image image
Adam Laurie
Philippe Teuwen

Hacking RFID & NFC Under The Hood

27th to 29th April 2020 | 3 Days


Adam Laurie & Philippe Teuwen

Day 1:

  • morning: intro + setup
  • afternoon: LF

Day 2:

  • morning: LF
  • afternoon: HF

Day 3:

  • morning: HF
  • afternoon: UHF and free time for challenges


  • covers LF (125-134KHz), HF (13.56MHz) and UHF (868-915MHz) spectrum
  • covers RFID and NFC
  • covers security and privacy
  • covers reading, writing, cracking, emulating, cloning
  • covers theory and hands-on, including challenges
  • covers opensource tools and readers

Topics Covered During the Course:

  • frequencies, active/passive, physics, standards
  • tag identification
  • reader identification
  • commercial readers with opensource support, PCSC compatibility
  • debunking some myths
  • anti-collision
  • NFC, relations with RFID, implicit user consent
  • Introduction
    • Modulation schemes
    • Tag types
    • RFIDler capabilities
    • Proxmark3 capabilities
    • Reading / Writing
    • Emulation
    • Cracking
  • T5577
    • cloning
    • datasheet, possibilities...
    • eeprom tearing-off theory and practice
    • hands-on challenge
    • Reading / Writing
    • Emulation
    • Cracking
  • Hitag2
    • crypto attacks & RFIDler
    • other crypto attacks
  • Wiegand
    • Access Control back-end (Wiegand / Clock & Data)
    • several readers/formats, sniffer, replayer
    • also HF...
    • UID confusions
  • Libnfc
    • compatible devices and their limitations
    • resources
    • hands-on!
  • Proxmark3 RDV4
    • hands-on!
    • repo, compilation
    • config PM3RDV4/PM3OTHER/...
    • search files automatically
    • flashing, button, jtag
    • client mode for inline cms, scripts,...
    • modes standalone, faire son mode
    • BT
    • RPi, ESP32... (& bridges ESP wifi...)
    • USART... FPC extension... PN532
    • SPIFFS
    • antennas
  • Sniffing
    • theory and maximal distances
    • with pm3
    • with hydrabus
    • reader <> reader + tag (mitm)
    • also LF: cheap sniffing 125khz with home made circuits
  • Mifare Classic
    • Memory Organization, Access Keys and Bits, Security
    • Hacks
    • with libnfc
    • with the Proxmark3 RDV4 (auto <> hardnested <> fchk)
    • attack when sniffing
    • attack on reader only (pm3 sim & magic2)
    • Cool Chinese stuff (also ntag, df, ulc, 7b, iso15693,...)
    • use cases: nfc toys
    • hands-on challenges
  • Desfire
    • Memory Organization, Security
    • Security audit with Proxmark (probing for defaults, sniffing auth)
  • UltralightC
    • Memory Organization, Security
    • cheap RFID using 3DES crypto
    • hands-on to authenticate from bash and OpenSSL
    • hands-on challenge
  • relay attacks
    • theory, the different kinds, their possibilities and limitations
    • practical considerations
  • Payment systems
    • EMV
  • Android
    • Introduction on HCE and its threats
    • revew of useful apps
  • ePassports
    • security features
    • known hacks
    • BAC online and offline brute-force
    • Fingerprinting: error codes, timing, ATS, etc
    • MAC timing attacks
    • Early Active Authentication = traceability attack
  • UHF
    • theory of operation
    • implementation with SDR

About Trainers:

Adam Laurie

Adam is Global Security Associate Partner, IBM X-Force Red Hardware Hacking Lead.
He is a security researcher working the in the field of electronic communications who specialise in reverse engineering of secure embedded systems. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. Downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and wrote the world's first CD ripper, 'CDGRAB'. At this point, he became interested in the newly emerging concept of 'The Internet', and was involved in various early open source projects, the most well known of which is probably 'Apache-SSL', which went on to become the de-facto standard secure web server. Since the late Nineties he has focused his attention on security, and has been the author of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres housed in underground nuclear bunkers as secure hosting facilities. Adam aka "Major Malfunction" has been a senior member of staff at DEFCON since 1997 and is the POC for the London DEFCON chapter DC4420. Over the years has given presentations on forensics, magnetic stripe, EMV, InfraRed, RF, RFID, Terrestrial and Satellite TV hacking, and, of course, Magic Moonbeams. He is the author and maintainer of the open source python RFID exploration library 'RFIDIOt', which can be found at
Twitter: @rfidiot

Philippe Teuwen

Philippe Teuwen is Security Researcher at Quarkslab.
He’s one of the libnfc and Proxmark3 RDV4 maintainers and gave about 20+ workshops on RFID & NFC security and privacy issues at Troopers,, Brucon, RFIDsec, Hackito Ergo Sum, RMLL, etc. along with talks on other security topics such as Wi-Fi Protected Setup, eBanking, eVoting, reverse-engineering, Side-channel and fault injection, White-Box cryptanalysis etc.
He’s in the editorial team of the International Journal of PoC/GTFO and makes hardware-oriented CTFs.

Twitter: @doegox