Proxmark3 RDV4: The Professional Standard for RFID Security Research
If you do physical penetration testing, RFID security is unavoidable. Door access systems, employee badges, hotel key cards, parking gates — almost every physical security layer in a corporate environment relies on RFID or NFC technology. The Proxmark3 RDV4 is the tool the professionals use to audit all of it.
This guide breaks down what the Proxmark3 can do, how to get started with the Iceman firmware, and how it fits into a physical penetration testing engagement.
What Is the Proxmark3 RDV4?
The Proxmark3 is an open-source RFID research tool originally developed by Jonathan Westhues in 2007. The RDV4 (Research and Development Version 4), produced by the RfidResearchGroup (RRG), is the current hardware iteration. It adds a modular antenna system with swappable LF and HF antennas, improved signal quality, and a connector for the optional Blue Shark add-on, which supplies Bluetooth connectivity and a LiPo battery for standalone field operations.
The RDV4 runs the community-maintained Iceman firmware (the RfidResearchGroup/proxmark3 repository, also called the RRG firmware), which is significantly more capable than the original Proxmark3 firmware. It supports a large and steadily growing set of LF and HF protocols and is updated constantly by the security research community.
Hardware Overview
- Dual-frequency support: Low Frequency (125/134.2 kHz) and High Frequency (13.56 MHz)
- Swappable antennas: Separate LF and HF antenna modules for optimized read range
- Bluetooth module: Wireless connection for field work
- Battery port: Connect a LiPo battery for portable standalone operation
- USB-C connectivity: Modern interface for desktop/laptop connection
- FPGA plus ARM architecture: the FPGA handles real-time modulation and demodulation of the raw signal while an ARM microcontroller runs the protocol logic and the attacks
Low Frequency (LF) Capabilities
LF RFID (125 kHz) is used extensively in older access control systems and is notoriously insecure: most LF credentials are static identifiers broadcast without any authentication, so anything that can read the card can reproduce it. The Proxmark3 handles all major LF protocols:
HID Proximity Cards
HID is the dominant vendor in corporate access control. Legacy HID Prox cards transmit their facility code and card number in the clear, with no encryption and no authentication. The Proxmark3 can:
- Read and decode HID Prox card data (format, facility code, card number)
- Clone a card to a T5577 blank
- Brute-force card numbers within a known facility code against a reader, in authorized testing
- Simulate a specific card ID without writing a physical clone
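To make "in the clear" concrete, here is an added example (my code, not part of the Proxmark3 project) that encodes and decodes the HID H10301 26-bit format in the packed raw form the pm3 client prints and accepts, and enumerates the card-number space a brute force has to cover under one facility code. The reference value 2006ec0c86 (FC 118, CN 1603) is the one used in the pm3 `lf hid` help text; the packing rule I derive from it (bit 37 flags a sub-37-bit format, bit 26 marks the 26-bit length, Wiegand bits in bits 25..0) is my assumption about how pm3 lays the value out.

```python
# Added example (not from the Proxmark3 project): encode/decode the HID H10301
# 26-bit format that HID Prox cards transmit in the clear, in the packed "raw"
# form the pm3 client prints and accepts (e.g. `lf hid clone -r 2006ec0c86`).
#
# Wiegand 26-bit layout (H10301), MSB first:
#   bit 25:      even parity over the next 12 bits (FC + top 4 bits of CN)
#   bits 24..17: 8-bit facility code
#   bits 16..1:  16-bit card number
#   bit 0:       odd parity over the preceding 12 bits (low 12 bits of CN)
#
# Packing assumption for the pm3 raw value (consistent with the documented
# value 2006ec0c86 = FC 118, CN 1603): bit 37 flags a sub-37-bit HID format,
# bit 26 marks the 26-bit length, and the Wiegand bits sit in bits 25..0.

FORMAT_FLAG = 1 << 37      # "this is a <37-bit format" marker
LEN26_MARKER = 1 << 26     # highest set bit below the flag gives the length
WIEGAND_MASK = (1 << 26) - 1


def _popcount(x: int) -> int:
    return bin(x).count("1")


def encode_h10301(fc: int, cn: int) -> int:
    """Return the 26 Wiegand bits for a facility code / card number pair."""
    if not 0 <= fc <= 0xFF or not 0 <= cn <= 0xFFFF:
        raise ValueError("H10301 holds an 8-bit FC and a 16-bit CN")
    body = (fc << 16) | cn                 # 24 payload bits
    left, right = body >> 12, body & 0xFFF
    even = _popcount(left) & 1             # makes the 13-bit left group even
    odd = 1 - (_popcount(right) & 1)       # makes the 13-bit right group odd
    return (even << 25) | (body << 1) | odd


def to_pm3_raw(fc: int, cn: int) -> int:
    """Wrap the Wiegand bits the way pm3 prints/accepts them (-r <hex>)."""
    return FORMAT_FLAG | LEN26_MARKER | encode_h10301(fc, cn)


def decode_pm3_raw(raw: int) -> tuple[int, int, bool]:
    """Unpack a pm3 raw value into (fc, cn, parity_ok)."""
    if not (raw & LEN26_MARKER):
        raise ValueError("not a 26-bit H10301 raw value")
    bits = raw & WIEGAND_MASK
    body = (bits >> 1) & 0xFFFFFF
    fc, cn = body >> 16, body & 0xFFFF
    parity_ok = encode_h10301(fc, cn) == bits   # recompute both parity bits
    return fc, cn, parity_ok


def card_number_search_space(fc: int, start: int = 0, stop: int = 0xFFFF):
    """Yield (cn, raw) for every card number in [start, stop] under one FC.
    This is the entire brute-force surface: 65,536 candidates per facility
    code, each accepted by a reader if that number happens to be enrolled."""
    for cn in range(start, stop + 1):
        yield cn, to_pm3_raw(fc, cn)


if __name__ == "__main__":
    print(f"{to_pm3_raw(118, 1603):010x}")       # 2006ec0c86
    print(decode_pm3_raw(0x2006EC0C86))          # (118, 1603, True)
    # a single flipped bit breaks parity, which a reader rejects
    print(decode_pm3_raw(0x2006EC0C86 ^ 0x2))    # (118, 1602, False)
```

The enumeration in `card_number_search_space` is the idea behind the firmware's on-device `lf hid brute` command: with the facility code known from one captured badge, the remaining secret is a 16-bit card number, which a reader will happily test for you one simulated card at a time.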
EM4100 / EM4200
Older and extremely common in budget access control systems, parking gates, and time-and-attendance readers. No security whatsoever: read, clone, and simulate in seconds.
Other LF Protocols
- Indala, Pyramid, Viking, Noralsy, Honeywell
- Animal microchips (FDX-B, AVID, Trovan)
- ASK, FSK, PSK modulation types
High Frequency (HF) Capabilities
HF RFID (13.56 MHz) includes modern cards with real security — but the Proxmark3 exposes the weaknesses in many implementations.
MIFARE Classic
MIFARE Classic is one of the most widely deployed smart card standards in the world, used in transit systems, building access, and loyalty programs. It is also one of the most thoroughly broken: its proprietary Crypto1 cipher and weak on-card random number generator have been fully reverse-engineered. The Proxmark3 with Iceman firmware can:
- Darkside attack: recover one sector key with no prior knowledge, exploiting the weak PRNG and a parity-bit leak (weak-PRNG cards only)
- Nested attack: recover the remaining sector keys once one key is known, using the card's predictable nonces
- Hardnested attack: attack cards with a hardened PRNG (unpredictable nonces), where darkside and nested fail
- hf mf autopwn: chain the attacks above automatically and dump the whole card once every key is known
- Clone a fully dumped card to a magic card (UID-changeable MIFARE Classic clone)
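The darkside and nested attacks both rest on the same weakness, so here is an added example (my code, not Proxmark3 or Iceman code) that models it: the 16-bit LFSR that MIFARE Classic tags use to produce the 32-bit authentication nonce nT, with the generating polynomial x^16 + x^14 + x^13 + x^11 + 1 and nT taken as 32 successive output bits, as described by Garcia et al. in "Dismantling MIFARE Classic" (2008). The MSB-first bit ordering and the exact state-to-nonce mapping are my modelling assumptions; the two conclusions the code demonstrates do not depend on them: only 65,536 nonces are possible, and the second half of every nonce is a function of the first half.

```python
# Added example (not Proxmark3/Iceman code): a model of the 16-bit LFSR that
# MIFARE Classic tags use to generate the 32-bit authentication nonce nT
# (Garcia et al., "Dismantling MIFARE Classic", 2008): generating polynomial
# x^16 + x^14 + x^13 + x^11 + 1, nT = 32 successive output bits.
# Modelling assumptions: bits are MSB-first and the first 16 output bits are
# the register contents themselves. Conclusions that hold regardless:
#  - only 2^16 states exist, so only 65,536 nonces are possible;
#  - the low half of nT is determined by the high half.
# That predictability is what darkside and nested exploit; a card with a
# hardened PRNG removes it, which is why the hardnested attack exists.

STATE_BITS = 16
# s[k+16] = s[k] ^ s[k+2] ^ s[k+3] ^ s[k+5]  (taps from the polynomial above)
TAPS = (0, 2, 3, 5)


def lfsr_stream(state: int, nbits: int) -> list[int]:
    """Emit `nbits` output bits, beginning with the 16 state bits themselves."""
    bits = [(state >> (STATE_BITS - 1 - i)) & 1 for i in range(STATE_BITS)]
    while len(bits) < nbits:
        k = len(bits) - STATE_BITS
        bits.append(bits[k + TAPS[0]] ^ bits[k + TAPS[1]]
                    ^ bits[k + TAPS[2]] ^ bits[k + TAPS[3]])
    return bits[:nbits]


def _to_int(bits) -> int:
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def nonce_from_state(state: int) -> int:
    """The 32-bit nT a tag in this LFSR state would send."""
    return _to_int(lfsr_stream(state & 0xFFFF, 32))


def is_valid_nonce(nonce: int) -> bool:
    """True iff the low 16 bits follow from the high 16 bits; a genuine
    weak-PRNG tag can only ever produce nonces for which this holds."""
    return nonce_from_state(nonce >> 16) == (nonce & 0xFFFFFFFF)


def successor(nonce: int, clocks: int) -> int:
    """nT after the register has been clocked `clocks` more times, i.e. the
    nonce the tag would send if re-challenged that many ticks later.
    This is the prediction step the nested attack relies on."""
    bits = lfsr_stream(nonce >> 16, 32 + clocks)
    return _to_int(bits[clocks:clocks + 32])


def period(seed: int = 1) -> int:
    """Clocks until the register returns to `seed` (the all-zero state is a
    fixed point; any non-zero seed cycles through every other state)."""
    # integer form: bit 0 is the oldest state bit, new bits shift in at the top
    def step(s: int) -> int:
        new = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1
        return (s >> 1) | (new << (STATE_BITS - 1))
    s, n = step(seed), 1
    while s != seed:
        s, n = step(s), n + 1
    return n


if __name__ == "__main__":
    nt = nonce_from_state(0x1234)
    print(f"nT = {nt:08x}  valid={is_valid_nonce(nt)}  forged={is_valid_nonce(nt ^ 1)}")
    print("possible nonces:", 2 ** STATE_BITS, " LFSR period:", period())
```

`is_valid_nonce` is also a cheap triage test: if a card ever returns a nonce that fails it, the card is not running the classic weak PRNG and `hf mf autopwn` will have to fall back to the hardnested path.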
MIFARE DESFire
A significantly more secure card standard, with DES/3DES/AES mutual authentication. There is no practical key-recovery attack here; instead the Proxmark3 enumerates applications and files, authenticates with default or known keys (a factory all-zero master key is a common finding), and reads any file whose access rights permit unauthenticated reads, which is where misconfigured deployments leak data.
ISO 14443 / ISO 15693
ISO 14443 is the proximity-card protocol family beneath most NFC smart cards, including ePassports and many government IDs; ISO 15693 is the vicinity-card standard used in library tags, ski passes, and industrial asset tags. The Proxmark3 can enumerate and read both and in some cases write to them, subject to what the card exposes (an ePassport, for instance, only releases its data groups after the reader proves knowledge of the printed MRZ).
EMV (Payment Cards)
The Proxmark3 can read the publicly accessible EMV application data from contactless payment cards: the card number, the expiry date, and on some cards a transaction log, all without authentication. This is useful for demonstrating information leakage risk in client assessments.
Getting Started: Iceman Firmware
The Iceman firmware is what makes the modern Proxmark3 as powerful as it is. Once the ARM cross-compiler and client dependencies listed in the repository's installation notes are in place, installation is straightforward:
```bash
# Clone the Iceman repo
git clone https://github.com/RfidResearchGroup/proxmark3.git
cd proxmark3

# Build for the RDV4 (PM3RDV4 is the default platform; setting it explicitly avoids surprises)
make clean && make -j4 PLATFORM=PM3RDV4

# Flash the bootloader and full image to the connected device (Linux)
./pm3-flash-all

# Launch the client
./pm3
```
Essential Commands
```
# Detect card type: HF first, then LF
hf search
lf search

# Identify an HF card (UID, ATQA/SAK) and, for MIFARE Classic, whether its PRNG is weak or hardened
hf 14a info

# Run automated MIFARE Classic key recovery and dump the card
hf mf autopwn

# Read an HID Prox card
lf hid reader

# Clone an HID card to a T5577 (raw value as printed by lf hid reader)
lf hid clone -r <raw_data>

# Simulate an HID card
lf hid sim -r <raw_data>
```
Field Operations: Bluetooth + Battery
For actual physical penetration testing, the RDV4's Bluetooth option (the Blue Shark add-on) is invaluable. Connect to your smartphone or laptop wirelessly, conceal the Proxmark3 in a bag or jacket, and read cards without a USB cable tethering you to a laptop.
Combined with the add-on's LiPo battery, you can run the Proxmark3 for hours in the field without any external connection. Some testers integrate it into custom enclosures or cases for extended covert operations. Read range remains the limiting factor: the stock antennas work at a few centimetres, so covert reading still means getting the device close to the badge.
Legal and Ethical Considerations
RFID cloning and access control bypass are powerful techniques that require explicit written authorization. Physical penetration testing without a signed statement of work and rules of engagement is not testing; it is trespassing and fraud. The Proxmark3 is a professional tool. Use it professionally.
In authorized engagements, findings like "all HID Prox access cards are cloneable within 3 inches using commercial tools" are exactly the kind of concrete, demonstrable vulnerability that drives remediation. A client migrating to HID iClass SE or MIFARE DESFire credentials on the strength of your findings, with the readers configured to stop accepting the legacy formats, is a successful engagement.
Conclusion
The Proxmark3 RDV4 is not a toy — it's a precision research instrument for a field where precision matters. If physical security is any part of your assessment scope, this is the tool. Its combination of dual-frequency support, Iceman firmware capability, and field-ready hardware puts it in a category by itself.
For authorized security professionals and researchers only. Always obtain written permission before any RFID security testing.