From building access and transit cards to smart posters and contactless pairing,
RFID and NFC are everywhere. This page covers fundamentals, research workflows,
and practical hardening tips—used only with permission.
Quick-start checklist
Authorization: Only assess tags/readers you own or for which you have explicit written permission.
Identify frequency: Determine LF (125/134.2 kHz) vs HF (13.56 MHz). LF is common in legacy access badges; HF covers NFC (Type 1–5, MIFARE, etc.).
Determine tag type: Simple ID-only (EM4100, HID Prox) vs. secure memory (MIFARE DESFire EVx, iCLASS SE, etc.).
Plan tests: Start with non-invasive reads and metadata; log UIDs/ATQA/SAK/tech lists; avoid writing until you understand memory layout and access control.
Environment: Avoid reading random people’s cards or causing denial-of-service at doors/turnstiles. Keep it to your lab.
RFID/NFC primer
RFID and NFC use inductive coupling between a reader and a passive tag.
The reader energizes the tag, which responds with modulated data. Systems vary in frequency, encoding, and security features.
Common families:
LF (125/134.2 kHz): EM4100/EM41xx, HID Prox, FDX-B (animal ID). Usually UID-only and unauthenticated.
Reader powers tag; tag backscatters data. Security varies by tag family.
UIDs & anti-collision: Many systems identify tags by a unique identifier (UID).
Readers use anti-collision to select one tag in a field of many. Secure HF tags additionally support
authenticated sessions, encrypted files, and fine-grained access keys.
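To make the UID and anti-collision mechanics concrete, here is an added example (not code from the page) that assembles an ISO14443-3A UID from the cascade-level anti-collision responses, verifying each level's BCC, and decodes the two SAK bits an inventory step cares about. The frames below are constructed sample values, not captured from any real card.

```python
"""Assemble a UID from ISO14443-3A cascade levels and interpret the SAK byte.

Added example; the cascade-level frames used for the demo are constructed."""

CASCADE_TAG = 0x88   # first byte of a cascade level when another level follows


def bcc(data: bytes) -> int:
    """Block check character: XOR of the four bytes of one cascade level."""
    x = 0
    for b in data:
        x ^= b
    return x


def assemble_uid(levels) -> bytes:
    """levels: 5-byte anti-collision responses (4 UID bytes + BCC), one per level.
    Returns the 4-, 7- or 10-byte UID; raises ValueError on bad BCC or structure."""
    if not 1 <= len(levels) <= 3:
        raise ValueError("ISO14443-3A allows one to three cascade levels")
    uid = bytearray()
    for i, frame in enumerate(levels):
        if len(frame) != 5:
            raise ValueError(f"cascade level {i + 1}: expected 5 bytes, got {len(frame)}")
        body, check = frame[:4], frame[4]
        if bcc(body) != check:
            raise ValueError(f"cascade level {i + 1}: BCC mismatch")
        if i < len(levels) - 1:
            if body[0] != CASCADE_TAG:
                raise ValueError(f"cascade level {i + 1}: cascade tag 0x88 missing")
            uid += body[1:]            # three UID bytes follow the cascade tag
        else:
            if body[0] == CASCADE_TAG:  # 0x88 is reserved for the tag byte
                raise ValueError("final cascade level must not start with 0x88")
            uid += body                # four UID bytes, no tag
    return bytes(uid)


def decode_sak(sak: int) -> dict:
    """SAK bit 3 (0x04) = UID not complete yet; bit 6 (0x20) = ISO14443-4 capable."""
    return {"uid_complete": not (sak & 0x04), "iso14443_4": bool(sak & 0x20)}


# Constructed demo: a 7-byte UID 04 A1 B2 C3 D4 E5 F6 delivered in two cascade levels.
DEMO_LEVELS = [bytes.fromhex("8804a1b29f"), bytes.fromhex("c3d4e5f604")]

if __name__ == "__main__":
    print("UID:", assemble_uid(DEMO_LEVELS).hex(), "SAK 0x20 ->", decode_sak(0x20))
```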
Common research workflows
1) Non-invasive inventory (what is this tag?)
Detect frequency and technology (LF/HF, ISO14443-A/B, ISO15693).
Log identifiers/ATQA/SAK/tech-list. For HF, enumerate application directories (where allowed).
Capture reader behavior in a test rig (timing, retries) to understand expectations.
2) Read & emulate (lab with authorized tags)
For UID-only LF badges (e.g., EM4100), read the ID and test emulation against a lab reader.
For HF NFC tags (NTAG/Ultralight), read NDEF records; safely emulate read-only content to test signage/apps.
Document edge cases (anti-collision with multiple tags, noisy environments).
3) Secure tag assessment (authorized)
With client permission, validate that modern secure tags (e.g., DESFire EV2/EV3) are used instead of legacy vulnerable ones (e.g., MIFARE Classic).
Check that keys are unique per installation and diversified per card, not left at the vendor's default values.
Verify access control lists: read/write rights, file permissions, app isolation.
4) Reader-side behavior & migration planning
Assess readers for backwards-compatibility quirks (e.g., accepting both Classic and DESFire unintentionally).
Test reader configuration (card technology whitelist, key stores, fallback behavior).
Test how mobile apps handle NDEF URLs/text/records (prompting, domain allowlist, deep links).
Verify rate-limits and user prompts to prevent “tapjacking” style tricks.
Ensure signed records where appropriate (e.g., product authenticity tags).
Important: Avoid cloning/emulating real production credentials or payments.
Keep work to lab tags/test badges that you control, with written authorization for any enterprise system.
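The NDEF handling checks in step 4 (how an app treats URL records, domain allowlists, no blind actions on tap) can be exercised with the following added example, which is not code from the page: it parses a short-record NFC Forum RTD-URI record, expands the URI prefix code, and only clears a URL for an automatic action when it is https and its host is on an exact-match allowlist. The NDEF message bytes and allowlist are constructed sample values.

```python
"""Parse an NDEF URI record and gate any automatic action on an allowlist.

Added example, not the page's own code. Handles the short-record (SR) form of
NFC Forum RTD-URI records, which is what NTAG/Ultralight posters usually carry."""
from urllib.parse import urlsplit

TNF_WELL_KNOWN = 0x01
# RTD-URI identifier codes (abbreviated prefixes); 0x00 means no prefix.
URI_PREFIX = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
              0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}


def parse_ndef_uri(msg: bytes) -> str:
    """Return the URI in the first record of an NDEF message, or raise ValueError."""
    flags = msg[0]
    tnf, sr, il = flags & 0x07, bool(flags & 0x10), bool(flags & 0x08)
    if tnf != TNF_WELL_KNOWN:
        raise ValueError(f"not a well-known type record (TNF={tnf})")
    type_len = msg[1]
    if sr:                                   # 1-byte payload length
        payload_len, pos = msg[2], 3
    else:                                    # 4-byte payload length
        payload_len, pos = int.from_bytes(msg[2:6], "big"), 6
    id_len = 0
    if il:
        id_len, pos = msg[pos], pos + 1
    rtype = msg[pos:pos + type_len]
    pos += type_len + id_len                 # skip type and optional record ID
    payload = msg[pos:pos + payload_len]
    if rtype != b"U" or len(payload) != payload_len or not payload:
        raise ValueError("not a complete RTD-URI record")
    prefix = URI_PREFIX.get(payload[0])
    if prefix is None:
        raise ValueError(f"unsupported URI identifier code 0x{payload[0]:02x}")
    return prefix + payload[1:].decode("utf-8")


def allowed_target(uri: str, allowlist) -> bool:
    """Permit an automatic action only for https URLs whose exact host is allowlisted."""
    parts = urlsplit(uri)
    return parts.scheme == "https" and (parts.hostname or "") in allowlist


# Constructed demo: MB|ME|SR|TNF=1, type 'U', prefix 0x04 ("https://") + "example.com/scan".
EXAMPLE_MSG = bytes([0xD1, 0x01, 0x11, 0x55, 0x04]) + b"example.com/scan"
DEMO_ALLOWLIST = {"example.com"}

if __name__ == "__main__":
    uri = parse_ndef_uri(EXAMPLE_MSG)
    print(uri, "auto-open allowed:", allowed_target(uri, DEMO_ALLOWLIST))
```

Anything that fails allowed_target should fall back to showing the user the full URI and asking, rather than opening it silently.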
Hardening & defense notes
Retire legacy tech: Move away from LF UID-only badges and MIFARE Classic for access control. Prefer DESFire EV2/EV3 or iCLASS SE with strong keys and diversification.
Unique keys: Avoid defaults and global keys. Use per-site (and ideally per-card) diversified keys.
Physical hygiene: Use shielded holders for sensitive badges; educate users about shoulder-surfing and “brush-by” reads.
NFC content: Sign and validate NDEF where authenticity matters; avoid blind automatic actions on URL taps.
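The "unique keys" guidance above, and the step 3 check that keys are diversified rather than default, can be illustrated with this added example (not the page's own code). It derives a distinct 16-byte card key from a site master key, the card UID and an application id, and flags the all-zero and all-0xFF factory defaults. The derivation is HMAC-SHA256 truncated to 128 bits; NXP's AN10922 diversification uses AES-CMAC instead, so this shows the property (one key per card, reproducible from the master key) rather than that exact spec. The master key, UIDs and AID are constructed sample values.

```python
"""Per-card key diversification and default-key checks.

Added example, not from the page. HMAC-SHA256 stands in for the AES-CMAC used by
NXP AN10922; the point is that each card gets its own key derived from one master."""
import hashlib
import hmac


def diversify_key(master_key: bytes, uid: bytes, aid: bytes = b"\x00\x00\x00") -> bytes:
    """Return a 16-byte AES-128 key bound to this UID and application id (AID)."""
    if len(master_key) < 16:
        raise ValueError("master key should be at least 128 bits")
    if not uid:
        raise ValueError("UID required; a fixed UID would give every card the same key")
    # Domain separation byte, then UID and 3-byte DESFire-style AID.
    return hmac.new(master_key, b"\x01" + uid + aid, hashlib.sha256).digest()[:16]


def is_default_key(key: bytes) -> bool:
    """True for the published factory defaults: all 0x00 or all 0xFF, 6 or 16 bytes."""
    return len(key) in (6, 16) and key in (b"\x00" * len(key), b"\xff" * len(key))


def audit_card_keys(master_key: bytes, uids, aid: bytes) -> dict:
    """Derive every card's key and report uniqueness and any default-looking keys."""
    keys = {uid: diversify_key(master_key, uid, aid) for uid in uids}
    return {
        "all_unique": len(set(keys.values())) == len(keys),
        "default_keys": [uid.hex() for uid, k in keys.items() if is_default_key(k)],
        "keys": keys,
    }


# Constructed demo values (never reuse a master key that appears in a document).
DEMO_MASTER = bytes(range(0x10, 0x20))
DEMO_AID = bytes.fromhex("f51234")
DEMO_UIDS = [bytes.fromhex("04a1b2c3d4e5f6"), bytes.fromhex("04a1b2c3d4e5f7")]

if __name__ == "__main__":
    report = audit_card_keys(DEMO_MASTER, DEMO_UIDS, DEMO_AID)
    for uid, k in report["keys"].items():
        print(uid.hex(), "->", k.hex())
    print("unique:", report["all_unique"], "defaults:", report["default_keys"])
```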
Troubleshooting
Tag not detected? Verify frequency and orientation. Some antennas are directional; try different angles/distances.
Interference: Metal surfaces and other tags nearby can detune fields. Isolate the tag and lift off metal by a few millimeters.
Read errors on HF secure tags: You may need correct keys and app/file selection sequence. Confirm key versions and diversification.
Emulation unreliable: Readers can be strict about timing. Use tools known to emulate your target tech, or test with the real tag to establish baselines.
FAQ
Is NFC the same as RFID?
NFC is a subset of HF RFID with standardized device roles and data formats (NDEF). All NFC is RFID, but not all RFID is NFC.
Can I “clone any card”?
No. Some legacy LF/HF tags without crypto can be trivially copied, but secure HF families (e.g., DESFire EVx) use strong cryptography and per-application keys. Always follow the law and your engagement scope.
Do UIDs guarantee uniqueness and security?
UIDs help identify tags but don’t imply security. Some tags use random or changeable UIDs; some readers accept any UID. Security depends on cryptographic protocols and reader/backend checks.
What about payments or transit systems?
These often involve additional cryptography, backend risk controls, and legal restrictions. Do not attempt to assess such systems without explicit authorization and a formal scope.