On LinkedIn the other day I posted a video showing how an RFID card could be cloned without having a reader (e.g. I-copy, Flipper, etc.) directly on the card or using a long-range reader somewhere off-screen. In case you didn't see the video, you can see it here.
How would you discreetly clone an access card if you only had a brief moment of physical access to it? This question isn't just hypothetical; it's a real challenge faced in the field.
I asked for some ideas on how this could be accomplished, and got some very interesting ideas back. In this post, I am going to go over how this works, why I use the method I do and what its pros and cons are when cloning a badge.
Before I give away how this works, I want to first explain a limitation of RFID badges, as it will help you to understand why I use this method.
Technical Nuances: The Importance of Alignment & Distance
Whether you are trying to use an RFID badge legitimately on a reader or copy it for a pentest, there are a few things that need to be considered.
A crucial aspect often overlooked is the alignment of the RFID card and the reader. Cards need to be flush with the reader for effective cloning. This requirement poses a challenge when cards are placed horizontally, such as on desks or tables. In basic terms, if you present a card to the reader or cloner horizontally (its face at right angles to the reader's) it will likely not read correctly, because the antenna coil inside the card will not pick up the power the reader is emitting.
The above picture shows an RFID detection device held horizontally relative to a reader (a phone). Notice that no LED is lit, indicating that the antenna is getting no power from the reader.
This photo shows the same device held flush with the reader. The antenna is now receiving power, and the LED it is connected to lights up.
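To make the alignment and distance effect concrete, here is a small simulation I have added to this post; it is not code from the original video or from any cloning tool. It uses the standard on-axis field formula for a circular loop and treats the card coil as a flat pickup whose linked flux scales with the cosine of its tilt, which is a first-order model that ignores tag resonance and off-axis field components. The reader loop dimensions, current, card coil area and the LED threshold are all constructed values, chosen only to illustrate the flush-versus-flat case shown in the two photos.

```python
import math

MU0 = 4 * math.pi * 1e-7  # permeability of free space, H/m


def on_axis_field(z_m, turns=3, current_a=0.1, loop_radius_m=0.03):
    """Flux density (tesla) on the axis of a circular reader loop at distance z_m.
    Standard on-axis loop formula. turns/current/radius are constructed reader
    parameters for illustration, not a real reader's values."""
    a = loop_radius_m
    return MU0 * turns * current_a * a ** 2 / (2 * (a ** 2 + z_m ** 2) ** 1.5)


def tag_flux(z_m, tilt_deg, tag_area_m2=0.0035):
    """Flux (weber) linking the card coil. tilt_deg is the angle between the card
    face and the reader face: 0 = flush, 90 = card lying flat on a desk while the
    reader is held upright. Only the field component normal to the coil counts,
    hence the cosine term."""
    return on_axis_field(z_m) * tag_area_m2 * math.cos(math.radians(tilt_deg))


def relative_coupling(z_m, tilt_deg):
    """Coupling as a fraction of the best case (flush and touching the reader)."""
    return tag_flux(z_m, tilt_deg) / tag_flux(0.0, 0.0)


def led_lit(z_m, tilt_deg, threshold=0.2):
    """Constructed detector model: the LED lights once the card harvests at least
    `threshold` of the best-case coupling (the 20% figure is an assumption)."""
    return relative_coupling(z_m, tilt_deg) >= threshold


def sweep_tilt(z_m, step_deg=15):
    """Relative coupling at one distance for tilt angles 0..90, to show the
    cosine fall-off as the card rotates away from the reader face."""
    return [(deg, round(relative_coupling(z_m, deg), 3))
            for deg in range(0, 91, step_deg)]


if __name__ == "__main__":
    for z, tilt in [(0.01, 0), (0.01, 90), (0.05, 0)]:
        print(f"{z * 100:.0f} cm, {tilt:>2} deg: coupling={relative_coupling(z, tilt):.3f} "
              f"LED={'on' if led_lit(z, tilt) else 'off'}")
    print(sweep_tilt(0.01))
```

Running it reproduces the two photos: at 1 cm and flush the LED is on, at 1 cm but lying flat it is off, and at 5 cm even a flush card drops below the threshold, which is why a badge on a desk has to be lifted and held face-to-face with the reader rather than swiped past at an angle.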