An Introduction to RFID Hacking
This talk provides an introduction to RFID hacking, focusing on the vulnerabilities of low-frequency RFID systems that lack encryption. The speakers demonstrate how to capture, clone, and brute-force RFID badges using the Flipper Zero. The presentation highlights the importance of treating RFID credentials as sensitive secrets and discusses physical security measures to mitigate unauthorized access.
Why Your Office Badge Is Just a Four-Byte Password Waiting to Be Stolen
TLDR: Low-frequency RFID systems like HID Prox and EM4100 are fundamentally insecure because they transmit credentials in plaintext without encryption. Attackers can easily clone these badges using a Flipper Zero or Proxmark3 by simply sniffing the signal or brute-forcing the ID. Organizations must stop treating these badges as secure and transition to encrypted, high-frequency alternatives to prevent unauthorized physical access.
Physical security is often the blind spot in an otherwise hardened infrastructure. We spend thousands of hours auditing web applications, patching zero-days, and segmenting networks, yet we still rely on 125 kHz RFID badges that broadcast their identity to anyone with a cheap antenna. If you are still using legacy HID Prox or EM4100 cards, you are essentially leaving your office doors unlocked.
The Physics of the Problem
At the core of these legacy RFID systems is a simple transformer. When a badge enters the electromagnetic field of a reader, the reader induces a current in the badge's internal coil. This power wakes up the chip, which then broadcasts its unique ID back to the reader. There is no handshake, no challenge-response, and absolutely no encryption. You cannot encrypt physics.
Because the communication is unencrypted, capturing a badge ID is trivial. A researcher can hide a long-range reader near an entrance, wait for employees to walk by, and scrape every badge ID that passes through the field. Once the ID is captured, cloning it onto a blank T5577 tag takes seconds. The reader cannot distinguish between the original card and the clone because it only cares about the four-byte ID number being presented.
Exploiting the Protocol
During a recent demonstration, it was clear how quickly these systems fall to basic brute-force attacks. Using a Flipper Zero, an attacker can cycle through potential ID numbers against a reader. Since the protocol is passive and the reader is constantly polling for a response, the device simply waits for the reader to ask for an ID and then provides the next one in the sequence.
For common formats like HID Prox, the ID space is small enough that a brute-force attack can succeed in under a minute. Even if the reader has a rate limit, the sheer simplicity of the protocol means that an attacker can just leave a device in place to perform the attack over several hours.
If you are conducting a physical penetration test, the workflow is straightforward:
- Identify the reader type by checking the manufacturer or using a Proxmark3 to analyze the frequency.
- If it is a 125 kHz system, assume it is vulnerable.
- Use a device to sniff the ID of a legitimate badge or, if you lack a target, use a brute-force dictionary to cycle through common facility codes.
- Emulate the badge using your hardware to gain entry.
This falls squarely under OWASP A07:2021 – Identification and Authentication Failures. The system fails to verify the authenticity of the credential, relying entirely on the possession of a static, easily replicable identifier.
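As an added defender-side illustration (not code from the talk), here is a Python check that decodes the raw 26-bit frames an access controller logs and flags the brute-force pattern described above: many distinct, parity-valid but unknown card numbers hitting one reader inside a short window, in consecutive order. It assumes the common 26-bit H10301 layout (8-bit facility code, 16-bit card number, two parity bits) and a constructed log format with `reader=`, `result=` and `raw=` fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed controller log (not real data): a good read, a sequential run of denied IDs, a corrupt frame.
LOG = """\
2024-05-06T08:00:01 reader=lobby-east result=GRANTED raw=10010101000000000000001011
2024-05-06T08:00:10 reader=lobby-east result=DENIED raw=10010101000000011111010001
2024-05-06T08:00:12 reader=lobby-east result=DENIED raw=10010101000000011111010010
2024-05-06T08:00:14 reader=lobby-east result=DENIED raw=10010101000000011111010100
2024-05-06T08:00:16 reader=lobby-east result=DENIED raw=10010101000000011111010111
2024-05-06T08:00:18 reader=lobby-east result=DENIED raw=10010101000000011111011000
2024-05-06T08:00:20 reader=lobby-east result=DENIED raw=10010101000000011111011001
2024-05-06T08:05:00 reader=server-room result=DENIED raw=10010101000000011111010001
"""
LINE_RE = re.compile(r"^(\S+) reader=(\S+) result=(\S+) raw=([01]{26})$")

def decode_26bit(bits):
    """Assumed 26-bit H10301 layout: even parity | 8-bit facility | 16-bit card | odd parity.
    Returns (facility, card), or None when the frame is malformed or a parity bit is wrong."""
    even_ok = len(bits) == 26 and bits[:13].count("1") % 2 == 0  # bit 1 covers bits 2-13
    odd_ok = len(bits) == 26 and bits[13:].count("1") % 2 == 1   # bit 26 covers bits 14-25
    return (int(bits[1:9], 2), int(bits[9:25], 2)) if even_ok and odd_ok else None

def flag_bruteforce(log_text, window=timedelta(seconds=60), threshold=5):
    """Map reader -> sorted distinct denied card numbers for every reader that saw at
    least `threshold` distinct, parity-valid, denied cards inside one `window`."""
    by_reader = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip unparseable lines rather than crash
        decoded = decode_26bit(m.group(4))
        if m.group(3) == "DENIED" and decoded is not None:
            by_reader[m.group(2)].append((datetime.fromisoformat(m.group(1)), decoded[1]))
    alerts = {}
    for reader, denied in by_reader.items():
        denied.sort()
        for i, (start, _) in enumerate(denied):
            cards = {card for ts, card in denied[i:] if ts - start <= window}
            if len(cards) >= threshold:
                alerts[reader] = sorted(cards)
                break
    return alerts

def is_sequential(cards):
    """True when the cards form one consecutive run: an emulator stepping through the
    ID space looks like this, a handful of mis-read badges does not."""
    return len(cards) > 1 and cards == list(range(cards[0], cards[0] + len(cards)))
```

The corrupt frame at 08:00:20 fails its odd-parity check and is excluded, so the alert counts only frames a real controller would have tried to match.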
The Reality of Tamper Protection
Many security teams believe their readers are safe because they have "tamper protection." They assume that if someone tries to open the reader to access the wiring, an alarm will trigger. In practice, this is rarely the case.
If you are on-site, take a screwdriver and carefully remove the reader housing. In many deployments, the tamper switch is either not connected to the alarm system or has been disabled by a technician who got tired of false positives. Even if it is active, "alarm fatigue" is a real phenomenon. If a reader triggers an alarm every time a door is forced or a badge is misread, security staff will eventually ignore the alerts.
An attacker can use this to their advantage. By triggering the tamper switch, waiting for the alarm to be silenced, and then repeating the process, you can effectively train the security team to ignore the very alerts that should be stopping you. Once they stop checking, you have a clear path to the Wiegand wires. Once you have access to the wires, you can intercept the plaintext data being sent to the central controller, effectively bypassing the reader entirely.
Moving Beyond Legacy Hardware
Defending against this requires a shift in mindset. You cannot patch a 125 kHz reader. If your organization is still using these, the only real solution is a hardware refresh. Move to high-frequency systems that support mutual authentication, such as MIFARE DESFire EV2 or EV3. These systems require a cryptographic handshake between the card and the reader, meaning that even if an attacker sniffs the airwaves, they only capture encrypted, non-reusable data.
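To make that difference concrete, this added Python simulation (not DESFire's actual protocol, and not any vendor's code) puts a static-ID reader beside a simplified challenge-response reader and checks whether a recorded reply is reusable. It models only the card-to-reader direction of the handshake, using an HMAC over a fresh reader nonce; the card ID and key are constructed for the example.

```python
import hashlib
import hmac
import secrets
# Constructed for this example: a 4-byte card ID and a per-card secret key.
CARD_ID = b"\x00\x00\x03\xe8"
CARD_KEY = b"constructed-example-key-not-a-real-secret"

class StaticIdCard:
    """Legacy 125 kHz behaviour: the same bytes every time, whoever is asking."""
    def __init__(self, card_id):
        self.card_id = card_id
    def respond(self, _challenge):
        return self.card_id

class ChallengeResponseCard:
    """Simplified stand-in for a keyed card: answers with an HMAC over the reader's nonce."""
    def __init__(self, card_id, key):
        self.card_id, self.key = card_id, key
    def respond(self, challenge):
        return self.card_id + hmac.new(self.key, challenge, hashlib.sha256).digest()

class StaticIdReader:
    """Grants access on possession of a known ID; nothing binds the reply to this session."""
    def __init__(self, allowed_ids):
        self.allowed_ids = set(allowed_ids)
    def poll(self, respond):
        return respond(b"") in self.allowed_ids

class ChallengeResponseReader:
    """Grants access only if the reply is a valid MAC over a nonce chosen right now."""
    def __init__(self, keys_by_id):
        self.keys_by_id = keys_by_id
    def poll(self, respond):
        nonce = secrets.token_bytes(16)
        reply = respond(nonce)
        card_id, tag = reply[:4], reply[4:]
        key = self.keys_by_id.get(card_id)
        return key is not None and hmac.compare_digest(
            tag, hmac.new(key, nonce, hashlib.sha256).digest())

def replay_captured_reply(reader, card):
    """Model the sniffing scenario from the talk: observe one legitimate exchange, then
    present the recorded reply unchanged. Returns True if the reader accepts the replay."""
    captured = {}
    def observed(challenge):
        captured["reply"] = card.respond(challenge)
        return captured["reply"]
    reader.poll(observed)                                     # legitimate badge-in, overheard
    return reader.poll(lambda _challenge: captured["reply"])  # the recording, presented again
```

The static reader accepts the recording because the reply is the credential; the challenge-response reader rejects it because the recording answers yesterday's nonce, which is the "non-reusable data" property the text describes.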
For those of you currently managing physical security, start by auditing your badge inventory. Identify which employees have access to sensitive areas and ensure their credentials are not part of a legacy, unencrypted system. If you cannot replace the readers immediately, at least implement secondary authentication for high-security zones. A badge should be a convenience, not the sole factor for entry into a server room or a sensitive data center.
Stop trusting the hardware just because it has a vendor logo on the front. If it is broadcasting your identity in the clear, it is not a security device. It is a beacon.