When you scan your RFID access card at a building entrance, you probably assume it's doing something sophisticated—maybe cryptographically verifying your card’s legitimacy.
However, many card readers, even ones marketed as “secure,” only check the card’s unique identifier (UID) and fail to enforce a cryptographic challenge-response.
This oversight makes many access control systems vulnerable to simple cloning attacks. If a system relies only on a card's UID, an attacker can use a cheap RFID tool to copy or spoof that UID, gaining unauthorized access with minimal effort.
This post goes into detail on how cards and readers communicate, and on how even cards that support strong authentication can be cloned when the reader is set up to check nothing but the UID.
How RFID Access Cards Communicate with Readers
When an RFID access card is presented to a reader, a structured communication process begins, similar to a TCP handshake in networked systems. This process ensures that data is exchanged in a specific sequence, and in more secure implementations, it also enforces cryptographic authentication.
The communication can be broken down into the following steps:
1. Power & Initialization (Electromagnetic Coupling)
Most RFID cards, especially passive ones, do not have an internal power source. Instead, they rely on electromagnetic induction from the reader. Here’s how it works:
The reader continuously emits an RF field (typically at 125 kHz for LF or 13.56 MHz for HF systems).
When a card enters this field, its internal coil harvests energy from the RF signal, activating the card’s chip.
The chip powers on and synchronizes with the reader’s signal, preparing for data exchange.
2. Anti-Collision & UID Transmission
If multiple cards are within range, the reader needs to identify them individually. This is done through an anti-collision protocol; for the ISO/IEC 14443 Type A cards that dominate 13.56 MHz access control (MIFARE Classic, DESFire), it runs as follows:
The reader sends a polling request (REQA) and every card in the field answers with its ATQA.
The reader starts an anti-collision loop: the cards return their UID bytes, and wherever two cards differ the reader sees a collision at that bit, picks one value, and continues only with the cards that match it.
Once a single UID is resolved the reader sends SELECT and the card answers with its SAK, which tells the reader the card type and whether it speaks a higher-level protocol. UIDs longer than 4 bytes are collected over two or three such "cascade levels", each protected by a simple XOR check byte.
125 kHz cards have no anti-collision at all: an HID Prox or EM410x tag simply repeats its ID for as long as it is powered.
For UID-based access control, this is often the only step needed—the reader checks the UID against an access list, and if it matches, access is granted. However, in more secure systems, additional cryptographic authentication follows.
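As an added example (not code from the original post), the following reassembles a UID from the per-cascade-level responses of the anti-collision loop described above and reads the one SAK bit that matters most for security. The captured byte values, card types and SAK values are constructed for illustration.

```python
# Added example, not from the original post: reassemble the UID that an
# ISO/IEC 14443-3 Type A card returns during the anti-collision loop, one
# 5-byte response per cascade level (4 UID bytes + BCC check byte).
# All byte values below are constructed for illustration.

CASCADE_TAG = 0x88   # first byte of a level when more UID bytes follow


def bcc(chunk: bytes) -> int:
    """Block Check Character: XOR of the four UID bytes of one cascade level."""
    result = 0
    for b in chunk:
        result ^= b
    return result


def parse_anticollision(levels) -> bytes:
    """Return the 4-, 7- or 10-byte UID from the per-level responses.

    A response whose first byte is the cascade tag carries only three UID
    bytes and announces another level; the BCC must match at every level.
    """
    uid = bytearray()
    for n, resp in enumerate(levels, start=1):
        if len(resp) != 5:
            raise ValueError(f"cascade level {n}: expected 5 bytes, got {len(resp)}")
        data, check = resp[:4], resp[4]
        if bcc(data) != check:
            raise ValueError(f"cascade level {n}: BCC mismatch")
        last = n == len(levels)
        if data[0] == CASCADE_TAG:
            if last:
                raise ValueError(f"cascade level {n}: tag says more follows, none given")
            uid += data[1:]
        else:
            if not last:
                raise ValueError(f"cascade level {n}: UID complete but more levels given")
            uid += data
    if len(uid) not in (4, 7, 10):
        raise ValueError(f"invalid UID length {len(uid)}")
    return bytes(uid)


def sak_supports_iso14443_4(sak: int) -> bool:
    """Bit 0x20 of the SAK set: the card speaks ISO/IEC 14443-4 (APDUs), as
    DESFire does. Clear: proprietary command set only, e.g. MIFARE Classic."""
    return bool(sak & 0x20)


def describe_card(levels, sak: int) -> dict:
    """Everything a UID-only reader learns about a card: exactly this, and
    nothing an attacker could not sniff or emulate."""
    uid = parse_anticollision(levels)
    return {"uid": uid.hex(), "uid_len": len(uid),
            "iso14443_4": sak_supports_iso14443_4(sak)}


# Constructed captures: a 4-byte-UID card (MIFARE Classic 1K, SAK 0x08) and
# a 7-byte-UID card (DESFire, SAK 0x20).
CLASSIC_CAPTURE = [bytes.fromhex("deadbeef22")]
DESFIRE_CAPTURE = [bytes.fromhex("8804a23b15"), bytes.fromhex("1c5d6e7f50")]

if __name__ == "__main__":
    print(describe_card(CLASSIC_CAPTURE, 0x08))
    print(describe_card(DESFIRE_CAPTURE, 0x20))
```

The point of the exercise is what is not there: nothing in the exchange is secret, so a reader that stops after SELECT has only learned a value that any sniffer sitting next to it learned too.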
3. Challenge-Response Authentication (Optional but Secure)
In advanced systems, after receiving the UID, the reader initiates a cryptographic challenge-response process to verify the card’s legitimacy.
The reader sends a random challenge (nonce).
The card encrypts this challenge using a shared key stored in its chip.
The card sends the encrypted response back to the reader.
The reader verifies the response using its own stored key. If it matches, the card is authenticated.
This prevents simple UID cloning attacks, as an attacker would need access to the encryption key to generate a valid response.
How RFID Cards Use Encryption
Encryption in RFID access control systems varies by technology and manufacturer. Some cards rely solely on static UIDs (which are insecure), while others implement AES, DES, or proprietary encryption schemes to protect their data.
1. Weak or Nonexistent Encryption: UID-Based Systems
HID Prox (125 kHz) cards broadcast a static facility code + card number with no encryption at all. MIFARE Classic (13.56 MHz) does have per-sector keys (the proprietary Crypto-1 cipher), but its UID is sent in the clear during anti-collision, Crypto-1 has been broken since 2008, and a UID-only reader never even asks for the sector keys.
Either way the identifying data is transmitted in plaintext, so an attacker with a Flipper Zero or Proxmark3 can read it and clone it onto a writable tag or UID-changeable card.
Example of a Prox-format card data structure (H10301 - HID 26-bit format):
Bit position   Field             Description
1              Even parity bit   Even parity over bits 2-13
2-9            Facility code     Site-specific identifier (8 bits, 0-255)
10-25          Card number       Unique to the user (16 bits, 0-65535)
26             Odd parity bit    Odd parity over bits 14-25
Since this data is unencrypted, it can be copied and replayed easily.
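As an added example (not code from the original post), here is an encoder and decoder for the H10301 layout in the table above, including both parity bits. The facility code and card number used in the demonstration are constructed sample values.

```python
# Added example, not from the original post: encode/decode the HID H10301
# 26-bit format. Bit 1 of the format is the MSB of the frame; bits 2-9 are
# the facility code, bits 10-25 the card number, bit 26 the trailing parity.


def even_parity_bit(bits):
    """Bit that makes the number of ones in bits (plus itself) even."""
    return sum(bits) % 2


def odd_parity_bit(bits):
    """Bit that makes the number of ones in bits (plus itself) odd."""
    return 1 - sum(bits) % 2


def data_bits(payload: int):
    """The 24 payload bits (frame bits 2-25), MSB first."""
    return [(payload >> (23 - i)) & 1 for i in range(24)]


def encode_h10301(facility_code: int, card_number: int) -> int:
    """Return the 26-bit frame as an integer."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = (facility_code << 16) | card_number
    bits = data_bits(payload)
    lead = even_parity_bit(bits[:12])    # covers frame bits 2-13
    trail = odd_parity_bit(bits[12:])    # covers frame bits 14-25
    return (lead << 25) | (payload << 1) | trail


def parity_ok(frame: int) -> bool:
    """True if both parity bits of a 26-bit frame are consistent."""
    if frame < 0 or frame >> 26:
        return False
    bits = data_bits((frame >> 1) & 0xFFFFFF)
    lead_ok = ((frame >> 25) & 1) == even_parity_bit(bits[:12])
    trail_ok = (frame & 1) == odd_parity_bit(bits[12:])
    return lead_ok and trail_ok


def decode_h10301(frame: int):
    """Return (facility_code, card_number); raise on a corrupted frame."""
    if not parity_ok(frame):
        raise ValueError("parity check failed or frame is not 26 bits")
    payload = (frame >> 1) & 0xFFFFFF
    return payload >> 16, payload & 0xFFFF


def to_bitstring(frame: int) -> str:
    """The frame as clocked out on the Wiegand lines, bit 1 first."""
    return format(frame, "026b")


def from_bitstring(bits: str) -> int:
    """Inverse of to_bitstring; accepts a sniffed 26-character string."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 characters of 0/1")
    return int(bits, 2)


if __name__ == "__main__":
    # Constructed sample credential: facility code 42, card number 1234.
    frame = encode_h10301(42, 1234)
    print(to_bitstring(frame))            # 10010101000000100110100100
    print(decode_h10301(frame))           # (42, 1234)
    # Parity catches a flipped bit, but there is nothing secret here: anyone
    # who reads the 26 bits can re-encode the same credential.
    print(parity_ok(frame ^ (1 << 20)))   # False
```

The parity bits protect against transmission errors only; they add no secrecy, which is why a captured bitstring is all an attacker needs to program a T5577 tag that the reader cannot tell from the original.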
2. Symmetric Encryption (DESFire, iCLASS, LEGIC)
More secure cards like MIFARE DESFire EV1/EV2 and HID iCLASS SE use symmetric encryption (e.g., AES-128 or DES/3DES) to protect data and authenticate communication.
Instead of simply transmitting a UID, these cards use session keys that change with each transaction.
How symmetric encryption works in RFID authentication:
The reader and card share a pre-established encryption key (stored securely in each).
The reader sends a random challenge to the card.
The card encrypts the challenge using its stored key and sends the response.
The reader decrypts the response and verifies that the card is genuine.
Without knowing the shared key, an attacker cannot generate a valid response, preventing cloning attacks.
3. Mutual Authentication & Secure Key Exchange
Some systems use mutual authentication, where both the card and the reader authenticate each other before exchanging data.
Elliptic Curve Cryptography (ECC) or Diffie-Hellman key exchange can be used for secure session establishment, making replay and man-in-the-middle attacks significantly harder.
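The challenge-response flow from the "Challenge-Response Authentication" and "Symmetric Encryption" sections, extended to the mutual authentication just described, as an added example that is not code from the original post. HMAC-SHA256 stands in for the AES/3DES primitive that real DESFire and iCLASS SE credentials use, the message layout is simplified, and MASTER_KEY and EMPLOYEE_UID are constructed sample values; the per-UID key diversification is shown in simplified form. The model runs the same cloned credential against a UID-only reader and a challenge-response reader so the difference is visible.

```python
# Added example, not from the original post: a model of a UID-only reader
# beside a challenge-response reader. HMAC-SHA256 stands in for the AES /
# 3DES primitive used by real DESFire or iCLASS SE cards, and the message
# layout is simplified. MASTER_KEY and EMPLOYEE_UID are constructed sample
# values; key diversification per UID is shown in simplified form.
import hashlib
import hmac
import secrets

MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed
EMPLOYEE_UID = bytes.fromhex("04a23b1c5d6e7f")                     # constructed


def keyed(key: bytes, *parts: bytes) -> bytes:
    """Keyed function standing in for encrypting a challenge under key."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def diversify(master: bytes, uid: bytes) -> bytes:
    """Per-card key derived from the master key and the UID, so extracting
    one card's key does not expose every card in the estate."""
    return keyed(master, b"diversify", uid)


class Card:
    """A credential. A clone built from a sniffed UID has key=None."""

    def __init__(self, uid: bytes, key: bytes = None):
        self.uid, self.key = uid, key

    def answer(self, rnd_a: bytes):
        """Pass 2: prove key knowledge over the reader's nonce and a fresh
        nonce of our own (None if this card holds no key)."""
        if self.key is None:
            return None
        rnd_b = secrets.token_bytes(16)
        return rnd_b, keyed(self.key, b"card", rnd_a, rnd_b)

    def verify_reader(self, rnd_a: bytes, rnd_b: bytes, proof: bytes) -> bool:
        """Pass 3: the card checks that the reader knows the key as well."""
        if self.key is None:
            return False
        return hmac.compare_digest(proof, keyed(self.key, b"reader", rnd_b, rnd_a))


class ReplayCard(Card):
    """Attacker device replaying one previously captured card response."""

    def __init__(self, uid: bytes, captured):
        super().__init__(uid, key=None)
        self.captured = captured

    def answer(self, rnd_a: bytes):
        return self.captured          # ignores the reader's fresh challenge


class Reader:
    def __init__(self, policy: str, allowed_uids, master_key: bytes):
        if policy not in ("uid_only", "challenge_response"):
            raise ValueError(policy)
        self.policy = policy
        self.allowed = set(allowed_uids)
        self.master = master_key      # in a real reader this sits in a SAM

    def authenticate(self, card: Card):
        """Return (granted, session_key). The UID always arrives in the clear
        from anti-collision; only the second policy checks anything else."""
        if card.uid not in self.allowed:
            return False, None
        if self.policy == "uid_only":
            return True, None         # the shortcut that makes cloning work
        key = diversify(self.master, card.uid)
        rnd_a = secrets.token_bytes(16)             # pass 1: fresh challenge
        reply = card.answer(rnd_a)
        if reply is None:
            return False, None
        rnd_b, proof = reply
        if not hmac.compare_digest(proof, keyed(key, b"card", rnd_a, rnd_b)):
            return False, None                      # wrong key, or a replay
        if not card.verify_reader(rnd_a, rnd_b, keyed(key, b"reader", rnd_b, rnd_a)):
            return False, None
        session_key = keyed(key, b"session", rnd_a, rnd_b)   # new every time
        return True, session_key


def demo() -> dict:
    """Run the scenarios the post describes and return who got in."""
    genuine = Card(EMPLOYEE_UID, diversify(MASTER_KEY, EMPLOYEE_UID))
    clone = Card(EMPLOYEE_UID)                       # sniffed UID, no key
    replay = ReplayCard(EMPLOYEE_UID, genuine.answer(secrets.token_bytes(16)))
    uid_reader = Reader("uid_only", [EMPLOYEE_UID], MASTER_KEY)
    crypto_reader = Reader("challenge_response", [EMPLOYEE_UID], MASTER_KEY)
    return {
        "genuine@uid_only": uid_reader.authenticate(genuine)[0],
        "clone@uid_only": uid_reader.authenticate(clone)[0],
        "genuine@crypto": crypto_reader.authenticate(genuine)[0],
        "clone@crypto": crypto_reader.authenticate(clone)[0],
        "replay@crypto": crypto_reader.authenticate(replay)[0],
    }


if __name__ == "__main__":
    for scenario, granted in demo().items():
        print(f"{scenario:18s} -> {'ACCESS' if granted else 'denied'}")
```

Two design points carry over to real deployments: the reader's nonce is what defeats replay (a recorded response was computed over a different challenge), and the session key is derived from both nonces, so each transaction's traffic is keyed differently even for the same card.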
Assessing a Reader in the Field
1. Identifying UID-Based Card Readers
Not all card readers are created equal. Some support full cryptographic authentication, while others only read a card’s UID, leaving them wide open to attacks.
Look for the Reader Model and Manufacturer
Most card readers have branding or a model number printed on them. A quick web search of the model number usually tells you which credential technologies the reader supports; the manufacturer's datasheet is a better source than the marketing page, which tends to call anything at 13.56 MHz "secure".
Common insecure readers (UID-based):
HID Prox (125 kHz)
EM4100 / EM4200 readers
Generic 13.56 MHz MIFARE Classic readers
More secure readers (challenge-response authentication):
HID iCLASS SE / iCLASS Elite
MIFARE DESFire EV1/EV2 readers
LEGIC Advant
Even if a reader supports secure cards, it can still be configured to read only the UID (a common outcome of a migration from an older system, where UID mode keeps every old card working), so the model number alone is never enough to confirm security.
2. Checking the Reader’s Frequency (LF vs. HF)
A card reader’s operating frequency is a strong hint about its security.
Low-Frequency (125 kHz) readers – Almost always UID-based and insecure: the LF formats (HID Prox, EM410x) carry no key at all.
High-Frequency (13.56 MHz) readers – Might support cryptographic authentication, but some are still UID-based depending on configuration.
How to check the frequency:
Hold an RFID tool such as a Proxmark3 or Flipper Zero against the reader. The reader is the one transmitting, so you are detecting its carrier rather than getting a "response"; on a Proxmark3 with Iceman firmware, lf tune and hf tune continuously report the voltage induced in the LF and HF antennas, and the matching reading jumps when the antenna is held against a live reader.
If you detect only a 125 kHz field, the reader is almost certainly UID-only.
If you detect a 13.56 MHz field, the reader might still be UID-based, but it at least has the option of cryptographic authentication.
If you detect both, the reader is multi-technology (HID multiCLASS SE readers, for example, read 125 kHz Prox as well as 13.56 MHz iCLASS). Unless the legacy technology has been disabled in the reader configuration, such a reader will accept a cloned 125 kHz card no matter how strong its 13.56 MHz credential is.
3. Observing Reader Behavior
Sometimes, a reader’s reaction can tell you whether it’s just checking the UID or actually requiring a cryptographic challenge.
Look at the Reader’s LED or Beep Behavior
If the reader beeps/flashes for any random card of the right technology → It decoded the credential and passed it on, which is typical of a UID-based reader. Treat this as a hint rather than proof, since an access-denied indication looks much the same on both kinds of reader.
If the reader gives no indication at all for a random card → It may be attempting a key-based authentication that the random card cannot complete.
Use a Dummy UID Card
A blank or random-UID test card only confirms that the reader decodes that card technology at all; any properly configured reader will deny an unknown UID. The decisive test, on a system you are authorized to test, is a copy of a credential that is already enrolled on that door: for 13.56 MHz MIFARE, a UID-changeable "magic" card programmed with the same 4- or 7-byte UID; for 125 kHz Prox, a T5577 tag written with the same facility code and card number.
If the reader accepts the copy → It’s UID-based (or, for Prox, the format itself carries no secret).
If the reader rejects a copy that carries an enrolled UID → It demanded something the copy cannot supply, i.e. sector keys or a challenge-response.
Try a UID Emulator
An RFID emulator (a Proxmark3 using hf 14a sim or lf hid sim, a Flipper Zero’s emulate function, etc.) can present the same enrolled UID without writing a physical card and lets you try several UIDs quickly. Command flags differ between firmware versions, so check your tool’s help output.
If the reader grants access → It’s UID-based.
If the reader denies the emulated UID → It likely requires a cryptographic challenge-response.
4. Recognizing Additional Security Features
If a reader has extra security measures, UID cloning alone may not be enough for an attacker to bypass access control.
Keypad + Card Authentication – Some systems require a PIN in addition to the card, making UID-only attacks ineffective.
Secure Access Modules (SAMs) – Some readers hold the reader-side keys in a tamper-resistant SAM, so the keys cannot be dumped from a reader pried off the wall. A SAM only helps, however, if the reader is actually configured to perform the key-based authentication rather than stopping at the UID.
However, if a system lacks these features and relies on UID alone, it is vulnerable to cloning attacks.
5. Why UID-Only Authentication is a Security Risk
If a system relies only on the UID, cloning a card is trivial. An attacker can:
Scan an employee’s card using a discreet RFID reader.
Copy the UID and program it into a blank card or an RFID emulator.
Use the cloned card to gain unauthorized access.
Since UIDs are static and sent in the clear, they can be duplicated in seconds. A secure system should require a cryptographic challenge-response between card and reader, with the keys held in the card’s chip and the reader’s SAM, so that a copy of everything an eavesdropper can see is still useless at the door.
Conclusion:
Use the following checklist to assess the reader’s security:
✅ Likely UID-Based (Vulnerable to Cloning)
Beeps/flashes when scanning any random card of the right technology
Accepts a UID-changeable card or emulator programmed with an enrolled UID
Operates at 125 kHz, or accepts 125 kHz cards alongside 13.56 MHz ones
❌ Likely Secure (Uses Challenge-Response Authentication)
Rejects a card or emulator that carries an enrolled UID but not the key
Operates only at 13.56 MHz with a credential type that supports keys (e.g., HID iCLASS SE, MIFARE DESFire EV1/EV2) and is configured to use them