Powerful and Pocket-Sized NFC Emulation and Analysis
The Chameleon Mini RevG RDV2 by RFID Research Group
The Chameleon Mini may have begun its career in infosec as a breadboard hot-glued to a coffee mug wrapped in copper wire, but ever since the first official build of the device in 2013, it has become a very popular and powerful addition to the toolkit of pentesters and researchers alike. Originally developed by Kasper and Oswald (aka KAOS), the device was intended to serve as a field-capable NFC and RFID tag reader, emulator, and sniffer for analyzing the security of these systems in the wild. Thanks to the continued development of the project in the open-source community, the Chameleon Mini has seen several major improvements in both hardware design and firmware capabilities.
In 2018, RFID Research Group released the RevE Rebooted, which leveraged the hardware design of the Proxmark3 RDV4 to provide a smaller and sleeker version of the 2016 update to the project. Up until this point, the Chameleon was only available as a bare-board device that looked much more like a prototype than a field-ready device.
RRG continued development on the device and incorporated the recent Rev. G fork of the firmware, culminating in the 2019 release of the Chameleon Mini RevG RDV2, the Chameleon Tiny, and the corresponding Chameleon Android App. The device features several upgrades over the previous models, including a rechargeable lithium-ion battery and an on-board BLE module allowing for wireless connection to the client software. And because it is completely compatible with the official open-source firmware, the device will continue to grow in capability as the community further develops the project.
Covert Form-Factor
The RevG RDV2 is the most discreet and feature-rich variation of the device currently on the market – with the height and width of a typical RFID card and a depth of only a quarter inch, it is very easy to hide in a pocket or in the palm of the hand. It utilizes the same PCB and antenna housing as the Proxmark3 RDV4 (also made by RRG), making the device less conspicuous in the field. It even features a loop for attaching the device to a lanyard or key ring for quick and discreet access.
Beyond the advantages provided by its physical size and design, the ability to control the device remotely from an Android App via Bluetooth makes deployment of the device even more flexible in live engagements. By eliminating the need to physically interact with the Chameleon Mini while in use and opening up the full capabilities of the firmware through the App, a wider range of attack techniques typically reserved for the lab can now be performed covertly in the field.
Android App
The primary benefit of the RevG RDV2 by RRG is the custom Android App that allows you to control the device remotely with a few taps on your smartphone, tablet, or netbook. The application provides a simplified UI that lets the user program card data to the 8 different card slots, customize the functionality of the device buttons, and view live readings when sniffing traffic, to name just a few of its capabilities. Just as with the Proxmark3 RDV4, the firmware required for use with the Android App is a custom fork available directly from RRG in both pre-compiled and source formats. The device is, however, fully compatible with the official project firmware.
For more information on setting up and using the Chameleon Mini RevG RDV2 with the Chameleon App, check out our article or read the documentation on RRG’s GitHub page.
Scenarios/Usage
While the Proxmark3 was designed specifically for research in RFID proximity card systems, the Chameleon Mini was developed for use in NFC applications of RFID technology. There is still a substantial amount of overlap in functionality between the two devices, especially with respect to the ISO14443A RFID chips used in Mifare-type cards. In this respect the Chameleon Mini is a more versatile and easier-to-use version of the Proxmark3's standalone mode for HF RFID tags – the device is not compatible with LF cards like HID, EM4100, T5577, etc.
One of the primary distinctions between the Chameleon Mini and other RFID tools like the Proxmark3 is the ability to easily program and run pre-scripted commands from the device at the push of a button. The device also requires a much lower threshold of RFID experience to get started with compared to the PM3, allowing the user to implement attacks in the field with much less effort and setup time. This has made the Chameleon uniquely valuable in the field as a quick and stealthy way of capturing, cracking, and replaying encrypted card data in a live engagement.
The Chameleon Mini RevG RDV2 amplifies all the best qualities of the device by making it completely wireless and very easy to reconfigure on the fly during a live engagement. The simplicity of the UI makes responding to a change in strategy and implementing a variety of attack techniques as simple as pressing a few buttons on your Android device while within BLE range of the Chameleon. The range of capabilities combined with the price point also makes it an ideal starting place for newcomers to RFID research/pentesting.
This introduction only scratches the surface of the field utility the Chameleon Mini RevG RDV2 by RRG provides its user, and it should definitely be considered a must-have for any RFID researcher or red teamer's toolkit. We will continue to explore the capabilities of this device through tutorials and tradecraft, including how to set up the Chameleon Mini with the Android App and how to program the device to crack Mifare Classic cards in the field. For more information on how to set up and use the Chameleon Mini RevG RDV2, make sure to check out the rest of the articles in this series.