A Detailed Review of Top Gear for Pen Testers
In the realm of physical penetration testing, having the right tools at your disposal is imperative for uncovering vulnerabilities within security systems. RFID (Radio Frequency Identification) technology, used extensively for access control, is one such area ripe for scrutiny. The market offers a variety of RFID cloning gadgets, each with its unique set of features, advantages, and drawbacks. This post takes a magnified look at four prominent RFID cloning tools: Flipper Zero, I-copy XS, Chameleon Ultra, and Proxmark, shedding light on their capabilities, ease of use, and cost-effectiveness.
I have used all of these devices both in the field and during testing and will discuss my results, benchmark tests and my thoughts on each. This post will focus on devices for reading / writing cards and not backend attacks, so I won’t be discussing things like the ESP key.
Flipper Zero earned its stripes in the hacking community, notably going viral on TikTok. Its appeal lies in its multi-faceted functionality, offering not just RFID cloning, but also hacking capabilities for USB-enabled computers and sub-1-gigahertz radio devices. This device caters to both seasoned pen testers and novices, serving as a learning tool for the latter. However, its effectiveness dwindles when faced with encrypted communications between readers and access badges, posing a challenge in certain security environments.
During testing the Flipper performed decently as an RFID device, with a few exceptions. Decrypting HF cards it had not seen before could be a very slow process compared to the other devices on this list.
When attempting to decrypt a Mifare Classic 1k card whose key the Flipper did not already know, the time to decrypt was:
While waiting around 3 minutes isn’t a deal breaker, it may seem like an eternity if you’re grabbing someone’s badge from their desk to clone in a crowded office. That said, the Flipper has abilities the other devices on this list simply do not have, and you may find that the Flipper’s slower RFID abilities paired with some of its other uses make it the device to use in certain situations.
Struggles with copying cards
Long decryption times for unknown keys (benchmark was around 3 minutes)
Struggles with simulating some card types
Boasting a built-in Proxmark 3, I-copy XS stands out for its ease of use and rapid cloning of RFID badges across a wide spectrum of Low Frequency (125 kHz / 134 kHz) and High Frequency (13.56 MHz) RFID tags. Its user-friendly interface takes the hassle out of RFID cloning, making it a go-to for penetration testers and security researchers. Despite its prowess, it’s noteworthy that the creators do not market it as a pen testing device, but rather towards consumers in the property sector.
This is my go-to device as it is effectively a Proxmark with a built-in battery, GUI and “easy button” for copying cards.
During testing I have found that it can struggle with simulating some card types (usually LF cards for some reason), but is extremely reliable at cloning cards. Bring a few writable card types, or something like the “magic watch” and you will likely be set for most situations.
The I-copy can also easily sniff out keys from HF card readers to drastically speed up decryption times and permanently add the key to its DB. There is a GitHub repo to which people add discovered Mifare Classic keys; you can also add those keys to your I-Copy manually.
Note that there are several versions of the I-copy, and if you are going to buy one ensure that you purchase the XS model, as it can handle the most card types. There is no point in spending the extra money on an I-copy only to get one with limited functionality.
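Because those public key lists let any of the devices above open a sector instantly, the defender-side question is whether your own badges still use keys that appear in them. The following added example (not code from the original post or from any of the reviewed tools) parses a Proxmark-style key dictionary (one 12-hex-digit key per line, `#` comments ignored, an assumed layout) and reports which sector keys from a badge dump are on the public list; the sample dictionary and badge data are constructed inline.

```python
"""Check Mifare Classic sector keys against a public key dictionary (added example)."""
import re

KEY_RE = re.compile(r"^[0-9A-F]{12}$")

# Constructed sample in the shape of a community key dictionary.
# FFFFFFFFFFFF is the Mifare Classic transport (factory) key and A0A1A2A3A4A5
# the MAD key; 123456789ABC stands in for a site key that has been published.
SAMPLE_DICT = """\
# Mifare Classic default keys (constructed sample)
FFFFFFFFFFFF
a0a1a2a3a4a5   # mixed case and a trailing comment should still parse
000000000000
123456789ABC
not_a_key      # malformed line, skipped
"""


def parse_key_dict(text: str) -> set[str]:
    """Return the set of well-formed keys, upper-cased, from dictionary text."""
    keys = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip().upper()
        if token and KEY_RE.match(token):
            keys.add(token)
    return keys


def audit_sector_keys(sector_keys: dict, known: set) -> list:
    """Report (sector, 'A' or 'B', key) for every sector key found in the public list.

    sector_keys maps sector number -> (key A, key B) as hex strings, e.g. taken
    from a dump of one of your own badges. Any hit means that sector is readable
    by anyone carrying the dictionary, so the badge offers no secrecy there.
    """
    hits = []
    for sector, (key_a, key_b) in sorted(sector_keys.items()):
        for slot, key in (("A", key_a), ("B", key_b)):
            if key.upper() in known:
                hits.append((sector, slot, key.upper()))
    return hits


if __name__ == "__main__":
    public = parse_key_dict(SAMPLE_DICT)
    # Constructed badge: sector 0 still on factory keys, sector 1 on a site key.
    badge = {0: ("FFFFFFFFFFFF", "FFFFFFFFFFFF"), 1: ("D3F2A1B4C5E6", "123456789ABC")}
    for sector, slot, key in audit_sector_keys(badge, public):
        print(f"sector {sector} key {slot} = {key} is in the public dictionary")
```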
Very easy to use
Single button to “Do everything for me”
Doubles as a proxmark
Comes with many cloneable cards
Easily add extra keys to database
Probably the best for reliably and quickly copying cards in the field
Chameleon Ultra is a compact, key-chain sized device, revered for its emulation and cloning capabilities across LF and HF spectrums. Priced at around $120, it’s a cost-effective option for RFID enthusiasts and pen testers alike. Though compact, its size can be a drawback for PCBA manufacturing and firmware development, necessitating a larger volume development board for these tasks.
I really want to like this product, but always seem to have issues with it both in testing and in the field. The most reliable usage I have found for this device requires an Android phone and the device. Place the device over the card you want to copy, then use the phone to “read the card”. At this point you can walk away and attempt to either add the card to a slot in the Chameleon for simulation, or crack the card’s encryption (both of which can be done away from the card).
The clone tag button is very hit-and-miss in my testing and I wouldn’t rely on it in the field when you may not get a second try copying a badge. Using the phone’s GUI to read and copy badges is simply more reliable.
On the plus side, grabbing the card data is almost instant, which means you can grab a card very fast, though you will need two hands (phone and device). On the other hand the process to add the newly discovered / decrypted tag to the device is rather slow and awkward.
Place the device onto the card and use your phone to read the tag
Decrypt the tag if necessary
Save the tag under whatever name you wish
Select the newly saved tag onto an open slot on the device
Close out the phone’s GUI to unpair the device and phone
Select the slot number your saved tag is on when you are at the card reader to simulate the new tag
NOTE that the Chameleon Tiny is effectively a dead project. If you are going to purchase one of these ensure it is the Ultra, as this is a project that is still being worked on.
A long-standing player in the RFID arena, Proxmark 3, priced at $270, is known for its robustness in snooping, listening, and emulating RFID tags ranging from Low Frequency (125 kHz) to High Frequency (13.56 MHz). It’s an invaluable tool for physical pen tests, capable of capturing, replaying, and cloning certain RFID tags. The setup and firmware updating can be quite the chore, but once past these hurdles, its performance in RFID experimentation is commendable.
The Proxmark is the original RFID / NFC Swiss Army knife. If it cannot do something in this field, then none of the other tools on this list will be able to either.
The Proxmark does require a lot of time to learn all of its abilities, but it can do things the other tools on this list simply cannot (with the exception of the I-copy, as it is effectively a Proxmark in a box).
It is also the only device on this list (that I am aware of) that can be paired with a long range reader, making it a very useful tool for stealing ID cards at a distance (of course distance is relative here).
NOTE that if you are going to purchase a Proxmark, ensure that you get the Proxmark3 RDV4. There are other models such as the “Proxmark Easy”, but these are cheaper with far less reliability.
Open-source project
The most capabilities of reading / copying / writing / altering cards
Fastest at card manipulation (read/write/decrypt/etc)
Can be used with long range readers
The landscape of RFID cloning gear is rich and varied, catering to different levels of expertise and different facets of RFID exploration. Whether you’re a seasoned pen tester, a hobbyist, or a security researcher, the market has something to offer. Your choice boils down to your specific needs, budget, and the level of complexity you are willing to navigate. Each of the discussed tools brings a unique flavor to the table, and a careful consideration of their pros and cons will steer you towards the one that aligns with your objectives in the fascinating world of RFID cloning and penetration testing.
Like all tools, there is no best or worst tool; there are simply trade-offs and personal preferences. You may find that different engagements and situations require different tools, but hopefully this list gave you a better idea of the capabilities and use cases for each.
For individuals looking for a hands on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.