Wireless Charging, RFID, and Proxmark

Intel Chen
7 min read · Nov 21, 2021


Intro

I have owned my Proxmark3, the “de-facto” RFID research tool, for about four years since I bought it (a cheaper Chinese copy) from China. At first, I only treated it as a fancy key fob copying tool that requires multiple cables, a computer, and a command-line tool to use. Recently, as I had to again fish the circuit-board contraption out of my box-full of unorganized gimmicks, I decided to learn a bit more about how RFID works and what Proxmark is doing under the hood of nicely-packaged CLI commands.

TL;DR

RFID is similar to wireless charging in that it uses magnetic induction (like in a transformer) to wirelessly couple two devices. Unlike wireless charging, RFID also modulates data onto its carrier wave to enable two-way communication between the reader and the tag. What is communicated is dictated by the data stored on the two devices. Proxmark3 can talk to RFID tags like an RFID reader and can rewrite the data stored in tag memory to modify the tags.

Wireless Charging

As we learned in high school physics class, an electric current flowing through a wire creates a magnetic field. Conversely, a magnetic field can also drive electrons to flow in a wire, provided the field is time-varying. This exchange mechanism from wired → wireless and wireless → wired enables us to transmit electricity wirelessly.

An analogy: anyone can exchange US dollars for bitcoin easily, so you can go dollar → bitcoin → dollar. Of course, just as in the analogy, there is a cost associated with each conversion step. Since the magnetic field spreads out in all directions and the receiving coil can only sit on one side of the sending coil, a significant amount of energy is wasted. This is similar to how we can’t capture all the energy from the Sun.

To mitigate the efficiency problem, a similar electric circuit, the transformer (not The Transformers), uses a magnetic core to confine the magnetic field and prevent energy loss. However, while magnetism still serves as the bridge between the two coils (electricity), we no longer have a wireless solution.

Regardless, the technology used in wireless charging enables RFID, where two devices can couple with each other wirelessly.

Additional reads: https://medium.com/practicum-by-yandex/how-wireless-charging-works-1b8f3e40be5c

RFID

RFID is the umbrella term for Radio-Frequency Identification, which includes NFC. A typical RFID system has a reader and a tag that the reader is trying to read. Think of the reader as the wireless charging pad and the tag as the smartphone waiting to be charged.

However, in addition to the simple charging relationship (yes, the RFID reader typically supplies power to the tag), both the reader and the tag can encode information onto the electromagnetic field (typically a sine-wave carrier produced by the time-varying field).

Now, it makes sense that the reader can modulate information onto its electromagnetic wave (since it’s the producer), but how does the tag modulate its response? It turns out that once the tag is coupled with the reader through the magnetic field, it can “shunt” its own coil (switching a load across it so that it draws more or less of the field’s energy), which increases or decreases the amplitude of the shared wave.

By strategically shunting the wave, the tag (wirelessly powered by the reader) can also tack on its own message for the reader to receive. An analogy for this process: think of the reader as a drummer playing some beats on a loop, and the tag as a person holding a magic cup that can either amplify or dampen sound. The reader provides power (sound) and reader → tag data (the beats on the drum). The listener, upon hearing the beats, wants to send a message back, so the listener holds out the cup to either amplify or dampen the sound. The drummer then hears the beats getting louder or quieter. Based on which beats changed, the drummer (reader) can decipher the message from the listener (tag).

Following the above analogy, there are certainly many ways the drummer can play the beat (the message broadcast by the reader) and drums with different pitches to use (the carrier frequency). Similarly, the listener can decide to send different messages (tag data) and can send the same message using different systems of cup-holding (data encoding).
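The shunting and encoding described above, in code: an added example (not from the original post) that simulates a tag load-modulating the reader’s carrier with Manchester-coded bits and a reader recovering them by envelope detection. The carrier frequency, sample rate, bit length and modulation depth are illustration values, not parameters from any RFID standard.

```python
import math

CARRIER_HZ = 125_000          # LF carrier, the band "lf search" looks at
SAMPLE_RATE = CARRIER_HZ * 8  # 8 samples per carrier cycle (illustration value)
SAMPLES_PER_BIT = 64          # one data bit spans 8 carrier cycles (illustration)
SHUNT_DEPTH = 0.4             # fraction the amplitude drops while the tag shunts


def manchester(bits):
    """Map each bit to two half-bit shunt states: 1 -> (off, on), 0 -> (on, off).
    Manchester coding guarantees a transition inside every bit, which lets the
    reader pick its threshold even for runs of identical bits."""
    states = []
    for b in bits:
        states += [0, 1] if b else [1, 0]
    return states


def tag_modulate(bits):
    """Carrier samples as the reader's coil sees them while the tag shunts."""
    half = SAMPLES_PER_BIT // 2
    samples = []
    for i, shunt in enumerate(manchester(bits)):
        amp = 1.0 - SHUNT_DEPTH * shunt   # shunt on -> amplitude dips
        for n in range(half):
            t = (i * half + n) / SAMPLE_RATE
            samples.append(amp * math.sin(2 * math.pi * CARRIER_HZ * t))
    return samples


def reader_demodulate(samples, nbits):
    """Envelope-detect each half bit, then undo the Manchester coding."""
    half = SAMPLES_PER_BIT // 2
    envelope = [max(abs(x) for x in samples[k * half:(k + 1) * half])
                for k in range(2 * nbits)]
    threshold = (max(envelope) + min(envelope)) / 2
    shunt = [1 if e < threshold else 0 for e in envelope]  # dip == shunt on
    bits = []
    for k in range(nbits):
        pair = (shunt[2 * k], shunt[2 * k + 1])
        if pair == (0, 1):
            bits.append(1)
        elif pair == (1, 0):
            bits.append(0)
        else:
            raise ValueError(f"no Manchester transition in bit {k}")
    return bits
```

Because every bit contains a transition, the reader recovers the data even when the tag sends all ones or all zeros.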

Most of the time, the reader simply expects the tag to sequentially send out all the data (with an agreed encoding) it contains in memory and make decisions based on those data.

In the case of ID cards, the less secure systems read all the tag data and check a certain chunk of it that represents an identifier. If the identifier matches what is whitelisted in the database, access is granted.

Additional reads: http://ftp.it.murdoch.edu.au/units/ICT219/Papers for transfer/Passive RFID Basics.pdf

Proxmark

Proxmark, at its core, is a configurable RFID reader. It can read and write RFID tags (only if the tag is writable).

For the simple RFID systems that only check tag memory and either match or reject, cloning RFID tags is as simple as putting the right piece of data in the right place.

For example, suppose an RFID tag holds 8 bits of information (xxxx xxxx) and the reader checks whether the 7th (0-indexed) bit is 1. Then we just need to make the modification (xxxx xxx1) to be granted access.

In reality, tag memory is longer and usually structured into sectors and blocks (like your hard drive!).

For each “protocol,” certain blocks are designated to hold information like card type, facility code, identifier, etc. If you know where these fields are located and what data you want to write onto the card, then it’s straightforward to change how a tag appears to the reader.

Proxmark’s libraries contain the work of many experts and abstract away many of the complexities. For example, to clone an ioProx tag, all it needs to know is the ID, and it will place the ID data in the correct position for the reader to understand.

proxmark> lf search # searching low-frequency RFID card
>>> <GET SOME ID VALUE IN RETURN>
proxmark> lf io clone <ID HERE> # write the ID value to another card using the "io" format

Of course, this is a very rudimentary authentication scheme and far too easily cloned. With a high-powered RFID reader that can read cards beyond just a few centimeters, a hacker can “swipe” the cards of anyone walking past the reader on the street.

A more advanced communication protocol would do more than just check data fields. Instead, the reader would send some message for the tag to process with a predetermined algorithm using an encryption key. If the response the tag returns matches what the reader computes with the correct key, then the tag is likely authentic. Because the reader’s message and the tag’s response are different each time, a hacker can’t simply replay a recorded tag response to gain access. That is, unless the encryption scheme is as simple as applying a trivial operation such as adding a constant to the input:

And that’s exactly why the more advanced RFID security protocols, such as the Mifare DESFire EV2 that UPenn uses, employ cryptographically secure algorithms as well as multiple (3) handshakes. In my research, I also found that NXP (the manufacturer of DESFire cards) implemented something called Proximity Check to prevent relay attacks (and I am shocked).

A relay attack is when two malicious devices are placed separately, one near the reader and one near the tag, and then, without actual authorization, relay each other’s signals to gain access remotely. Proximity Check leverages a physical constraint — electromagnetic signals cannot travel faster than the speed of light — and checks the delay in the response to ensure the credential (tag) is being used locally. (This has been hacked, too, by manipulating the clocking on the tag.)
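A small model of the challenge-response and delay check described in the last three paragraphs, added here as an example (not from the post, and not how DESFire or NXP’s Proximity Check is actually implemented): the “add a constant” scheme beside a keyed-hash scheme, and a reader that rejects replayed, wrong-key and too-slow responses. The key bytes, nonce length and the 50 µs round-trip bound are assumed values for illustration.

```python
import hashlib
import hmac
import secrets

MAX_ROUNDTRIP_US = 50  # assumed bound; a relayed answer arrives later than a local one


def weak_tag_response(challenge: int, const: int) -> int:
    """Weak scheme from the post: the 'key' is just a constant added to the challenge."""
    return (challenge + const) % 2**32


def predict_weak(c_seen: int, r_seen: int, c_new: int) -> int:
    """One observed exchange reveals the constant, so every later response is
    predictable; this is the property that makes the scheme useless."""
    return (c_new + (r_seen - c_seen)) % 2**32


def tag_response(challenge: bytes, key: bytes) -> bytes:
    """Keyed scheme: the tag answers with a MAC of the fresh challenge, so the
    response changes with every challenge and cannot be computed without the key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Reader:
    """Reader side: issues single-use nonces, compares the MAC in constant time,
    and rejects answers that arrive too late to have come from a local tag."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()   # challenges issued but not yet answered

    def challenge(self) -> bytes:
        c = secrets.token_bytes(8)
        self.outstanding.add(c)
        return c

    def verify(self, c: bytes, r: bytes, roundtrip_us: float) -> bool:
        if c not in self.outstanding:
            return False              # never issued, or already consumed (replay)
        self.outstanding.discard(c)   # each challenge is answered at most once
        if roundtrip_us > MAX_ROUNDTRIP_US:
            return False              # too slow to be local: treat as relayed
        return hmac.compare_digest(r, tag_response(c, self.key))
```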

Additional reads: https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/

Closing

Anyways, I hope you learned a bit more about wireless charging, RFID, and Proxmark. Perhaps next time, you won’t need to pay $150 for the apartment key fob!
