RFID Replaying with the Proxmarx3

Rick Wisser //

ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.

 Ohhh Who Says Tree’s are not Interesting

RFID’s (Radio-Frequency Identification) have been around for a while now and are utilized for Inventory tracking/control, retail, clothing, animal tracking, and door access control, among other uses. Most of these RFID tags are known as passive: meaning that they don’t require power and utilize a magnetic field to be active. This allows them to essentially turn on when an electromagnetic field is near them. When this happens the tag unlocks and transmits a fixed code within the chip. RFID’s can be made into almost any shape and size.

The most interesting uses of RFID are related to security, such as door access control devices. These usually serve as a name badge as well as a key to grant access to specific doors throughout a facility. Access can be granted based on the work functions of the employee. For example an IT professional will need access to the server room but not necessarily the secretary. Physical penetration testers are always interested in getting a hold of one of these cards, especially if they can just clone a key card. This leads us to a Proxmarx3 device.

At BHIS we find ourselves hired to do a physical assessment from time to time.  To help in doing these assessments we recently acquired a Proxmarx3 RFID device that can be utilized to clone or replay an RFID door access card. To see how well the Proxmarx3 functions and get familiar with the device I decided to do some testing. I have an RFID card that I use to access my local Recreation Center that I used as the test. (I did get authorization from the Recreation Center Director before conducting the test.)

I first had to update the Proxmarx3 firmware before I could utilize it since the firmware on the device was outdated. I will not go over this portion are several resources on the Internet for flashing and updating the Proxmarx3. Assuming that the device has already been updated, let’s show the functionality of the Proxmarx3:

 A step-by-step process of the video above:

  1. Plug the USB of the Proxmarx3 into a portable USB battery, note that when plugging it in you will see the lights flash on the Proxmarx3 indicating that it has power.
  2. Hold the button on the Proxmarx3 down for about 3 seconds until the lights start to flash then release. The end result should leave the Proxmarx3 setting with a solid red light.
  3. Press and hold the button again until the other red light comes on. This now indicates that the Proxmarx3 is ready for a card to be scanned and read into storage of the device.
  4. Pass the RFID tagged device that you want to copy over the antennae until the red light that came on in step 3 goes out. This indicates that the RFID tag information was read into the Proxmarx3 memory.
  5. Hold the button down again for about 1 second; a green light should come on. This indicates that the Proxmarx3 is now replaying the captured RFID tag.

To continue with the testing it was now time to see if the replay portion of the Proxmarx3 was real. After having the key cards information captured/cloned into the Proxmarx3, I headed to the Recreation Center for some testing.

I accessed the door several times and the Director of the Recreation Center monitored the system to see if it logged my card as being read by the system. He did verify that it was in fact my card being logged on the system when utilizing the Proxmarx3.

It is nice to see how the Proxmarx3 works, but what about protecting your cards from being cloned? Hence the aluminum wallet myth, I am sure you have all heard of it or seen advertisements for it. In Theory if your cards are in an aluminum wallet they will be protected from being scanned and/or cloned.  I decided to pick one of these up at the local dollar store to give it a try. After several attempts it seems that the aluminum does block or interfere with the electromagnetic field enough to hinder cards contained within it from being accessed with the Proxmarx3. But wait, what about tin foil? I have a couple paranoid friends who we will just say are frugal and believe that tin foil will do the same thing. So out of curiosity I attempted to copy the RFID tag wrapped in tin foil. The results were conclusive and the attempt was unsuccessful. Below is a Video attempting to read the RFID card with these protections in place.

In conclusion, it looks like the Proxmarx3 is a tool that should be included in your physical pen testing jump bag. Keep in mind that this is just a high level approach to the functionality of the device. More information can be found with a simple search of the internet.

Ready to learn more?

Level up your skills with affordable classes from Antisyphon!

Pay-What-You-Can Training

Available live/virtual and on-demand