RFID Hacking in the Field – A Comparison of the Proxmark3 RDV4 and the ProxmarkPro – Part 1 of 3

Featured Image

The past few years have seen somewhat of a renaissance in RFID research, with major developments in both hardware capabilities and attack techniques creating a surge in interest among information security professions all over the world. Since 2018, the Proxmark3 RDV4 from RRG has represented the gold standard for RFID researchers and red teamers alike with its incredibly small form factor, interchangeable modular antennas, and the integration of Iceman’s cutting-edge firmware fork.

In the second half of 2019, two new iterations of the PM3 hit the market in an attempt to bring greater standalone functionality and field utility to the fairly wide array of hardware options currently on the market. One of these is the Blue Shark BLE and Battery module for the Proxmark3 RDV4 from RRG, making your PM3 totally wireless. This hardware improvement coincided with their release of an Android app that allows you to remotely connect and interact with the device using a full version of the client terminal.

The second device to hit the market was the ProxmarkPro by Rysc Corp, which features a smaller form factor than other PM3 RDV2/3 types on the market, interchangeable antennas, an internal power supply, built-in character LCD display, and four-button navigation pad. This device is basically the same as Rysc Corp’s previous Proxmark Pro released after a crowd-funding campaign in 2016, with the addition of the plastic housing and an internal power supply. As stated by Rysc Corp, the product is intended to be used in the field or at the desk without a client connection or setup. It is marketed as being designed to meet the requirements of red teamers and security research professionals and is specifically not designed to be used as a development tool.

Considering the comparatively esoteric nature of RFID security technology, the ProxmarkPro seems to be positioning itself as more accessible and easier to use than other PM3s on the market. Utilizing the ProxmarkPro’s unchained mode, the user can sniff, read, write, and emulate proximity cards with a few button pushes and very minimal training. For professionals in the field, the promise of this convenience and functionality could make for a very powerful addition to any tool kit.

With more and more people in the community picking up interest in RFID technology and limited entry-level resources available to users getting started with the PM3, it may prove difficult to make an informed choice on what hardware variant to start with. With that in mind, we decided to pick up both the RDV4 and the ProxmarkPro and put them head-to-head in a series of test scenarios to identify the extent of each device’s capabilities in both the field and the lab.

Over the next three articles, we will test the functionality of these two devices through three primary lenses: out of the box performance; field utility; and lab utility. In each of these levels of analysis, we will share all of the data that we collected and impressions of our experience using the device, summarizing the relative performance in each category before making a final analysis weighing all of the factors together.

Disclaimer/Conflict of Interest

It should be noted that the we, the conductors of this research and writers of this article, are affiliated with RFID Research Group (RRG) as exclusive distributors of the Proxmark3 RDV4 in North America and that Rysc Corp (RC) is a direct competitor in the info sec device retail market. That said, the aim of this article is to provide an objective analysis of the above-mentioned device’s capabilities based on accurate measurement, thoughtful consideration, and above all, an honest representation of the facts and data collected herein. It is our hope that the information presented in this article will help those in our community interested in RFID technology make a more informed choice when purchasing their Proxmark3, no matter what device they choose or who they purchase that device from.

Device Load-Outs

Both the Proxmark3 RDV4 and the ProxmarkPro feature interchangeable antennas allowing for extended range in LF and HF applications. Unless otherwise specified, the device configuration for each of the products we are testing will be as follows:

Proxmark3 RDV4.01 from RRG with the included hybrid LF/HF antenna and the RRG Blue Shark module, which is sold separately. The total price excluding tax and shipping for this load-out was $400 US – $310 for the device itself and another $90 for the Blue Shark module.

ProxmarkPro from Rysc Corps with the ProxmarkPro Hybrid LF/HF antenna, which is sold separately. The total price excluding tax and shipping for this load-out was $450 US – with the device itself priced at $400 and the hybrid LF/HF antenna at an additional $50.

Each of these devices and their accessories were purchased directly from Hacker Warehouse and Rysc Corp respectively in late 2019 and this research was conducted over December 2019 and January of 2020 in a home RFID research lab. Use of any other device accessories and research materials used will be noted where necessary and relevant.

