Exploring RFID technology with Proxmark3
RFID technology became rather ubiquitous in recent years, and its security has become topic of many studies.
I decided to gain some hands-on experience in this topic and as a suitable tool I can recommend the
, which is a universal LF/HF smartcard reader, writer,
To install Proxmark, download the latest code from SVN repository:
svn checkout http://proxmark3.googlecode.com/svn/trunk/ proxmark3-read-only
vi common/Makefile.common and change CROSS prefix for your ARM crosscompiler (I have arm-none-eabi-, which I installed using crossdev on the Gentoo Linux)
Notice that this just uses the provided fpga/fpga.bit file. If you want to recompile the Verilog code, you have to install
Xilinx Webpack (free of charge), see some hints here
Notice also that I had troubles when I plugged Proxmark to a USB3 port or to USB2 via a HUB - plug it to a USB2 port directly in the computer!
Start the client program:
Check whether antennas are OK
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait.
# LF antenna: 23,23 V @ 125.00 kHz
# LF antenna: 9,80 V @ 134.00 kHz
# LF optimal: 28,47 V @ 122,45 kHz
# HF antenna: 12,63 V @ 13.56 MHz
Now you can issue further commands - see the Proxmark documentation ...
Here is my Proxmark setup with quick and dirty antennas - but they work well.
I did not have much time for RFID experiments recently; I have just successfully reproduced the Mifare classic cracking
with some old RFID card for keyless building entry. I have also checked which files are stored in a Czech
biometric passport and that a hash of the data signed by the State Printing Works of Securities of the Czech Republic (active authentication) is present.
I have tested also a few examples of the Prague "Opencard" public transport card (btw. a project rather famous as a corruption case in our country that become rather expensive for Prague city),
but all of them were already Mifare Desfire, which can probably be cracked by side-channel cryptanalysis
, but that is nontrivial and requires different tools.
NOTE: In the meantime Mifare DESFIRE has been hacked, see links below.
Moreover, not all RFID formats are presently supported by Proxmark, one example being the proprietary LEGIC protocol (www.legic.com),
which is being used for example in RFID locks sold by Kaba.
Here are some further links to useful programs and papers (not all of them support Proxmark, but a PCSC compatible reader is needed anyway if you want to test Proxmark as emulator)
and information from the RFID field:
Timo Kasper's PhD thesis on Security analysis of pervasive wireless devices
which covers the recent side channel cryptanalysis of Mifare Desfire RFID cards, which are widely employed (e.g. Prague's Opencard for public transport)
Notice that the side channel cryptanalysis of RFID cards is much more technically demanding than that of, say, Keeloq chips.
ISO 14443 emulator based on ATxmega MCU
Maybe more information will be added during time...
My Electronics page
My hobby page
My main page with e-mail contact
TOP of my family pages