Flipping Locks: Remote Badge Cloning with the Flipper Zero and More
This talk demonstrates techniques for cloning physical RFID access badges using the Flipper Zero and custom-built hardware implants. It covers both low-frequency and high-frequency RFID systems, including methods for bypassing security through reader-side implants and downgrade attacks on multi-class readers. The presentation provides practical, low-cost build instructions for these tools and discusses how to perform these assessments stealthily.
Bypassing Physical Access Control: The Reality of RFID Downgrade Attacks
TLDR: Physical access control systems often rely on insecure, unencrypted RFID protocols that are trivial to clone using low-cost hardware like the Flipper Zero. This research demonstrates how to perform stealthy, remote credential collection using custom-built implants and how to execute downgrade attacks against multi-class readers. Security teams must audit their badge infrastructure to disable legacy protocol support and transition to modern, encrypted standards to mitigate these risks.
Physical security assessments are often treated as a secondary concern compared to network or application penetration testing. Many organizations assume that because a badge reader is mounted on a wall and connected to a backend server, it is inherently secure. This assumption is a massive blind spot. The reality is that the vast majority of legacy RFID badge systems, particularly those using 125kHz HID Prox, transmit data in the clear. If you can get within range of a badge, you can clone it. If you can get within range of a reader, you can harvest credentials.
The Mechanics of RFID Cloning
The core issue with many legacy RFID systems is the lack of mutual authentication and encryption. When a badge is presented to a reader, it broadcasts its facility code and card number. This broadcast is essentially a radio-frequency version of a cleartext password.
Tools like the Flipper Zero have democratized this process, but the real power lies in how you deploy them. During a physical engagement, you are rarely going to stand next to a target and scan their badge. Instead, you use an ESP RFID Tool or similar hardware to create a "rogue reader" implant. By mounting this device near an existing reader and using social engineering—such as a sign instructing employees to use the "new" reader—you can capture every badge ID that passes through that door.
The technical flow is straightforward. The implant captures the Wiegand data, which consists of a facility code and a card number. Once you have this binary data, you can convert it into the hexadecimal format required by the Flipper Zero.
# Example of converting binary Wiegand data to Hex for Flipper
# Binary: 000100001000010100110011
# Remove parity bits, convert to hex: 21 05 39
Once you have the hex code, you can manually add the card to your Flipper Zero. From there, you can either emulate the card directly or write the data to a blank T5577 rewritable RFID card.
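As an added example (not code from the talk), the script below builds and decodes a 26-bit H10301 Wiegand frame, checks both parity bits, and renders the 24 data bits as the three-byte hex a reader log or Flipper-style dump shows; the facility code and card number it uses are constructed, not taken from a real badge.

```python
# Added example, not the talk's code: decode and validate a 26-bit H10301
# Wiegand frame (the format most 125 kHz HID Prox badges use) and render the
# 24 data bits as the three-byte hex a reader log or Flipper-style dump shows.
# Layout: EP | facility code (8 bits) | card number (16 bits) | OP
#   EP = even parity over bits 0-12, OP = odd parity over bits 13-25

def encode_h10301(fc: int, cn: int) -> str:
    """Build the 26-bit frame for a facility code and card number."""
    if not (0 <= fc < 256 and 0 <= cn < 65536):
        raise ValueError("FC must fit in 8 bits, CN in 16 bits")
    data = f"{fc:08b}{cn:016b}"
    ep = "1" if data[:12].count("1") % 2 else "0"   # make first 13 bits even
    op = "0" if data[12:].count("1") % 2 else "1"   # make last 13 bits odd
    return ep + data + op

def parity_ok(frame: str) -> bool:
    """True when the frame has 26 bits and both parity bits check out."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        return False
    return frame[:13].count("1") % 2 == 0 and frame[13:].count("1") % 2 == 1

def decode_h10301(frame: str) -> dict:
    """Return FC, CN and the 3-byte hex of the data bits; reject bad parity."""
    if not parity_ok(frame):
        raise ValueError("not a valid 26-bit H10301 frame")
    data = frame[1:25]                        # strip the two parity bits
    value = int(data, 2)
    return {
        "facility_code": int(data[:8], 2),
        "card_number": int(data[8:], 2),
        "hex": " ".join(f"{b:02X}" for b in value.to_bytes(3, "big")),
    }

if __name__ == "__main__":
    # Constructed sample credential (not a real badge): FC 42, CN 12345
    frame = encode_h10301(42, 12345)
    print(frame, decode_h10301(frame))
    # A single flipped bit is caught by the parity check
    corrupted = frame[:5] + ("0" if frame[5] == "1" else "1") + frame[6:]
    print("corrupted frame passes parity:", parity_ok(corrupted))
```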
Downgrade Attacks on Multi-Class Readers
Modern readers often support both legacy low-frequency (125kHz) and newer, encrypted high-frequency (13.56MHz) protocols. This is where the "multi-class" vulnerability comes into play. These readers are designed to be backward compatible, which means they are forced to support the insecure legacy protocols.
If you encounter a reader that supports both, you can perform a downgrade attack. You capture the high-frequency credential, then write that same data to a low-frequency card. When you present the low-frequency card to the multi-class reader, the reader sees a valid credential and grants access. It does not care that the protocol was downgraded; it only cares that the facility code and card number match its database.
This technique is particularly effective because it bypasses the security controls that organizations believe they have implemented by "upgrading" their readers. They have the hardware, but they have not disabled the legacy support.
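The reader behaviour described above, as an added toy model that is not the talk's code: the multi-class decision that compares only facility code and card number, beside a hardened check that rejects technologies the reader should no longer accept and requires each credential to arrive on the technology it was issued on. It assumes the reader reports the technology of each read, which a real access control system may not expose; the enrollment data and read events are constructed.

```python
# Added example, not the talk's code: a toy model of a multi-class reader's
# access decision. It shows why a 125 kHz (LF) copy of a 13.56 MHz (HF)
# credential is accepted when only FC/CN are compared, and a hardened check
# that also enforces which technology the reader may accept and which
# technology each credential was issued on. It assumes the reader reports
# the technology of each read, which a real PACS may not expose.
# All enrollment data and read events below are constructed.

ENROLLED = {  # (facility_code, card_number) -> technology issued
    (42, 12345): "HF",   # encrypted iCLASS SE / SEOS style badge
    (42, 20001): "LF",   # legacy 125 kHz HID Prox badge still in circulation
}

def authorize_multiclass(fc: int, cn: int, tech: str) -> bool:
    """Behaviour described in the talk: only FC and CN are checked."""
    return (fc, cn) in ENROLLED

def authorize_hardened(fc: int, cn: int, tech: str,
                       reader_policy: frozenset = frozenset({"HF"})) -> bool:
    """Legacy support disabled: reject LF outright and require the credential
    to arrive on the technology it was issued on."""
    if tech not in reader_policy:
        return False
    return ENROLLED.get((fc, cn)) == tech

def downgrade_alerts(reads: list) -> list:
    """Flag reads of an HF-enrolled credential that arrived over LF."""
    return [r for r in reads
            if ENROLLED.get((r["fc"], r["cn"])) == "HF" and r["tech"] == "LF"]

if __name__ == "__main__":
    # Constructed reader events: the HF badge is read normally, then a
    # downgraded LF copy of it is presented at the same door.
    reads = [
        {"door": "lobby", "fc": 42, "cn": 12345, "tech": "HF"},
        {"door": "lobby", "fc": 42, "cn": 12345, "tech": "LF"},
        {"door": "lobby", "fc": 42, "cn": 20001, "tech": "LF"},
    ]
    for r in reads:
        print(r, "multiclass:", authorize_multiclass(r["fc"], r["cn"], r["tech"]),
              "hardened:", authorize_hardened(r["fc"], r["cn"], r["tech"]))
    print("downgrade alerts:", downgrade_alerts(reads))
```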
Real-World Engagement Strategy
In a real-world test, the goal is to remain undetected. Using a clipboard or a small, battery-powered enclosure allows you to carry your reader into a building under the guise of a maintenance worker or an auditor. The iCopy-X is another powerful tool for these scenarios, especially when dealing with iCLASS SE or SEOS cards that require more sophisticated handling.
When you are on-site, look for the "gooseneck" pedestals in parking garages. These are prime targets for implants because they are often isolated and rarely monitored. By installing a long-range reader inside a custom-built, weather-resistant enclosure, you can collect credentials from every vehicle that enters the facility.
Defensive Hardening
Defenders must stop relying on the physical hardware to provide security. The most effective mitigation is to disable legacy card support on all readers. This is typically done using a HID configuration card, which allows you to toggle off the 125kHz support.
If your organization is still using 125kHz HID Prox, you are effectively running an open network. The only way to truly secure these systems is to migrate to encrypted standards like HID iCLASS SE or SEOS, and ensure that the readers are configured to reject any legacy protocol attempts. If you are a pentester, your report should focus on the lack of encryption and the presence of legacy protocol support. If the client is not ready to rip and replace their entire infrastructure, they must at least implement compensating controls, such as multi-factor authentication for physical access to sensitive areas like server rooms.
Physical security is not a static state. It is a constant battle against the ease of cloning. If you are not auditing your readers for legacy protocol support, you are leaving the door wide open.