Hardware Security

Proxmark3 RFID Security for Defenders

A defender's guide to Proxmark3 RFID security — auditing 125 kHz and MIFARE Classic credentials, detecting cloned badges, and migrating to DESFire EV3 and AES.

A Proxmark3 RDV4 device with RFID test cards on a dark workbench under low red light
Threat reference

For a defender, Proxmark3 RFID security work is credential auditing: using the reference RFID research tool to prove which of your access cards are weak before an attacker does. Where a Flipper Zero handles default-key and legacy cards, the Proxmark3 goes further, recovering non-default MIFARE Classic keys with nested and hardnested attacks and exposing low-level protocol behavior. That makes it the auditor's instrument for answering one question: can our badges be cloned, and what do we migrate to? This guide is the defensive playbook.

An unauthorized RFID device at your perimeter is a hardware addition — T1200 — Hardware Additions in MITRE ATT&CK. The defensive use of the same tool is to find the weak credential first.

What is a Proxmark3 and why does it matter for defenders?

The Proxmark3 (commonly the RDV4) is a dedicated RFID/NFC research platform that reads, analyzes, and tests both 125 kHz (low-frequency) and 13.56 MHz (high-frequency) credentials. Its defensive value is depth: it does not just copy default-key cards, it can recover custom MIFARE Classic keys in a lab. The nested attack needs one known key (typically a default key left in some sector) and recovers the rest; hardnested handles cards whose PRNG was hardened against the plain nested attack; and on older cards the darkside attack can bootstrap a first key when none is known. That chain is exactly how you prove whether a deployed card is actually secure or just appears to be.

For a defender running an authorized access-control audit, that depth is the point. A card that resists a Flipper might still fall to a Proxmark3, and knowing which is true for your badges is what prioritizes the migration budget.

What RFID credentials are weak, and what replaces them?

Credential                               Security          Auditor's verdict
125 kHz (HID Prox, EM4100, Indala)       None (plain ID)   Replace: trivially cloned
MIFARE Classic (CRYPTO1)                 Broken cipher     Replace: crackable even with custom keys
MIFARE DESFire EV1                       AES, strong       Acceptable; EV3 preferred
MIFARE DESFire EV3 / iCLASS SE / Seos    Modern crypto     Recommended target
Mobile credentials (NFC/BLE)             Dynamic auth      Strongest; phishing-resistant

The migration story is consistent with the Flipper Zero NFC risk: the frequency does not determine security, the cryptography does. 125 kHz and MIFARE Classic are the replace-now population. One caveat applies to every row: the verdicts assume the reader actually performs the card's cryptographic authentication. A reader configured to accept the UID/CSN alone turns even a DESFire EV3 card into a plain, replayable ID, so the audit must check reader configuration as well as card technology.
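To make the table's distinction concrete, here is an added model (not Proxmark3 code, and not the DESFire or Seos wire protocol) of a reader facing three kinds of card: a static-ID card, a keyed card that answers a fresh challenge, and a replay card built from a sniffed exchange. The HMAC-based challenge-response, the 16-byte nonce and the sample IDs are assumptions for the illustration. The point it shows: a static ID is cloned by copying, a replayed keyed answer fails, an un-issued ID fails regardless of technology, and a clone built from a recovered key (the CRYPTO1 case) passes, which is why key recovery in the lab is the audit's decisive test.

```python
import hashlib
import hmac
import secrets

_MISSING = object()


class StaticIdCard:
    """125 kHz-style credential: the card only ever emits one fixed ID."""

    def __init__(self, card_id: bytes):
        self.card_id = card_id

    def respond(self, challenge: bytes) -> bytes:
        return self.card_id  # challenge ignored; the reply never changes


class KeyedCard:
    """Credential holding a per-card secret that answers a fresh challenge.
    Models the principle behind DESFire EV3 / Seos authentication, not the
    actual NXP or HID wire protocol (assumption for this illustration)."""

    def __init__(self, card_id: bytes, key: bytes):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class ReplayCard:
    """What a sniffer can build without the key: replays one captured reply."""

    def __init__(self, card_id: bytes, captured_reply: bytes):
        self.card_id = card_id
        self._captured = captured_reply

    def respond(self, challenge: bytes) -> bytes:
        return self._captured


class Reader:
    """key_db maps card_id -> per-card key, or None for a static-ID credential."""

    def __init__(self, key_db: dict):
        self.key_db = key_db

    def authenticate(self, card) -> bool:
        key = self.key_db.get(card.card_id, _MISSING)
        if key is _MISSING:
            return False  # never issued
        challenge = secrets.token_bytes(16)  # fresh nonce on every presentation
        reply = card.respond(challenge)
        if key is None:  # static credential: the reader can only compare the ID
            return hmac.compare_digest(reply, card.card_id)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(reply, expected)


def simulate() -> dict:
    """Run legitimate, cloned and replayed presentations; return granted/denied per case."""
    static_id = bytes.fromhex("0a0b0c0d0e")        # constructed sample 125 kHz ID
    keyed_id = bytes.fromhex("04a1b2c3d4e580")     # constructed sample 7-byte UID
    keyed_key = secrets.token_bytes(16)
    reader = Reader({static_id: None, keyed_id: keyed_key})

    legit_keyed = KeyedCard(keyed_id, keyed_key)
    # Attacker sniffs one legitimate exchange and replays its answer.
    sniffed_challenge = secrets.token_bytes(16)
    replay = ReplayCard(keyed_id, legit_keyed.respond(sniffed_challenge))

    return {
        "static_legit": reader.authenticate(StaticIdCard(static_id)),
        "static_clone": reader.authenticate(StaticIdCard(static_id)),  # a copy is byte-identical
        "keyed_legit": reader.authenticate(legit_keyed),
        "keyed_replay": reader.authenticate(replay),
        # A clone built from a recovered key is indistinguishable: the CRYPTO1 case.
        "keyed_clone_with_recovered_key": reader.authenticate(KeyedCard(keyed_id, keyed_key)),
        "unissued_static_id": reader.authenticate(StaticIdCard(bytes(5))),
    }


if __name__ == "__main__":
    for case, ok in simulate().items():
        print(f"{case:32s} {'granted' if ok else 'denied'}")
```

The `keyed_replay` case is the property that distinguishes "dynamic auth" from a static ID; the `keyed_clone_with_recovered_key` case is why a broken cipher such as CRYPTO1 collapses back to the static-ID row despite having keys.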

How to detect cloned RFID credentials

A clone presents the same identifier, and for MIFARE Classic the same keys and sector data, so the reader cannot tell it from the original. Detection therefore lives in the access-control data, the same principle as broken access control detection for web apps, applied to doors.

A badge that was never issued

The cleanest signal: a credential ID that authenticates but is not in your issuance database, or is there with a revoked or expired status. That is a rogue or cloned card by definition. The query below assumes the issuance export is loaded as a Splunk lookup named issued_credentials with credential_id, holder and status fields.

SPL: Badge ID Not in the Issuance System (Rogue or Cloned Card)
index=physical sourcetype=access:badge action=granted
| lookup issued_credentials credential_id OUTPUT holder, status
| where isnull(holder) OR status!="active"
| stats count, values(reader_id) AS readers by credential_id
| sort - count

Use from an anomalous reader

For environments on Microsoft Sentinel, the same logic in KQL flags a credential at a reader where that credential has never been seen: any (credential, reader) pair absent from a baseline table (BadgeReaderBaseline_CL here, populated from a trailing window of normal use) is surfaced with its first occurrence. A clone moving through the building shows up as a burst of such first-seen pairs.

KQL: Credential Used From an Unenrolled or Anomalous Reader
AccessBadge_CL
| where Action_s == "granted"
| summarize firstReader = min(TimeGenerated) by CredentialId_s, ReaderId_s
| join kind=leftanti (BadgeReaderBaseline_CL) on CredentialId_s, ReaderId_s
| project TimeGenerated = firstReader, CredentialId_s, ReaderId_s
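The two detections above, plus the impossible-travel check from the checklist, as an added Python example run over a constructed badge log. It is not code from this page's SIEM queries or from any access-control product; the log lines, issuance export, baseline table, site map and the 25-minute minimum transit time are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed badge log (not from a real system): ts,credential_id,reader_id,action
SAMPLE_LOG = """\
2024-05-02T08:01:12Z,C1001,LOBBY-N,granted
2024-05-02T08:02:40Z,C1001,FLOOR3-E,granted
2024-05-02T08:03:05Z,C2045,LOBBY-N,granted
2024-05-02T08:07:19Z,C1001,DC-HALL,granted
2024-05-02T08:09:00Z,C9999,DC-HALL,granted
2024-05-02T08:11:30Z,C2045,WAREHOUSE-B,granted
2024-05-02T08:12:02Z,C3310,LOBBY-N,granted
2024-05-02T08:14:45Z,C9999,LOBBY-N,denied
"""

# Constructed issuance export: credential_id -> (holder, status)
ISSUED = {
    "C1001": ("a.ngo", "active"),
    "C2045": ("m.reyes", "active"),
    "C3310": ("former.contractor", "revoked"),
}

# Constructed baseline of (credential, reader) pairs seen during a learning window
BASELINE = {("C1001", "LOBBY-N"), ("C1001", "FLOOR3-E"), ("C2045", "LOBBY-N")}

# Constructed site map: reader -> site, and minimum travel time between sites (minutes)
READER_SITE = {"LOBBY-N": "HQ", "FLOOR3-E": "HQ", "DC-HALL": "HQ", "WAREHOUSE-B": "WAREHOUSE"}
MIN_TRANSIT_MIN = {frozenset({"HQ", "WAREHOUSE"}): 25}


def parse_events(text):
    """Parse the CSV-style log into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, cred, reader, action = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "credential_id": cred, "reader_id": reader, "action": action})
    return events


def unissued_credentials(events, issued):
    """SPL equivalent: granted events whose credential is missing or not active in issuance."""
    hits = defaultdict(lambda: {"count": 0, "readers": set()})
    for e in events:
        if e["action"] != "granted":
            continue
        rec = issued.get(e["credential_id"])
        if rec is None or rec[1] != "active":
            hits[e["credential_id"]]["count"] += 1
            hits[e["credential_id"]]["readers"].add(e["reader_id"])
    return {c: {"count": v["count"], "readers": sorted(v["readers"])} for c, v in hits.items()}


def first_seen_reader(events, baseline):
    """KQL equivalent: earliest granted use of each (credential, reader) pair not in the baseline."""
    first = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["credential_id"], e["reader_id"])
        if e["action"] == "granted" and key not in baseline and key not in first:
            first[key] = e["ts"]
    return first


def impossible_travel(events, reader_site, min_transit):
    """Consecutive grants for one credential at different sites faster than a person could move."""
    by_cred = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "granted":
            by_cred[e["credential_id"]].append(e)
    alerts = []
    for cred, evs in by_cred.items():
        for prev, cur in zip(evs, evs[1:]):
            s1, s2 = reader_site[prev["reader_id"]], reader_site[cur["reader_id"]]
            if s1 == s2:
                continue  # same site: no travel constraint modelled here
            minutes = (cur["ts"] - prev["ts"]).total_seconds() / 60
            if minutes < min_transit.get(frozenset({s1, s2}), 0):
                alerts.append((cred, prev["reader_id"], cur["reader_id"], round(minutes, 1)))
    return alerts


def run(text=SAMPLE_LOG):
    events = parse_events(text)
    return {
        "unissued": unissued_credentials(events, ISSUED),
        "first_seen": first_seen_reader(events, BASELINE),
        "impossible_travel": impossible_travel(events, READER_SITE, MIN_TRANSIT_MIN),
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

On the sample log the three detections fire on different credentials: C9999 (never issued) and C3310 (revoked) hit the issuance check, the DC-HALL and WAREHOUSE-B grants surface as first-seen pairs, and C2045 trips impossible travel by reaching the warehouse eight minutes after the HQ lobby. The first-seen check is noisy on its own (a new starter trips it too), which is why the checklist pairs it with the issuance reconciliation.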

How to run a Proxmark3 credential audit

In an authorized physical-security engagement on systems you own:

  1. Identify each credential’s technology and frequency at every reader.
  2. Test 125 kHz cards — they are plain IDs; confirm the replace list.
  3. Test MIFARE Classic for default and crackable custom keys (nested/hardnested in a lab) to prove real weakness.
  4. Validate reader anti-cloning. No reader can reject a byte-perfect clone of a static credential; anti-cloning only holds when the card authenticates cryptographically and the reader is configured to require that authentication rather than accepting the UID/CSN. Confirm both with an emulated or cloned credential at each reader type.
  5. Document the migration roadmap by reader, prioritized by exposure.
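As an added example of the triage behind step 3, here is a script that reads a MIFARE Classic key file recovered in an authorized lab run and turns it into an audit finding. It is not Proxmark3 client code. It assumes the key-file layout the Iceman client uses for hf-mf-<UID>-key.bin (one 6-byte key A per sector, then one 6-byte key B per sector: 192 bytes for a 1K card, 480 for a 4K card; confirm against your client version), and the sample file and its keys are constructed for the illustration. The default-key list is a subset of the well-known transport keys in the Proxmark3 dictionary.

```python
from collections import Counter

# Well-known default/transport keys (subset of the Proxmark3 default dictionary).
DEFAULT_KEYS = {bytes.fromhex(k) for k in (
    "FFFFFFFFFFFF", "A0A1A2A3A4A5", "D3F7D3F7D3F7", "000000000000",
    "B0B1B2B3B4B5", "AABBCCDDEEFF", "4D3A99C351DD", "1A982C7E459A",
    "714C5C886E97", "587EE5F9350F", "A0478CC39091", "533CB6C723F6",
    "8FD0A4F256E9",
)}


def parse_key_file(data: bytes):
    """Return [(key_a, key_b), ...] per sector from a key dump (assumed layout, see above)."""
    if len(data) % 12:
        raise ValueError("key file length must be a multiple of 12 bytes")
    sectors = len(data) // 12
    if sectors not in (16, 40):
        raise ValueError(f"unexpected sector count {sectors}; expected 16 (1K) or 40 (4K)")
    keys_a = [data[i * 6:(i + 1) * 6] for i in range(sectors)]
    keys_b = [data[(sectors + i) * 6:(sectors + i + 1) * 6] for i in range(sectors)]
    return list(zip(keys_a, keys_b))


def classify(sector_keys):
    """Per-sector view: which key slots are on a default key, and whether A == B."""
    return [{
        "sector": n,
        "key_a": ka.hex().upper(), "a_default": ka in DEFAULT_KEYS,
        "key_b": kb.hex().upper(), "b_default": kb in DEFAULT_KEYS,
        "a_eq_b": ka == kb,
    } for n, (ka, kb) in enumerate(sector_keys)]


def verdict(rows):
    """Audit finding for the card. Every CRYPTO1 outcome ends in 'replace'; the
    finding only explains how cheaply the card falls."""
    n_default = sum(r["a_default"] + r["b_default"] for r in rows)
    distinct = len({r["key_a"] for r in rows} | {r["key_b"] for r in rows})
    if n_default == 2 * len(rows):
        finding = "all sectors on default keys: clonable with any reader, no attack needed"
    elif n_default:
        finding = ("mixed default/custom keys: a default sector seeds the nested attack, "
                   "so every custom key is recovered")
    else:
        finding = "custom keys throughout: still recovered (darkside/nested/hardnested); CRYPTO1 is broken"
    reuse = Counter(r["key_a"] for r in rows).most_common(1)[0]
    return {"sectors": len(rows), "default_key_slots": n_default, "distinct_keys": distinct,
            "most_reused_key_a": reuse, "finding": finding, "verdict": "replace"}


def sample_key_file() -> bytes:
    """Constructed 1K dump: MAD key in sector 0, custom keys in sectors 1-3, defaults elsewhere."""
    ff = bytes.fromhex("FFFFFFFFFFFF")
    custom_a, custom_b = bytes.fromhex("1E5F6A7B8C9D"), bytes.fromhex("D0E1F2A3B4C5")
    keys_a = [bytes.fromhex("A0A1A2A3A4A5")] + [custom_a] * 3 + [ff] * 12
    keys_b = [ff] + [custom_b] * 3 + [ff] * 12
    return b"".join(keys_a + keys_b)


def audit(data: bytes = None):
    """Parse, classify and judge one key file; returns (per-sector rows, verdict)."""
    rows = classify(parse_key_file(data if data is not None else sample_key_file()))
    return rows, verdict(rows)


if __name__ == "__main__":
    rows, v = audit()
    for r in rows:
        flags = ("A:default " if r["a_default"] else "A:custom  ") + ("B:default" if r["b_default"] else "B:custom ")
        print(f"sector {r['sector']:2d}  {r['key_a']}  {r['key_b']}  {flags}")
    print(v)
```

Run it against each `hf-mf-<UID>-key.bin` the lab session produced to get a per-card line for the roadmap; the distinct-key count is useful for the migration estimate because a site with one custom key across all cards falls in one nested run, not one per card.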

How to harden RFID access control

  • Multi-factor at sensitive doors (badge + PIN/biometric) so a clone alone fails.
  • Reconcile credentials continuously against the issuance system (detection above).
  • Rolling/dynamic credentials over any static, replayable ID.

Common RFID security mistakes

  • Trusting custom MIFARE Classic keys. CRYPTO1 is broken; custom keys only delay.
  • Assuming higher frequency means secure. 13.56 MHz MIFARE Classic is broken.
  • No credential reconciliation. Without it, a cloned badge is invisible.
  • Banning tools instead of fixing credentials. The card technology is the control.

Proxmark3 RFID security checklist

  1. Inventory credential technology and frequency at every reader.
  2. Flag and schedule replacement of all 125 kHz and MIFARE Classic credentials.
  3. Audit MIFARE Classic for default and crackable custom keys (authorized lab only).
  4. Migrate to DESFire EV3 / iCLASS SE / mobile credentials; eliminate default keys.
  5. Deploy anti-cloning readers; add MFA at sensitive doors.
  6. Reconcile every granted credential against the issuance database in the SIEM.
  7. Alert on un-issued IDs, impossible travel, and first-seen-reader anomalies.
  8. Maintain a prioritized migration roadmap by exposure.

The takeaway

Proxmark3 RFID security is about auditing your own credentials to depth, then migrating off CRYPTO1 and 125 kHz to DESFire EV3 or AES-based credentials — while reconciling badge logs to catch the clones in the meantime. Continue with Flipper Zero NFC risk and HackRF defensive RF awareness, or browse the full Hardware Security pillar.

Training & tools referenced

Disclosure: Some links below are affiliate links. If you buy through them, darkpwn may earn a commission at no extra cost to you. We only recommend training and tools we actually use in our own lab, and affiliate links never influence editorial coverage.

  • Proxmark3 RDV4 (lab hardware): the RFID research platform used for the credential audits in this guide.
  • TryHackMe (security training): authorized labs to build RFID and access-control security skills.

Frequently asked questions

What is a Proxmark3 used for in defense?

A Proxmark3 is the reference RFID research tool defenders use to audit access credentials — identifying card technology, testing whether MIFARE Classic cards still use default or crackable keys, and validating that readers reject cloned cards. It is more capable than a Flipper Zero because it can run nested and hardnested attacks against MIFARE Classic to prove key weakness in a lab.

How is a Proxmark3 different from a Flipper Zero?

The Flipper Zero is a consumer multi-tool good for default-key MIFARE Classic and legacy 125 kHz cards. The Proxmark3 is a dedicated RFID platform that can crack non-default MIFARE Classic keys (nested/hardnested), analyze low-level protocol behavior, and audit credentials a Flipper cannot — which is why it is the auditor's tool.

How do you detect a cloned RFID badge?

Because a clone is identical at the reader, detect it in the access-control system: a badge ID that is not in your issuance database, the same credential used at impossible-travel speed, or use from a reader the credential has never touched. Deploy readers with anti-cloning checks for prevention.

What should replace MIFARE Classic and 125 kHz cards?

Migrate to MIFARE DESFire EV3 or other AES-based credentials, iCLASS SE/Seos, or mobile credentials with dynamic authentication. Eliminate default keys first, then plan the technology migration; NIST SP 800-116 Rev 1 guides higher-assurance PIV deployments.
