THE PROXMARK 3

What's really happening when you tap your card

The Little Device That Can Read Your Access Card and What Changed in 2024

Millions of people tap into offices, transit systems, and buildings every day without a second thought. The Proxmark3 has spent years revealing exactly why that assumption of safety deserves scrutiny. A 2024 security research paper added a significant new chapter to that story.

RFID Research · Covert Technology · Contactless Security

[Images: Proxmark3 RDV4 front view; Proxmark3 RDV4 with LF antenna attached]

// Proxmark3 RDV4 — the RFID research platform maintained by the open-source community and actively updated into 2025

Think about the last time you tapped your work badge against a reader. The light turned green, the door clicked open, and you walked through without giving it a moment's thought. But in that fraction of a second, your card and the reader were having a conversation, trading signals to establish who you are, and in a significant proportion of buildings worldwide, that conversation has serious problems. The Proxmark3 is the research device that has spent years making those problems visible. In 2024, the picture got considerably worse.

// SECTION 01

What It Is

The Proxmark3 is an RFID research platform. RFID is the technology inside every contactless card you carry. Your access badge, transit card, and hotel key all use it. The card carries no battery. It draws power from the reader's radio field, responds with data, and the reader decides whether to grant access.

The Proxmark3 can read that data, replay it, and impersonate either the card or the reader to see how the other side responds. It supports everything from older 125 kHz systems to modern 13.56 MHz NFC protocols, making it the closest thing the security research community has to a universal RFID diagnostic tool.

// What the Proxmark3 can do

  • Read data from RFID and NFC cards across low and high frequency ranges
  • Listen to the exchange between a card and a legitimate reader
  • Emulate a card to test how a reader responds
  • Emulate a reader to test how a card responds
  • Analyse authentication handshakes and identify weaknesses
  • Support scripted workflows for penetration testing

// SECTION 02

The Hardware: Proxmark3 Versions

The Proxmark3 has evolved significantly since its origins as an open hardware project. Each generation has improved on antenna design, processing power, and usability in the field.

// Hardware Generations

  • Proxmark3 Easy — The entry-level variant. Lower cost, fewer features, popular with hobbyists and those new to RFID research. Limited antenna performance compared to later revisions.
  • Proxmark3 RDV2 / RDV3 — Successive revisions improving antenna design and stability. Widely used through the mid-2010s and still capable for most research tasks.
  • Proxmark3 RDV4 — The current reference hardware. Modular antenna system, on-board Bluetooth for wireless operation via phone or laptop, improved LF and HF performance, and a dedicated SIM card slot for advanced emulation. This is the version most professionals use today.
  • Proxmark3 RDV4.01 — A minor revision to the RDV4 improving hardware stability and antenna connector reliability.

The RDV4 is the version most commonly referenced in security research today. Its modular antenna design means researchers can swap between specialised antennas for different tasks, and Bluetooth connectivity makes it practical for fieldwork where connecting a laptop would be conspicuous.

// SECTION 03

Iceman Firmware: The Community Engine

The hardware is only half the story. What makes the Proxmark3 genuinely powerful is the firmware running on it, and the most capable option available is the community-maintained Iceman firmware, developed under the RfidResearchGroup organisation on GitHub.

The original Proxmark3 firmware was functional but limited and slow to receive updates. Iceman began as a fork and has since become the de facto standard. It is more actively developed than the official codebase, supports a significantly wider range of card protocols, and receives regular updates as new vulnerabilities and card types are discovered. When Quarkslab published their FM11RF08S findings in 2024, proof-of-concept tooling was incorporated into the Iceman firmware relatively quickly, giving researchers a practical way to test affected cards.

// What Iceman firmware adds

  • Broader protocol support including MIFARE, iClass, HID, EM, T55xx, and many others
  • Scripting support via Lua and Python for automated testing workflows
  • Improved dictionary and key recovery attacks against MIFARE Classic
  • Active integration of new research findings as they are published
  • Bluetooth support for the RDV4, enabling wireless operation from a phone
  • A companion Android app for field use without a laptop

For anyone using a Proxmark3 seriously, running Iceman firmware rather than the stock firmware is standard practice. The difference in capability is significant.

// SECTION 04

MIFARE Classic: Broken Since 2008, Still in Use

MIFARE Classic, introduced by NXP Semiconductors in 1994, became the dominant card technology across corporate buildings, hospitals, universities, and transit networks. It used a proprietary encryption algorithm called Crypto1, kept secret on the assumption that secrecy was protection enough.

In 2008, academic researchers reverse-engineered the chip and found serious weaknesses throughout. The pseudo-random number generator was fragile. The keystream had exploitable patterns. The authentication process could be manipulated to recover the secret keys stored on a card. A working clone could then be produced that a reader had no way of distinguishing from the genuine card. The researchers demonstrated this on live hardware, in a real building, not in a lab.

By 2024, the security community's assessment of MIFARE Classic was clear: the protocol is intrinsically broken regardless of card variant. // Quarkslab, August 2024

The reason this matters today is that MIFARE Classic is still widely in use. Replacing card infrastructure is expensive and disruptive, and many organisations have deferred it. Systems installed years ago continue running the same broken cipher behind modern-looking hardware.

// SECTION 05

The Fudan Finding: What Quarkslab Discovered in 2024

In August 2024, security researchers at Quarkslab published a paper examining MIFARE Classic-compatible cards made by Shanghai Fudan Microelectronics, designated FM11RF08S. These cards have been found in access control and hotel key systems outside China, including in Europe and the United States, though the full extent of their deployment has not been publicly quantified.

// Quarkslab Research Finding — August 2024

Quarkslab found an undocumented command in FM11RF08S cards that can be accessed without normal authentication. Using it, an attacker can recover all user-configured keys on the card, even when those keys are diversified. The research does not establish whether this was intentional or a design oversight. What it does establish is that the mechanism exists, it works, and the only fix is replacing the cards. Proof-of-concept tooling was incorporated into the Proxmark3 Iceman firmware.

A follow-up update in late 2024 found a similar undocumented command in a related Fudan chip variant. FM11RF08S cards are visually indistinguishable from other MIFARE Classic-compatible chips, so organisations cannot determine the manufacturer by inspection alone.

// SECTION 06

e-Passports: How It Should Be Done

Electronic passports offer a useful contrast. Where Crypto1 was kept secret and collapsed when examined, e-Passport cryptography was designed using open, internationally reviewed standards. The chip will not respond without a key derived from the physical document itself, specifically the machine-readable zone on the photo page, so simply being near a passport gets an attacker nothing. The data inside is cryptographically signed, making tampering detectable.

Newer passports use PACE (Password Authenticated Connection Establishment), a stronger protocol that addresses weaknesses in the earlier Basic Access Control standard. The trajectory from Crypto1 to BAC to PACE is what happens when security systems are exposed to sustained scrutiny and updated accordingly. It is a standard the access card industry has been slow to match.
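To make the "key derived from the physical document" point concrete, here is an added example (not from the original article) of the Basic Access Control key derivation defined in ICAO 9303 Part 11: the passport number, date of birth and expiry date printed in the machine-readable zone, each with its check digit, are hashed to a seed from which the 3DES encryption and MAC keys are derived. The sample MRZ values are the ICAO specification's own worked example; a reader that has not seen the data page cannot reproduce these keys.

```python
import hashlib

# ICAO 9303 check digit: weights 7,3,1 over character values
# (digits 0-9 as themselves, letters A=10..Z=35, filler '<' = 0), mod 10.
def mrz_check_digit(field: str) -> int:
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch.isalpha():
            value = ord(ch.upper()) - ord("A") + 10
        else:  # '<' filler
            value = 0
        total += value * (7, 3, 1)[i % 3]
    return total % 10

def adjust_des_parity(key: bytes) -> bytes:
    # Every DES key byte must have odd parity; the LSB is the parity bit.
    out = bytearray()
    for b in key:
        if bin(b).count("1") % 2 == 0:
            b ^= 1
        out.append(b)
    return bytes(out)

def bac_keys(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str):
    """Return (Kseed, Kenc, Kmac) for BAC. doc_number is the 9-character
    MRZ document number, padded with '<' if shorter as printed."""
    mrz_information = (
        doc_number + str(mrz_check_digit(doc_number))
        + birth_yymmdd + str(mrz_check_digit(birth_yymmdd))
        + expiry_yymmdd + str(mrz_check_digit(expiry_yymmdd))
    )
    # Kseed: first 16 bytes of SHA-1 over the MRZ information.
    k_seed = hashlib.sha1(mrz_information.encode("ascii")).digest()[:16]
    derived = []
    for counter in (1, 2):  # counter 1 -> encryption key, 2 -> MAC key
        d = k_seed + counter.to_bytes(4, "big")
        derived.append(adjust_des_parity(hashlib.sha1(d).digest()[:16]))
    return k_seed, derived[0], derived[1]

if __name__ == "__main__":
    seed, kenc, kmac = bac_keys("L898902C<", "690806", "940623")
    print("Kseed", seed.hex().upper())
    print("Kenc ", kenc.hex().upper())
    print("Kmac ", kmac.hex().upper())
```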

// SECTION 07

Where Things Stand

Modern card systems using AES-based authentication, such as MIFARE DESFire and iClass SE, are significantly stronger. Per-card key diversification means one compromised card reveals nothing about the others. Mutual authentication, where both card and reader verify each other, closes the attack vectors that Crypto1 left open.
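The two properties named above, per-card key diversification and mutual authentication, as an added illustration that is not the article's own code and not the DESFire or iClass SE protocol itself: the reader re-derives each card's key from a master key and the card's UID, then both sides prove possession of that key over fresh nonces. The HMAC-based diversification and the exchange layout are simplifying assumptions made here (NXP's AN10922, for instance, specifies AES-CMAC); the sample master key and UIDs are constructed.

```python
import hmac
import hashlib
import secrets

def diversify(master: bytes, uid: bytes) -> bytes:
    # Per-card key as a one-way function of master key and UID (illustrative
    # HMAC-SHA256 construction, assumed here). A key read from one card gives
    # no route back to the master, hence nothing about another card's key.
    return hmac.new(master, b"\x01" + uid, hashlib.sha256).digest()[:16]

def tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

class Card:
    """Card side: stores only its own diversified key, never the master."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self._key = uid, key
    def respond(self, rnd_reader: bytes):
        # Step 2: prove key knowledge over both nonces; hand back own nonce.
        self._rnd_reader = rnd_reader
        self._rnd_card = secrets.token_bytes(8)
        return self._rnd_card, tag(self._key, rnd_reader + self._rnd_card)
    def verify_reader(self, reader_tag: bytes) -> bool:
        # Step 4: nonce order is swapped, so reflecting the card's tag fails.
        return hmac.compare_digest(
            reader_tag, tag(self._key, self._rnd_card + self._rnd_reader))

def mutual_auth(master: bytes, card: Card) -> bool:
    """Reader side. True only when card AND reader accept each other."""
    key = diversify(master, card.uid)              # reader re-derives the card key
    rnd_reader = secrets.token_bytes(8)            # step 1: fresh reader challenge
    rnd_card, card_tag = card.respond(rnd_reader)  # step 2
    if not hmac.compare_digest(card_tag, tag(key, rnd_reader + rnd_card)):
        return False                               # step 3: reader rejects card
    return card.verify_reader(tag(key, rnd_card + rnd_reader))  # step 4

MASTER = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed sample
UID_A = bytes.fromhex("04a1b2c3d4e5f6")                      # constructed UIDs
UID_B = bytes.fromhex("04112233445566")

def genuine_card_accepted() -> bool:
    return mutual_auth(MASTER, Card(UID_A, diversify(MASTER, UID_A)))

def wrong_key_rejected() -> bool:
    # Card B's key in a card presenting UID A: the key is bound to the UID.
    return not mutual_auth(MASTER, Card(UID_A, diversify(MASTER, UID_B)))

def rogue_reader_rejected() -> bool:
    # A reader without the real master cannot verify the card at step 3.
    return not mutual_auth(b"\x00" * 16, Card(UID_A, diversify(MASTER, UID_A)))
```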

The problem is that much of what is actually running in buildings today is not modern. MIFARE Classic remains widely deployed. FM11RF08S cards with undocumented commands have been found in systems across multiple countries. The Proxmark3 did not create either of those problems. It makes them demonstrable, which is the first step towards addressing them.

The reader beeps the same way whether the system behind it is solid or broken. That gap between appearance and reality is exactly what this research exists to close.

© ESPionic Technologies  ·  espionic.co.uk  ·  The Intelligence Hub  ·  RFID & Covert Technology Research
