Is it possible to clone an RFID/NFC card using a simple RFID reader, for future reuse and impersonation?

  • RFID/NFC technology is used in credit cards and many other personal identification applications.

    Is it possible/how easy is it to clone a card using a simple RFID reader?

    In other words, can the retrieved information be reused in the future by the attacker?

  • Natanael (correct answer)

    7 years ago

    NFC devices which do not use public key crypto, encrypted tokens, HMAC tokens or similar cryptographic mechanisms where there is a secret that never leaves the device can all be impersonated. Simple devices often just have a static string of data which they broadcast.

    Many newer NFC devices, as well as most enterprise-grade devices since basically forever, use cryptography which prevents impersonation.

    However, some of the new credit cards lack this type of cryptography. But from what I understand most of them now implement cryptography as defined by the EMV security standards.

    Then there's also the issue that some of the variants, like some Mifare variants, are crackable due to side-channel attacks against the cryptography. IIRC most newer ones aren't vulnerable, but I'm not entirely sure of the current state of this.

    So the manufacturer of the receiver hard-codes the key in the receiver, to correspond to the key on the card? If yes, then if one gets his hands on a receiver they can retrieve the key, no?

    @Sparkler With public key cryptography they put the public key in the receiver (or the server it is connected to); it only gets a signature which it can verify. It cannot impersonate the card. With symmetric key based systems like HMAC and OTP, however, yes it can. However, the receiver is usually well protected or communicates with a secure server which holds the secret.
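
The difference the answer draws between a tag that broadcasts a static string and a tag whose secret never leaves the device, as an added example that is not part of the original thread. It is a pure software simulation; the class names, the sample identifier, and the choice of HMAC-SHA256 with a 16-byte random challenge are assumptions.

```python
import hashlib
import hmac
import secrets


class StaticTag:
    """Broadcasts the same stored string on every read; holds no secret."""
    def __init__(self, data: bytes):
        self.data = data

    def respond(self, challenge: bytes) -> bytes:
        return self.data  # the challenge is ignored


class HmacTag:
    """Holds a key that never leaves the tag; answers HMAC(key, challenge)."""
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Reader:
    """Sends a fresh random challenge and checks the tag's response."""
    def __init__(self, expected_for):
        self.expected_for = expected_for  # maps challenge -> expected response

    def authenticate(self, tag) -> bool:
        challenge = secrets.token_bytes(16)
        return hmac.compare_digest(tag.respond(challenge), self.expected_for(challenge))


def demo() -> dict:
    data = b"CARD-0001"             # constructed sample identifier
    key = secrets.token_bytes(32)   # constructed shared secret
    static_tag, hmac_tag = StaticTag(data), HmacTag(key)
    static_reader = Reader(lambda c: data)
    # Symmetric scheme: the reader must hold the same key as the tag.
    hmac_reader = Reader(lambda c: hmac.new(key, c, hashlib.sha256).digest())
    # A copy made from one observed response can only repeat those bytes.
    copy_static = StaticTag(static_tag.respond(b""))
    copy_hmac = StaticTag(hmac_tag.respond(secrets.token_bytes(16)))
    return {
        "static_genuine": static_reader.authenticate(static_tag),
        "static_copy": static_reader.authenticate(copy_static),
        "hmac_genuine": hmac_reader.authenticate(hmac_tag),
        "hmac_copy": hmac_reader.authenticate(copy_hmac),
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC reader's check closes over `key`, which is the point of the last comment: in a symmetric scheme the verifier stores the same secret as the card, so the reader or its back-end server has to be protected as carefully as the card itself.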

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM