Psychic Paper: Faking Identification Badges with E-Ink
This talk demonstrates a technique for cloning and spoofing physical identification badges using E-Ink displays and ESP32 microcontrollers. The speaker details the process of reverse-engineering the badge's communication protocol and using a custom-built E-Ink interface to display arbitrary, high-fidelity badge images. The presentation provides a practical guide for red teamers to create realistic, low-cost physical access bypass tools.
Cloning Physical Access Badges with E-Ink Displays
TL;DR: This research demonstrates how to bypass physical access controls by cloning RFID/NFC badges and pairing the cloned credential with a low-cost E-Ink display driven by an ESP32 microcontroller. By reverse-engineering badge communication protocols and creating high-fidelity visual replicas, attackers can create convincing, reusable physical credentials. Security teams must move beyond reliance on proximity cards alone and implement multi-factor authentication for physical access to mitigate this risk.
Physical security is often the weakest link in an otherwise hardened environment. While we spend thousands of hours auditing web applications and cloud infrastructure, a simple, low-cost badge clone can often grant an attacker unfettered access to a server room or a restricted office floor. The recent research presented at DEF CON 2024 on using E-Ink displays to "fake" identification badges highlights exactly how trivial this bypass has become.
The Mechanics of the Badge Clone
The core of this technique relies on the fact that many physical access badges are essentially static, unencrypted identifiers. When an attacker captures the data from a badge, they are capturing a fixed value that the reader accepts as proof of identity. The innovation here lies not only in the signal cloning but in the visual deception: using an E-Ink display, an attacker can create a badge that looks identical to a legitimate employee ID, complete with a high-resolution photo and a QR code.
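To make that trust model concrete, here is an added Python example (not code from the talk or from this page) that simulates both sides of the problem: a legacy reader that accepts a static identifier, so a recorded identifier is accepted again as-is, beside a reader and card that run a nonce-based HMAC mutual authentication of the kind the Defensive Considerations section recommends, where a recorded exchange is rejected at the next challenge because the nonce has changed. The card ID, enrolled list and key are constructed sample values, and the protocol is a minimal illustration rather than any particular smart-card standard.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the demonstration; none of these are real credentials.
LEGACY_ENROLLED_IDS = {"0x1F3A9C42"}                 # static IDs a legacy reader trusts
CARD_ID = "card-0042"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # per-card key shared with the reader


def legacy_reader_accepts(transmitted_id: str) -> bool:
    """Legacy proximity model: whoever transmits an enrolled static ID is let in."""
    return transmitted_id in LEGACY_ENROLLED_IDS


def _mac(key: bytes, role: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a role label and the session nonces; the key never goes over the air."""
    return hmac.new(key, role + b"".join(parts), hashlib.sha256).digest()


class Card:
    """A credential that proves possession of its key without ever transmitting it."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id, self.key = card_id, key
        self.nonce = None

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)       # fresh per session
        return self.nonce

    def verify_reader(self, proof: bytes) -> bool:
        return hmac.compare_digest(proof, _mac(self.key, b"reader", self.nonce))

    def respond(self, reader_nonce: bytes) -> bytes:
        return _mac(self.key, b"card", reader_nonce, self.nonce)


class Reader:
    """A reader that issues single-use nonces and proves itself to the card first."""

    def __init__(self, enrolled: dict):
        self.enrolled = enrolled                   # card_id -> key
        self.outstanding = set()                   # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def prove(self, card_id: str, card_nonce: bytes) -> bytes:
        key = self.enrolled.get(card_id, b"\x00" * 16)  # unknown card: proof will not verify
        return _mac(key, b"reader", card_nonce)

    def verify(self, card_id: str, reader_nonce: bytes, card_nonce: bytes, response: bytes) -> bool:
        key = self.enrolled.get(card_id)
        if key is None or reader_nonce not in self.outstanding:
            return False
        self.outstanding.discard(reader_nonce)     # each challenge is answerable exactly once
        return hmac.compare_digest(response, _mac(key, b"card", reader_nonce, card_nonce))


def run_session(reader: Reader, card: Card, capture=None) -> bool:
    """Genuine mutual-authentication exchange; returns True when access is granted.
    If `capture` is a list, everything sent over the air is appended to it."""
    reader_nonce = reader.challenge()
    card_nonce = card.challenge()
    proof = reader.prove(card.card_id, card_nonce)
    if not card.verify_reader(proof):            # card refuses to answer an unknown reader
        return False
    response = card.respond(reader_nonce)
    if capture is not None:
        capture.append((card.card_id, reader_nonce, card_nonce, proof, response))
    return reader.verify(card.card_id, reader_nonce, card_nonce, response)


def replay_transcript(reader: Reader, transcript: tuple) -> bool:
    """All a device holding only a recorded exchange (and no key) can do: echo it at a new challenge."""
    card_id, _old_reader_nonce, card_nonce, _proof, response = transcript
    fresh_nonce = reader.challenge()             # the reader never repeats a nonce
    return reader.verify(card_id, fresh_nonce, card_nonce, response)


if __name__ == "__main__":
    print("legacy static ID accepted again:", legacy_reader_accepts("0x1F3A9C42"))
    reader, card, recorded = Reader({CARD_ID: CARD_KEY}), Card(CARD_ID, CARD_KEY), []
    print("genuine mutual-auth session:", run_session(reader, card, recorded))
    print("recorded exchange replayed:", replay_transcript(reader, recorded[0]))
```

The point of the comparison is that the legacy reader's decision depends only on a value that is broadcast in the clear, whereas the mutual-authentication reader's decision depends on a key that never leaves the card; copying what the air interface carries is enough to satisfy the first and useless against the second.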
The hardware setup is surprisingly accessible. The researcher utilized a Waveshare ESP32 driver board to interface with an E-Ink display. The ESP32 acts as the brain, handling the logic for the display and, in more advanced iterations, the NFC/RFID emulation. Because E-Ink is bistable, it retains the image even after the power is removed, making the badge look like a standard, non-electronic plastic card.
Technical Implementation and Challenges
Programming these devices requires a specific workflow. The researcher noted that the Arduino IDE is the standard tool for flashing the ESP32, but it is not without its pitfalls. The driver board expects specific parameters, and the communication between the ESP32 and the display can be finicky.
One of the most critical technical hurdles is the physical integration. To make the badge look authentic, the electronics must be hidden. The researcher used a "sandwich" design, placing the E-Ink display and the NFC/RFID component inside a standard holder wallet.
```cpp
#include <WiFi.h>   // ESP32 Arduino core: provides IPAddress and the Wi-Fi client/AP API

// Network configuration for the ESP32's on-board web server, which accepts updates to the badge image
const char* ssid = "YOUR_SSID";
const char* password = "YOUR_PASSWORD";
// Static IP configuration so the device is reachable at a known address without waiting on DHCP
IPAddress staticIP(192, 168, 0, 150);
IPAddress gateway(192, 168, 0, 1);
IPAddress subnet(255, 255, 255, 0);
```
The use of a static IP and a simple web server on the ESP32 allows for remote updates to the badge's display. If an attacker needs to change the identity on the badge, they simply connect to the device's local network and push a new image. The OWASP Identification and Authentication Failures category is highly relevant here, as these systems rely entirely on "something you have" without any secondary verification.
Real-World Applicability for Pentesters
For a red team engagement, this technique is a game-changer. During a physical penetration test, the primary goal is often to blend in. A standard, blank, or obviously fake badge is a red flag for security guards. A high-fidelity, E-Ink-based badge that displays the correct name, photo, and company logo significantly increases the chances of a successful social engineering attempt.
If you are performing a physical assessment, start by identifying the badge technology used by the target. If they are using legacy 125 kHz proximity cards, they are highly vulnerable to cloning with a Proxmark3. Once you have the card data, you can clone it onto a programmable card and hide it behind your E-Ink display. The visual component is the "psychic paper" that prevents guards from looking too closely at the device.
Defensive Considerations
Defending against this is difficult because the vulnerability lies in the trust model of the physical access system itself. If your organization relies solely on proximity cards for access to sensitive areas, you are effectively operating without authentication.
The most effective mitigation is to implement multi-factor authentication for physical access. This could be as simple as requiring a PIN in addition to the badge scan, or using modern, encrypted smart cards that support mutual authentication. If you are a security manager, audit your physical access logs for anomalies, such as the same badge being used at two different locations in an impossible timeframe.
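An added example (not from the page or the talk) of the log audit suggested above, in Python: it parses constructed badge-reader events and flags any badge that appears at a second site sooner than a person could plausibly have travelled there. The event format, site and door names, badge numbers and the minimum-travel-time table are all assumptions for the demonstration; the check itself is general and works for any number of sites once the table is filled in for the environment.

```python
from datetime import datetime

# Constructed sample of access-control events in the form "timestamp,badge_id,door,site".
# Sites, doors and badge numbers are invented for the demonstration.
SAMPLE_LOG = """\
2024-08-09T08:01:12Z,BADGE-1042,lobby-turnstile,HQ-Building-A
2024-08-09T08:03:40Z,BADGE-1042,server-room,HQ-Building-A
2024-08-09T08:05:05Z,BADGE-1042,east-entrance,Datacenter-Site-B
2024-08-09T09:15:00Z,BADGE-2211,lobby-turnstile,HQ-Building-A
2024-08-09T13:30:00Z,BADGE-2211,east-entrance,Datacenter-Site-B
2024-08-09T13:31:10Z,BADGE-2211,cage-12,Datacenter-Site-B
"""

# Minimum plausible travel time between two sites, in minutes (constructed values).
# Site pairs not listed fall back to DEFAULT_MIN_TRAVEL_MINUTES.
MIN_TRAVEL_MINUTES = {
    frozenset({"HQ-Building-A", "Datacenter-Site-B"}): 45,
}
DEFAULT_MIN_TRAVEL_MINUTES = 30


def parse_events(text):
    """Parse CSV-style lines into (timestamp, badge, door, site) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, door, site = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), badge, door, site))
    events.sort()
    return events


def find_impossible_travel(events, min_travel=MIN_TRAVEL_MINUTES, default=DEFAULT_MIN_TRAVEL_MINUTES):
    """Flag a badge read at a second site sooner than its holder could plausibly get there.

    Two readers accepting the same identifier at two places inside that window means
    either the log is wrong or more than one object is presenting that identifier."""
    alerts = []
    last_seen = {}  # badge -> (timestamp, site, door) of its most recent read
    for ts, badge, door, site in events:
        prev = last_seen.get(badge)
        if prev is not None and prev[1] != site:
            required = min_travel.get(frozenset({prev[1], site}), default)
            elapsed = (ts - prev[0]).total_seconds() / 60
            if elapsed < required:
                alerts.append({
                    "badge": badge,
                    "from": (prev[0], prev[1], prev[2]),
                    "to": (ts, site, door),
                    "elapsed_minutes": round(elapsed, 2),
                    "required_minutes": required,
                })
        last_seen[badge] = (ts, site, door)
    return alerts


def audit(text=SAMPLE_LOG):
    """Run the check over a log and return the alerts (also printed for a human reader)."""
    alerts = find_impossible_travel(parse_events(text))
    for a in alerts:
        print(f"{a['badge']}: {a['from'][1]} -> {a['to'][1]} in {a['elapsed_minutes']} min "
              f"(minimum plausible {a['required_minutes']} min)")
    return alerts


if __name__ == "__main__":
    audit()
```

On the sample data only BADGE-1042 is flagged: it is read in the HQ server room and then at the datacenter entrance 85 seconds later, far inside the 45-minute minimum, while BADGE-2211's four-hour gap between the same two sites is unremarkable. Reads at different doors of the same site are deliberately ignored, since those are the normal movement of one person.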
This research serves as a stark reminder that hardware-level exploits are becoming increasingly accessible. The barrier to entry for physical access bypasses has dropped significantly, and the tools are now cheap enough to be part of any standard red team kit. If you haven't tested your physical security controls against modern cloning techniques, you are likely more exposed than you think. Investigate your badge infrastructure, understand the limitations of your current readers, and start planning for a transition to more secure, encrypted credentials.