SY0-701 | Chapter 98 of 212 | Objective 2.3

RFID and NFC Security Attacks

This chapter covers RFID (Radio Frequency Identification) and NFC (Near Field Communication) security attacks, a critical topic for the SY0-701 exam under Domain 2.0 (Threats, Vulnerabilities, and Mitigations), Objective 2.3: Explain various types of vulnerabilities and attacks. You will learn how RFID and NFC technologies work, the specific attack vectors attackers use—including skimming, eavesdropping, relay attacks, and cloning—and the defenses such as encryption, mutual authentication, and Faraday cages. Understanding these attacks is essential for securing access control systems, contactless payments, and inventory tracking in enterprise environments.

25 min read
Intermediate
Updated May 31, 2026

The Guarded Mail Slot Analogy

Imagine a secure office building with a mail slot in the door. Each employee has a unique key card that, when tapped on the slot, unlocks the door. The mail slot uses RFID: it broadcasts a weak electromagnetic field. When a key card enters the field, it powers up a tiny chip that transmits its ID. The door reader checks the ID against a database and unlocks if authorized. An attacker, however, can stand near the door with a powerful RFID reader that boosts the field range, forcing nearby cards to respond even if they are in a pocket or purse. This is RFID skimming: the attacker captures the card's ID without the owner's knowledge. If the attacker then replays that captured ID using a device that mimics the card, they can unlock the door—a relay attack. Alternatively, the attacker could clone the card by writing the captured ID onto a blank card. The countermeasure is to use cards that employ cryptographic authentication (like a challenge-response protocol) so that even if the ID is captured, it cannot be replayed because the reader expects a dynamic response derived from a secret key. Additionally, shielding the card in a Faraday cage (like an RFID-blocking wallet) prevents the card from being powered by unauthorized readers. This mirrors NFC security: NFC is a subset of RFID operating at 13.56 MHz, used for contactless payments. Attackers can skim NFC credit cards or use relay attacks to make fraudulent payments. The defense is tokenization (dynamic CVV) and cryptographic authentication (like EMVCo's chip authentication program).

How It Actually Works

What are RFID and NFC?

RFID (Radio Frequency Identification) is a wireless technology that uses radio waves to automatically identify and track tags attached to objects. An RFID system consists of a reader (interrogator) and a tag (transponder). The reader emits a radio signal that powers the tag (in passive tags) and communicates data. NFC (Near Field Communication) is a subset of RFID operating at 13.56 MHz (HF band) with a maximum range of about 10 cm. NFC is standardized under ISO/IEC 14443 and ISO/IEC 18092, and is used for contactless payments, ticketing, and data exchange. Both technologies are vulnerable to several attacks due to their wireless nature and often limited security features.

How RFID Works Mechanically

1. Reader emits RF field: The reader continuously generates an RF signal at a specific frequency (e.g., 125 kHz for low-frequency, 13.56 MHz for high-frequency, or 860-960 MHz for UHF). This signal serves two purposes: powering passive tags and carrying data.

2. Tag powers up: A passive tag has no internal battery. It harvests energy from the reader's RF field via its antenna, rectifying the AC signal to DC to power its microchip.

3. Tag responds: Once powered, the tag modulates the RF field (load modulation or backscatter) to send its stored data (e.g., unique ID, product code) back to the reader.

4. Reader decodes: The reader demodulates the response and processes the data, often forwarding it to a backend system for authentication or logging.

Key Components and Standards

Frequency Bands:

- Low Frequency (LF): 125-134 kHz, short range (~10 cm), used for animal tagging, access control.
- High Frequency (HF): 13.56 MHz, range ~10 cm to 1 m, used for NFC, smart cards (ISO 14443), library books.
- Ultra-High Frequency (UHF): 860-960 MHz, range up to 12 m, used for supply chain, inventory.

Tag Types:

- Passive: No battery; powered by reader. Limited range, low cost. Most common.
- Active: Has battery; can transmit independently. Longer range (100+ m). Used for vehicle tracking, container monitoring.
- Semi-passive (BAP): Battery-assisted passive; battery powers chip but communication is still backscatter. Longer read range than passive.

Standards:

- ISO/IEC 14443: Proximity cards (HF, ~10 cm range) for contactless smart cards.
- ISO/IEC 15693: Vicinity cards (HF, up to 1 m) for item management.
- ISO/IEC 18000-6C: UHF Gen2 standard for passive tags.
- NFC Forum: Defines NFC data exchange formats and protocols (e.g., NDEF).

Attack Vectors on RFID/NFC

#### 1. Skimming (Eavesdropping)

Skimming is the unauthorized reading of RFID/NFC tag data by an attacker using a rogue reader. The attacker can capture the tag's ID, stored data (e.g., credit card number, access credentials), and sometimes cryptographic material if the protocol is weak.

Mechanism: The attacker's reader emits a stronger field or is placed close to the victim's tag. The tag, unaware of the legitimacy of the reader, responds with its data. For passive tags, the attacker can also intercept the communication between a legitimate reader and tag if within range.

Example: An attacker with a handheld RFID reader walks through a crowd and captures credit card numbers from contactless cards in wallets. NFC-enabled smartphones can also be skimmed if they have payment apps open.

Countermeasures:

Use RFID-blocking sleeves or wallets (Faraday cages) that block RF signals.

Implement cryptographic authentication (e.g., challenge-response) so that simply reading the tag does not reveal useful data.

Use tokenization: the actual credit card number is replaced with a one-time token for each transaction.

#### 2. Relay Attacks (Man-in-the-Middle)

A relay attack extends the range of the RFID/NFC communication by placing two devices: one near the legitimate reader (the 'ghost') and one near the tag (the 'mole'). The ghost communicates with the reader, and the mole communicates with the tag, relaying the data over a longer distance (e.g., via Wi-Fi or Bluetooth). This tricks the reader into thinking the tag is present when it is actually far away.

Mechanism:

1. Attacker places a proxy reader near the legitimate reader (e.g., at a payment terminal).
2. Attacker places a proxy tag near the victim's tag (e.g., within 10 cm of the victim's wallet).
3. The proxy reader and proxy tag communicate via a high-speed link (e.g., 4G, Wi-Fi).
4. The legitimate reader sends a challenge; the proxy reader forwards it to the proxy tag, which sends it to the victim's tag. The victim's tag responds; the response is relayed back.
5. The legitimate reader authenticates the victim's tag, granting access or authorizing payment.

Example: An attacker uses a small device near a car's keyless entry system to relay the signal from the key fob inside the house, unlocking the car. This is a known attack on passive keyless entry (PKE) systems.

Countermeasures:

Use distance-bounding protocols that measure the round-trip time of the signal; if the distance exceeds the physical range, the authentication fails.

Implement cryptographic authentication with timeouts.

For payments, require additional verification (e.g., PIN, biometric) for high-value transactions.

#### 3. Cloning

Cloning involves copying the data from a legitimate RFID/NFC tag onto a blank tag, creating a duplicate. This allows the attacker to impersonate the original tag.

Mechanism:

1. The attacker uses an RFID reader to read the tag's data (e.g., UID, access control data).
2. If the tag is writable (e.g., some HF tags allow writing), the attacker writes that data onto a blank compatible tag.
3. The cloned tag can then be used to gain unauthorized access, make payments, or bypass inventory systems.

Example: An employee's access card is cloned by an attacker who briefly skims the card in a crowded elevator. The attacker then uses the cloned card to enter the building.

Countermeasures:

Use tags with read-only memory (ROM) for unique identifiers.

Implement cryptographic authentication (e.g., MIFARE DESFire) that requires a secret key to authenticate; the key cannot be extracted from the tag.

Use tags that support mutual authentication (the reader also proves its identity to the tag).

For high-security applications, use tags with anti-cloning features like unique chip ID or physically unclonable functions (PUFs).
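The cloning and skimming countermeasures above both rest on the same idea: the reader checks a fresh cryptographic answer instead of a static ID. The following is an added example, not code from the chapter or from any MIFARE product. It simulates a UID-only reader beside a challenge-response reader, using HMAC-SHA256 as a stand-in for the AES cryptogram a DESFire-class card computes; the UID, key handling and message layout are this example's own assumptions.

```python
import hashlib
import hmac
import os


def mac(key: bytes, *parts: bytes) -> bytes:
    """Keyed MAC standing in for the AES cryptogram a DESFire-class tag computes."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()[:16]


class Tag:
    """Genuine tag: the key lives in chip memory and is never transmitted."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self._key = uid, key

    def respond(self, reader_nonce: bytes) -> tuple[bytes, bytes]:
        tag_nonce = os.urandom(8)
        return tag_nonce, mac(self._key, b"tag", self.uid, reader_nonce, tag_nonce)

    def accept_reader(self, reader_nonce, tag_nonce, reader_proof) -> bool:
        expected = mac(self._key, b"reader", self.uid, tag_nonce, reader_nonce)
        return hmac.compare_digest(expected, reader_proof)


class ClonedTag:
    """Blank tag loaded with everything a skimmer could capture: the UID and one
    recorded transcript. It has no key, so it can only replay the old answer."""
    def __init__(self, uid: bytes, transcript: tuple[bytes, bytes, bytes]):
        self.uid, self.transcript = uid, transcript

    def respond(self, reader_nonce: bytes) -> tuple[bytes, bytes]:
        _old_reader_nonce, tag_nonce, proof = self.transcript
        return tag_nonce, proof        # ignores the fresh challenge

    def accept_reader(self, *_) -> bool:
        return True                    # cannot verify anything


class Reader:
    def __init__(self, keys: dict):
        self.keys = keys               # backend: UID -> key (diversified per card)
        self.transcripts = []          # what an eavesdropper near the reader captures

    def uid_only(self, tag) -> bool:
        """Legacy check: a known UID is the credential. Cloning the UID defeats it."""
        return tag.uid in self.keys

    def challenge_response(self, tag) -> bool:
        """Mutual authentication: the tag proves the key over a fresh nonce, then the
        reader proves it too, so a rogue reader is refused by the tag."""
        key = self.keys.get(tag.uid)
        if key is None:
            return False
        reader_nonce = os.urandom(8)
        tag_nonce, proof = tag.respond(reader_nonce)
        self.transcripts.append((reader_nonce, tag_nonce, proof))
        if not hmac.compare_digest(mac(key, b"tag", tag.uid, reader_nonce, tag_nonce), proof):
            return False
        reader_proof = mac(key, b"reader", tag.uid, tag_nonce, reader_nonce)
        return tag.accept_reader(reader_nonce, tag_nonce, reader_proof)


def demo() -> dict:
    uid = bytes.fromhex("04a1b2c3")            # constructed UID
    key = os.urandom(16)
    reader = Reader({uid: key})
    genuine = Tag(uid, key)
    genuine_ok = reader.challenge_response(genuine)
    clone = ClonedTag(uid, reader.transcripts[0])   # built from the captured exchange
    # A rogue reader without the key can still collect a transcript, but it cannot
    # produce the reader proof, so the genuine tag refuses it.
    rn = os.urandom(8)
    tn, _ = genuine.respond(rn)
    rogue_accepted = genuine.accept_reader(rn, tn, os.urandom(16))
    return {
        "uid_only_accepts_clone": reader.uid_only(clone),
        "challenge_response_genuine": genuine_ok,
        "challenge_response_clone": reader.challenge_response(clone),
        "rogue_reader_accepted_by_tag": rogue_accepted,
    }
```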

#### 4. Eavesdropping (Sniffing)

Eavesdropping is the passive interception of communication between a legitimate reader and tag. Unlike skimming, the attacker does not initiate communication but listens to existing exchanges.

Mechanism: The attacker uses a software-defined radio (SDR) or a specialized RFID sniffer to capture the RF signals. This can be done from a distance if the signal is strong. The captured data can be analyzed offline.

Example: An attacker sits in a coffee shop with a laptop and an SDR, capturing NFC payment transactions from nearby customers paying at a terminal. The attacker later extracts credit card numbers from the captured data.

Countermeasures:

Encrypt the data transmitted between reader and tag (e.g., AES-128 encryption).

Use session keys that change per transaction.

Limit the transmission power to reduce the readable range.

#### 5. Denial of Service (DoS)

An attacker can disrupt RFID/NFC communication by jamming the RF frequency, causing the reader to fail to read tags or causing tags to malfunction.

Mechanism: The attacker transmits a strong RF signal on the same frequency, overwhelming the reader's receiver. Alternatively, the attacker can send malformed commands to cause the tag to crash or enter an error state.

Example: An attacker uses a portable jammer near an access control door, preventing legitimate cards from being read, effectively locking everyone out or causing a security breach.

Countermeasures:

Use frequency hopping spread spectrum (FHSS) to make jamming harder.

Implement error correction and retry mechanisms.

Monitor for unusual RF activity and have backup authentication methods (e.g., PIN pad).

Real Tools and Commands

Proxmark3: A popular RFID research tool that can read, write, and emulate many RFID tags. It supports low-frequency (125 kHz) and high-frequency (13.56 MHz) tags.

Example command to read a MIFARE Classic card: `hf mf rdbl 0 A FFFFFFFFFFFF`

libnfc: An open-source library for NFC. Tools like nfc-list can detect NFC tags.

ChameleonMini: A versatile NFC/RFID emulator that can clone and emulate various tags.

SDR (e.g., HackRF): Used for eavesdropping on RFID signals. For example, capturing UHF RFID communication with GNU Radio.

Defenses in Depth

Cryptographic Authentication: Use tags that support mutual authentication with strong encryption (e.g., AES-128, 3DES). Examples: MIFARE DESFire EV2, SLE 66 series.

Faraday Cages: Enclose tags in metal mesh or foil to block RF signals when not in use.

Tokenization: For payments, replace sensitive data with a one-time token.

Distance Bounding: Protocols that verify the physical proximity of the tag by measuring signal round-trip time.

Frequency Hopping: Makes jamming and eavesdropping more difficult.

Tamper-Evident Tags: For asset tracking, tags that show evidence of removal or tampering.

Walk-Through

1. Reconnaissance: Identify Target Tags

The attacker first identifies the type of RFID/NFC system in use. They may observe employees entering a building with access cards, or notice contactless payment terminals. Using an SDR or a Proxmark3, the attacker determines the frequency (125 kHz, 13.56 MHz, etc.) and the protocol (MIFARE Classic, ISO 14443, etc.). This step may involve capturing a few sample reads to analyze the data structure. The attacker might also search for publicly available information about the system, such as default keys (e.g., MIFARE Classic uses default keys like `FFFFFFFFFFFF`).

2. Skimming: Capture Tag Data

The attacker positions a rogue reader close to the victim's tag (within a few centimeters for HF, up to a meter for UHF). The reader sends a request command (e.g., REQA for ISO 14443) to which the tag responds with its UID and possibly other data. For MIFARE Classic, the attacker can authenticate using default keys and read all sectors. The captured data includes the UID, sector data, and any access conditions. Tools like Proxmark3 can dump the entire memory of the tag. The attacker saves this data for later cloning or replay.

3. Data Extraction and Analysis

The attacker examines the captured data to identify useful information. For access control cards, the UID is often the credential. For payment cards, the attacker may extract the PAN (Primary Account Number), expiry date, and CVV if the card uses unencrypted magnetic stripe emulation. The attacker may also attempt to crack cryptographic keys if the tag uses encryption. For instance, MIFARE Classic uses a proprietary Crypto-1 cipher that has been broken; attackers can recover keys using known plaintext attacks or by brute-forcing weak keys. Tools like `mfoc` can perform a nested authentication attack to recover keys.

4. Cloning or Emulation

With the extracted data, the attacker can either clone the tag onto a blank writable tag or emulate the tag using a device like Proxmark3 or ChameleonMini. For cloning, the attacker writes the UID and sector data onto a compatible blank tag (e.g., a MIFARE Classic 1K blank). For emulation, the attacker loads the dump into the emulator and presents it to the reader. The reader treats the emulator as the original tag. This step may require adjusting the emulator's settings to match the original tag's protocol and timing.

5. Exploitation: Unauthorized Access or Payment

The attacker uses the cloned tag or emulator to bypass security. For example, they tap the cloned card on an access control reader to enter a building. The reader authenticates the card and grants access because the UID and authentication data match. For payment, the attacker holds the emulated card near a contactless terminal to make a purchase. The terminal processes the transaction, potentially deducting funds from the victim's account. The attacker may also perform a relay attack in real-time without cloning, using two devices to extend the range. The success of the attack depends on the system's security measures; if the system uses mutual authentication or dynamic keys, cloning may fail.

What This Looks Like on the Job

Scenario 1: Access Control Breach at a Corporate Office

A security analyst notices an anomaly in the access logs: an employee's badge was used to enter the building at 2:00 AM, but the employee had reported the badge lost the previous day. The analyst reviews the badge's history and sees multiple entries in different locations within minutes, which is impossible for a single person. The analyst suspects cloning. Using an RFID reader and software like Proxmark3, the analyst scans the employee's replacement badge and compares its UID and sector data with logs. The analyst finds that the lost badge's UID matches the one used in the unauthorized entries. The attacker had skimmed the badge before it was lost, cloned it onto a blank card, and used it. The correct response is to revoke the compromised badge immediately, issue a new badge with a different UID, and implement stronger authentication (e.g., MIFARE DESFire with mutual authentication). A common mistake is to assume the badge was simply lost and not cloned, leading to continued vulnerability.

Scenario 2: Contactless Payment Fraud at a Retail Store

A customer complains of unauthorized transactions on their contactless credit card. The bank's fraud detection team investigates and finds that the transactions occurred at a retail store where the customer had shopped earlier. The team suspects a relay attack. They analyze the transaction timestamps and find that the time between the card being tapped and the transaction approval was unusually long (over 2 seconds), indicating a relay. The attacker had placed a proxy reader near the payment terminal and a proxy tag near the victim's wallet. The correct response is to issue a new card with a dynamic CVV (e.g., Mastercard's Dynamic CVV) and advise the customer to use an RFID-blocking wallet. A common mistake is to assume the card was physically stolen, but the victim still has the card. The bank should also update the terminal software to enforce a maximum transaction time and use distance-bounding protocols.

Scenario 3: Inventory Theft in a Warehouse

A warehouse using UHF RFID for inventory tracking notices that high-value items are disappearing. The RFID system shows these items as checked out, but they never left the facility. The security team investigates and finds that an attacker is using a portable UHF reader to skim tags on pallets, then cloning them onto tags attached to dummy pallets. The attacker swaps the real pallet with the dummy, and the system thinks the items are still present. The correct response is to implement tamper-evident tags and use cryptographic authentication that prevents cloning. The team should also monitor for unusual read patterns, such as multiple reads of the same tag in different locations. A common mistake is to focus only on physical security (e.g., cameras) without addressing the RFID vulnerability.
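Scenarios 1 and 3 both end with the same detection advice: watch the read logs for a badge or tag that moves faster than a person can, or that is used after it was reported lost. The script below is an added example, not part of the chapter; the reader coordinates, walking-speed limit, lost-badge report and the log lines are all constructed for it, and the CSV layout is an assumption about what an access control system exports.

```python
import csv
import io
import math
from datetime import datetime

# Reader positions in metres on a site plan (constructed for this example).
READER_POS = {"lobby-door": (0.0, 0.0), "lab-3F": (0.0, 40.0), "warehouse-A": (900.0, 0.0)}
MAX_WALK_SPEED_M_S = 2.5   # faster than a brisk walk; assumption

# Badges reported lost, with the time of the report (constructed).
REPORTED_LOST = {"7788AABB": datetime(2026, 5, 30, 14, 15)}

# Constructed access log: one badge shows up 900 m away 25 s after a lab read,
# and a badge reported lost is used at 02:00 the next morning.
ACCESS_LOG = """\
timestamp,badge_uid,reader_id,result
2026-05-30T09:01:12,04A1B2C3,lobby-door,granted
2026-05-30T09:03:40,04A1B2C3,lab-3F,granted
2026-05-30T09:04:05,04A1B2C3,warehouse-A,granted
2026-05-30T17:30:02,04A1B2C3,lobby-door,granted
2026-05-31T02:00:31,7788AABB,lobby-door,granted
"""


def parse_log(text: str) -> list:
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def detect(rows: list, reported_lost: dict, max_speed: float = MAX_WALK_SPEED_M_S) -> list:
    """Return (badge, rule, detail) alerts. Two rules taken from the scenarios:
    a badge reported lost is still being granted access, and a badge moves
    between two readers faster than a person could walk."""
    alerts = []
    last_seen = {}                       # badge -> previous granted read
    for r in sorted(rows, key=lambda r: r["timestamp"]):
        if r["result"] != "granted":
            continue
        badge = r["badge_uid"]
        lost_at = reported_lost.get(badge)
        if lost_at and r["timestamp"] > lost_at:
            alerts.append((badge, "lost-badge-used",
                           f"{r['reader_id']} at {r['timestamp']:%Y-%m-%d %H:%M}"))
        prev = last_seen.get(badge)
        if prev:
            dist = math.dist(READER_POS[prev["reader_id"]], READER_POS[r["reader_id"]])
            secs = (r["timestamp"] - prev["timestamp"]).total_seconds()
            # Same reader twice (a double tap) is dist == 0 and is not flagged.
            if dist > 0 and (secs <= 0 or dist / secs > max_speed):
                alerts.append((badge, "impossible-travel",
                               f"{prev['reader_id']} -> {r['reader_id']}: {dist:.0f} m in {secs:.0f} s"))
        last_seen[badge] = r
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(ACCESS_LOG), REPORTED_LOST):
        print(*alert)
```

Tuning the speed limit and reader map to the real site is what separates a useful alert from noise; the impossible-travel rule also catches the warehouse case where one tag is read at two locations it cannot have reached.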

How SY0-701 Actually Tests This

What SY0-701 Tests on This Objective

Objective 2.3 includes understanding of various attacks, including RFID/NFC attacks. The exam expects you to identify specific attack types (skimming, eavesdropping, relay, cloning) and their mitigations. You may be given a scenario and asked to choose the correct attack or defense. Key sub-objectives include:

Differentiating between passive and active attacks.

Understanding the role of Faraday cages, encryption, and mutual authentication.

Recognizing that NFC is a subset of RFID with shorter range and is used for payments.

Common Wrong Answers and Why Candidates Choose Them

1. Choosing 'Bluesnarfing' for an RFID attack: Bluesnarfing is a Bluetooth attack. Candidates confuse wireless technologies because both are short-range. Remember: RFID/NFC uses RF, not Bluetooth.

2. Selecting 'Jamming' as the primary threat for skimming: Jamming is a DoS attack, not a data theft attack. Skimming is about unauthorized reading. Candidates may pick jamming because they think of RF interference.

3. Thinking that encryption alone prevents cloning: Encryption protects data in transit, but if the tag's secret key is static and can be extracted (e.g., MIFARE Classic), cloning is still possible. Mutual authentication and dynamic keys are needed.

4. Believing that NFC is inherently secure due to short range: The short range (10 cm) reduces but does not eliminate risk; attackers can get close or use relay attacks.

Specific Terms and Acronyms

RFID: Radio Frequency Identification

NFC: Near Field Communication

LF/HF/UHF: Low/High/Ultra-High Frequency

ISO 14443: Standard for proximity cards (HF, 10 cm range)

MIFARE: A common brand of contactless smart card (Classic, DESFire)

Faraday cage: A shielded enclosure that blocks electromagnetic fields.

Skimming: Unauthorized reading of RFID/NFC data.

Relay attack: Extending the range of communication via intermediate devices.

Cloning: Copying tag data to another tag.

Eavesdropping: Passive interception of communication.

Distance bounding: Protocol to verify physical proximity.

Common Trick Questions

Scenario with a device near a payment terminal that captures data: The attack is skimming (eavesdropping on the transaction) or relay, not cloning. Cloning would require writing to a blank tag, which is not described.

Question about preventing unauthorized reading of an RFID badge: The best answer is a Faraday cage (shield), not encryption alone, because encryption does not prevent the tag from responding to any reader.

Comparison of NFC and Bluetooth: NFC is a subset of RFID; Bluetooth is a different technology. Attacks on NFC are RFID attacks, not Bluetooth attacks.

Decision Rule for Eliminating Wrong Answers

When given a scenario question about RFID/NFC attacks, identify the attacker's goal: if they want to read data without authorization, it's skimming; if they want to use the data later, it's cloning; if they want to extend range, it's relay; if they want to disrupt, it's jamming. Eliminate any answer that does not match the goal or that describes a different technology (e.g., Bluetooth, Wi-Fi).

Key Takeaways

RFID and NFC are wireless technologies vulnerable to skimming, eavesdropping, relay attacks, and cloning.

NFC operates at 13.56 MHz (HF) with a range of about 10 cm; it is used for contactless payments and data exchange.

Passive RFID tags have no battery; they are powered by the reader's RF field.

Skimming is passive reading; relay attacks are active man-in-the-middle attacks that extend range.

Cloning requires the attacker to read the tag's data and write it to a blank tag.

Faraday cages (RFID-blocking wallets) prevent unauthorized reading by blocking RF signals.

Mutual authentication and dynamic session keys (e.g., MIFARE DESFire) prevent cloning and replay.

Distance-bounding protocols mitigate relay attacks by measuring signal round-trip time.

Common RFID frequencies: LF (125 kHz), HF (13.56 MHz), UHF (860-960 MHz).

The SY0-701 exam expects you to identify attack types and appropriate countermeasures in scenarios.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

RFID Skimming

Goal: Unauthorized reading of tag data.

Mechanism: Attacker's reader communicates directly with the tag.

Range: Typically within a few centimeters to meters depending on frequency.

Defense: Faraday cage, encryption, mutual authentication.

Example: Stealing credit card number from a contactless card in a wallet.

RFID Relay Attack

Goal: Extend the range of the legitimate reader to authenticate a remote tag.

Mechanism: Two proxy devices relay communication between reader and tag.

Range: Can extend to hundreds of meters via a network link.

Defense: Distance-bounding protocols, timeouts, additional authentication factors.

Example: Unlocking a car by relaying the key fob signal from inside a house.

Watch Out for These

Mistake

NFC is completely secure because it only works at a very short range (a few centimeters).

Correct

While NFC's short range reduces risk, attackers can still skim from a few centimeters away (e.g., in a crowded elevator) or use relay attacks to extend the range. The short range is a deterrent, not a guarantee of security.

Mistake

Encrypting the data on an RFID tag prevents cloning.

Correct

Encryption protects the data in transit, but if the tag uses a static key (e.g., MIFARE Classic's Crypto-1), an attacker can recover the key through cryptanalysis and then clone the tag. Mutual authentication and dynamic session keys are needed to prevent cloning.

Mistake

RFID tags always require a battery to operate.

Correct

Most RFID tags are passive and have no battery; they are powered by the reader's RF field. Active tags have batteries, but they are less common. The exam may test this distinction.

Mistake

A Faraday cage prevents all RFID attacks.

Correct

Faraday cages block external RF signals, preventing skimming and eavesdropping. However, they do not protect against relay attacks where the attacker is already within the cage, nor do they prevent cloning of data already captured before the cage was used.

Mistake

UHF RFID is used for contactless payments.

Correct

Contactless payments (e.g., credit cards, Apple Pay) use HF (13.56 MHz) NFC, not UHF. UHF is used for supply chain and inventory tracking. The exam may test the correct frequency for payment systems.

Frequently Asked Questions

What is the difference between RFID and NFC?

NFC is a subset of RFID that operates at 13.56 MHz (HF) with a maximum range of about 10 cm. RFID encompasses a broader range of frequencies (LF, HF, UHF) and ranges (from cm to meters). NFC is designed for proximity communication and is commonly used for contactless payments, while RFID is used for access control, inventory tracking, and animal tagging. On the SY0-701 exam, expect questions that treat NFC as a specific type of RFID.

How does a relay attack work on RFID?

In a relay attack, the attacker places a device (ghost) near the legitimate reader and another device (mole) near the victim's tag. The ghost communicates with the reader, and the mole communicates with the tag, relaying the data over a longer distance (e.g., via Wi-Fi). This makes the reader think the tag is physically close when it is not. For example, an attacker can relay the signal from a key fob to unlock a car from a distance. Defenses include distance-bounding protocols that measure the round-trip time of the signal.

Can RFID tags be cloned?

Yes, if the tag's data is readable and writable. An attacker uses an RFID reader to read the tag's memory (UID, sector data) and then writes that data onto a blank compatible tag. This is especially easy with older tags like MIFARE Classic that use weak encryption (Crypto-1) or no encryption. Modern tags with mutual authentication and dynamic keys (e.g., MIFARE DESFire) are resistant to cloning. On the exam, remember that cloning requires both reading and writing capabilities.

What is a Faraday cage and how does it protect RFID?

A Faraday cage is an enclosure made of conductive material (e.g., metal mesh, foil) that blocks external electromagnetic fields. When an RFID tag is inside a Faraday cage, it cannot be powered by an external reader's RF field, so it cannot respond. This prevents skimming and eavesdropping. RFID-blocking wallets and sleeves are common examples. However, Faraday cages do not protect against relay attacks or attacks that occur before the tag is placed in the cage.

What is MIFARE Classic and why is it insecure?

MIFARE Classic is a popular contactless smart card used for access control and public transit. It uses a proprietary encryption algorithm called Crypto-1, which has been broken. Attackers can recover the encryption keys using cryptanalysis (e.g., nested authentication attack) and then read and clone the card. MIFARE DESFire is a more secure alternative that uses AES encryption and mutual authentication.

How can I prevent RFID skimming?

Use an RFID-blocking wallet or sleeve (Faraday cage) to prevent unauthorized readers from powering your tags. For credit cards, enable contactless payment only when needed, or use cards with dynamic CVV. For access cards, choose tags that support mutual authentication and encryption. On the enterprise side, implement access control systems that use cryptographic authentication and monitor for unusual read patterns.

What is the role of distance bounding in RFID security?

Distance-bounding protocols measure the round-trip time of a signal between reader and tag to verify that the tag is within a certain physical distance. This prevents relay attacks because the relay introduces a delay that exceeds the expected time. For example, if the reader expects a response within 1 nanosecond (corresponding to 30 cm range), a relay that adds even a microsecond of delay will cause the authentication to fail.
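The relay countermeasures listed under Attack Vectors and this answer describe the same mechanism: the reader times a rapid exchange and rejects any tag whose round trip implies a distance beyond the physical range. The simulation below is an added example, not code from the chapter or from any published distance-bounding protocol; the number of rounds, the tag's per-bit turnaround, the 30 cm limit, the link latency and the key are its own assumptions, and timing is modelled from the speed of light rather than measured.

```python
import hashlib
import hmac
import random

C = 299_792_458.0      # speed of light, m/s
ROUNDS = 32            # rapid single-bit exchanges per authentication (assumption)
PROCESSING_S = 2e-9    # tag's fixed per-bit turnaround, known to the reader (assumption)
MAX_DISTANCE_M = 0.30  # accept only tags apparently closer than this (assumption)


def response_registers(key: bytes, nonce: bytes) -> tuple:
    """Both sides derive two ROUNDS-bit registers from the shared key and a session
    nonce. In round i the tag must answer challenge bit c with bit i of register c,
    so a response cannot be prepared before the challenge bit arrives."""
    digest = hmac.new(key, nonce, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big"), int.from_bytes(digest[4:8], "big")


class Tag:
    """Genuine tag holding the key, distance_m from the reader antenna."""
    def __init__(self, key: bytes, distance_m: float):
        self.key, self.distance_m, self.regs = key, distance_m, (0, 0)

    def begin(self, nonce: bytes) -> None:
        self.regs = response_registers(self.key, nonce)

    def exchange(self, i: int, challenge_bit: int) -> tuple:
        """Return (response bit, round-trip time the reader would measure)."""
        bit = (self.regs[challenge_bit] >> i) & 1
        return bit, 2 * self.distance_m / C + PROCESSING_S


class Relay:
    """Ghost-and-mole pair: forwards every bit faithfully to a distant genuine tag,
    but each forwarded bit pays the latency of the attacker's link both ways."""
    def __init__(self, victim: Tag, link_delay_s: float):
        self.victim, self.link_delay_s = victim, link_delay_s

    def begin(self, nonce: bytes) -> None:
        self.victim.begin(nonce)

    def exchange(self, i: int, challenge_bit: int) -> tuple:
        bit, rtt = self.victim.exchange(i, challenge_bit)
        return bit, rtt + 2 * self.link_delay_s


class Guesser:
    """Fast device right at the reader with no key; it answers 0 every round."""
    def begin(self, nonce: bytes) -> None:
        pass

    def exchange(self, i: int, challenge_bit: int) -> tuple:
        return 0, PROCESSING_S


class Reader:
    def __init__(self, key: bytes, rng=None):
        self.key = key
        self.rng = rng or random.SystemRandom()

    def authenticate(self, tag) -> tuple:
        """Return (accepted, farthest distance implied by any round's timing)."""
        nonce = self.rng.randbytes(8)
        tag.begin(nonce)
        regs = response_registers(self.key, nonce)
        worst_m = 0.0
        for i in range(ROUNDS):
            c = self.rng.getrandbits(1)
            bit, rtt = tag.exchange(i, c)
            worst_m = max(worst_m, C * (rtt - PROCESSING_S) / 2)
            if bit != ((regs[c] >> i) & 1):
                return False, worst_m       # wrong answer: no key, or a guess
        return worst_m <= MAX_DISTANCE_M, worst_m


def demo(seed: int = 7) -> dict:
    key = b"\x11" * 16                      # constructed shared key
    reader = Reader(key, random.Random(seed))
    return {
        "genuine_5cm": reader.authenticate(Tag(key, 0.05)),
        "relay_1us_link": reader.authenticate(Relay(Tag(key, 0.05), 1e-6)),
        "guesser": reader.authenticate(Guesser()),
    }
```

Even a 1 microsecond link, far faster than any Wi-Fi or cellular hop, puts the relayed tag hundreds of metres away by the reader's clock, which is why the relay fails on timing alone while the genuine tag passes at 5 cm.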
