anomalous reader
For environments on Microsoft Sentinel, the same logic in KQL flags a credential appearing at a reader it has never used — a sign of a clone moving through the building.
```kql
AccessBadge_CL
| where Action_s == "granted"
| summarize firstReader = min(TimeGenerated) by CredentialId_s, ReaderId_s
| join kind=leftanti (BadgeReaderBaseline_CL) on CredentialId_s, ReaderId_s
| project TimeGenerated = firstReader, CredentialId_s, ReaderId_s
```

How to run a Proxmark3 credential audit
In an authorized physical-security engagement on systems you own:
- Identify each credential’s technology and frequency at every reader.
- Test 125 kHz cards — they are plain IDs; confirm the replace list.
- Test MIFARE Classic for default and crackable custom keys (nested/hardnested in a lab) to prove real weakness.
- Validate reader anti-cloning — confirm modern readers reject emulated/cloned credentials.
- Document the migration roadmap by reader, prioritized by exposure.
How to harden RFID access control
- Multi-factor at sensitive doors (badge + PIN/biometric) so a clone alone fails.
- Reconcile credentials continuously against the issuance system (detection above).
- Rolling/dynamic credentials over any static, replayable ID.
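The continuous reconciliation called for above, as an added Python example that is not part of the original guide: it applies the same checks as the SPL and KQL queries in the detection section (un-issued or inactive IDs, first-seen credential/reader pairs) and adds the impossible-travel check from the checklist, all over constructed badge events. The issuance table, reader baseline, reader positions and event fields are assumptions for illustration.

```python
# Added example (not from the page): the SPL/KQL reconciliation logic above plus
# an impossible-travel check, over constructed badge events. Names are assumptions.
from datetime import datetime
from math import dist

# Constructed issuance database: credential_id -> (holder, status)
ISSUED = {"0A1B2C": ("alice", "active"), "0D0E0F": ("bob", "revoked"),
          "112233": ("carol", "active")}
# Constructed baseline of (credential_id, reader_id) pairs seen historically
BASELINE = {("0A1B2C", "lobby"), ("0A1B2C", "floor2"), ("112233", "lobby")}
# Constructed reader positions in metres on the site plan (for impossible travel)
READER_POS = {"lobby": (0, 0), "floor2": (20, 0), "datacenter": (600, 0)}
# Constructed access log: (timestamp, credential_id, reader_id, action)
EVENTS = [
    ("2024-05-01T08:00:00", "0A1B2C", "lobby", "granted"),
    ("2024-05-01T08:00:05", "0A1B2C", "datacenter", "granted"),  # 600 m in 5 s
    ("2024-05-01T08:02:00", "0D0E0F", "lobby", "granted"),       # revoked card
    ("2024-05-01T08:03:00", "FFFFFF", "floor2", "granted"),      # never issued
    ("2024-05-01T08:04:00", "112233", "lobby", "denied"),        # ignored
    ("2024-05-01T08:05:00", "112233", "floor2", "granted"),      # first time here
]

def granted(events):
    return [e for e in events if e[3] == "granted"]

def unissued_or_inactive(events, issued=ISSUED):
    """SPL lookup equivalent: granted IDs with no holder or a non-active status."""
    flagged = {}
    for _, cred, reader, _ in granted(events):
        holder, status = issued.get(cred, (None, None))
        if holder is None or status != "active":
            flagged.setdefault(cred, set()).add(reader)
    return flagged

def first_seen_readers(events, baseline=BASELINE):
    """KQL leftanti-join equivalent: (credential, reader) pairs absent from baseline."""
    return sorted({(c, r) for _, c, r, _ in granted(events)} - baseline)

def impossible_travel(events, pos=READER_POS, max_mps=2.0):
    """Consecutive grants for one credential implying movement faster than max_mps."""
    last, hits = {}, []
    for ts, cred, reader, _ in sorted(granted(events)):
        t = datetime.fromisoformat(ts)
        if cred in last:
            t0, r0 = last[cred]
            secs = (t - t0).total_seconds()
            if dist(pos[r0], pos[reader]) > max_mps * max(secs, 1):
                hits.append((cred, r0, reader, secs))
        last[cred] = (t, reader)
    return hits
```

In production the three functions would run against the SIEM export rather than the inline list; the baseline set is what the KQL `BadgeReaderBaseline_CL` table holds.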
Common RFID security mistakes
- Trusting custom MIFARE Classic keys. CRYPTO1 is broken; custom keys only delay.
- Assuming higher frequency means secure. 13.56 MHz MIFARE Classic is broken.
- No credential reconciliation. Without it, a cloned badge is invisible.
- Banning tools instead of fixing credentials. The card technology is the control.
Proxmark3 RFID security checklist
- Inventory credential technology and frequency at every reader.
- Flag and schedule replacement of all 125 kHz and MIFARE Classic credentials.
- Audit MIFARE Classic for default and crackable custom keys (authorized lab only).
- Migrate to DESFire EV3 / iCLASS SE / mobile credentials; eliminate default keys.
- Deploy anti-cloning readers; add MFA at sensitive doors.
- Reconcile every granted credential against the issuance database in the SIEM.
- Alert on un-issued IDs, impossible travel, and first-seen-reader anomalies.
- Maintain a prioritized migration roadmap by exposure.
The takeaway
Proxmark3 RFID security is about auditing your own credentials to depth, then migrating off CRYPTO1 and 125 kHz to DESFire EV3 or AES-based credentials — while reconciling badge logs to catch the clones in the meantime. Continue with Flipper Zero NFC risk and HackRF defensive RF awareness, or browse the full Hardware Security pillar.
Training & tools referenced
Disclosure: Some links below are affiliate links. If you buy through them, darkpwn may earn a commission at no extra cost to you. We only recommend training and tools we actually use in our own lab, and affiliate links never influence editorial coverage.
- Proxmark3 RDV4: the RFID research platform used for the credential audits in this guide (lab hardware).
- TryHackMe: authorized labs to build RFID and access-control security skills (security training).
Frequently asked questions
What is a Proxmark3 used for in defense?
A Proxmark3 is the reference RFID research tool defenders use to audit access credentials — identifying card technology, testing whether MIFARE Classic cards still use default or crackable keys, and validating that readers reject cloned cards. It is more capable than a Flipper Zero because it can run nested and hardnested attacks against MIFARE Classic to prove key weakness in a lab.
How is a Proxmark3 different from a Flipper Zero?
The Flipper Zero is a consumer multi-tool good for default-key MIFARE Classic and legacy 125 kHz cards. The Proxmark3 is a dedicated RFID platform that can crack non-default MIFARE Classic keys (nested/hardnested), analyze low-level protocol behavior, and audit credentials a Flipper cannot — which is why it is the auditor's tool.
How do you detect a cloned RFID badge?
Because a clone is identical at the reader, detect it in the access-control system: a badge ID that is not in your issuance database, the same credential used at impossible-travel speed, or use from a reader the credential has never touched. Deploy readers with anti-cloning checks for prevention.
What should replace MIFARE Classic and 125 kHz cards?
Migrate to MIFARE DESFire EV3 or other AES-based credentials, iCLASS SE/Seos, or mobile credentials with dynamic authentication. Eliminate default keys first, then plan the technology migration; NIST SP 800-116 Rev 1 guides higher-assurance PIV deployments.