Out-of-the-Box Performance

One of the biggest selling points of the ProxmarkPro is the device’s ability to be put to immediate use with no setup or interaction with a client. From a field-ready perspective, the four primary factors we will investigate include form factor, hardware setup, firmware/client setup, and standalone functionality. These factors are largely qualitative in nature, but they represent some of the core aspects of quick, reliable, and covert functionality integral to use in live engagements.

Benchmarks

Both the Proxmark3 RDV4 and the ProxmarkPro cite the small and discreet form factor of the device as being one of it’s primary advantages in the field, especially when compared to the RDV2 and 3. Below is breakout of the physical dimensions of the devices with our load-outs:

ProxmarkPro vs Proxmark3 RDV4 Size Comparison

Proxmark3 RDV4
Width: 2 1/16th inches (53 mm)
Length: 3 9/16ths inches (91 mm)
Height: 5/8th inch (15 mm)
Weight: 2 ounces (55 g)

Proxmark3 RDV4 Form Factor

The RDV4 is the smallest PM3 currently on the market. Roughly the size of a standard RFID card, it is slim enough to slip into a pocket without adding substantial bulk. The whole device easily fits into the palm of the hand and can be worn discretely along with other tags or ID badges, minimizing risk of visual contact with the device while in use.

 

ProxmarkPro
Width: 2 7/16th inches (53 mm)
Length: 7 1/16ths inches (178 mm)
Height: 11/16th inch (17 mm)
Weight: 3.4 ounces (96 g)

ProxmarkPro Form Factor

The ProxmarkPro shares many of the same advantages as the RDV4 when it comes to portability/pocketability – the device itself is only a fraction of an inch larger in any dimension. However the external mounting of the antenna effectively doubles the length of the ProxmarkPro when in use, making it less discrete when handling and interacting with the device. Antennas aside, it is still considerably smaller than many other PM3 variants on the market.

Back to Benchmarks

Both the Proxmark3 RDV4 and the ProxmarkPro come in a fully-assembled and ready to use state, however our load-out required one additional piece of hardware for each device that were sold separately. Each one comes as a part of a kit that include various accessories for use with the device.

PM3 RDV4

The Proxmark3 RDV4 comes with an included and pre-installed hybrid LF/HF antenna, a SIM/SAM card reader adapter, a USB cable, a prying tools and screwdriver for taking the device appart, and 2 blank RFID cards – one T5577 LF Proxcard, and one MiFare Gen1A 1K S50 with changeable UID. 

For the RDV4, we have installed the Blue Shark module, adding bluetooth connectivity and an internal power supply to the device. This required approximately 2 minutes of installation, as we had to remove the antenna housing, separate the two halves of the PCB casing, and then connect the module to the primary board via ribbon cable before snapping the housing back together. (A full video of this procedure in our PM3 RDV4 Guide to Hardware and Accessories.)

ProxPro

The ProxmarkPro comes with a branded soft, buckled case to tote the device and its accessories, one HF antenna, one LF antenna, one micro SD card and SD card slot adapter, one USB cable, and a set of 6 blank proximity cards – one HID II card, one each of Mifare Ultralight, 1K and 4K, one T5577 card, and an EM4100 card.

Installing the ProxmarkPro Hybrid LF/HF antenna we purchased for this device only required plugging it in to the built-in USB connection. The setup time for this device with any combination of antenna is virtually non-existent.

Back to Benchmarks
PM3 RDV4

The Proxmark3 RDV4 does come with the most current firmware as of the time of manufacturing and can technically run standalone mode right out of the box. However, in order to use the Blue Shark module included in our load-out, flashing a slightly different fork of the firmware was required, which took approximately twenty minutes from start to finish. We have a full walk-through of this procedure for Linux in another article, located in our Proxmark3 Knowledge Base. Flashing the firmware can also be done on a Mac or Windows, with documentation for this widely available.

The scope of the setup process to get your device running does require some knowledge in computing that may seem daunting to those not familiar with Linux or similar command terminal interfaces. However, the time invested in setup is more than justified by the functionality it unlocks. No other variation of the PM3 on the market can run the full client wirelessly from your mobile device. Those with any experience using this device in the lab can now be an unstoppable force in the wild.

ProxPro

The ProxmarkPro is explicitly designed for use without a terminal client and therefor, does not require any firmware flashing or client installation to use. In fact, attempting to flash any other firmware to the device other than that provided by Rysc Corp is not recommended, as the hardware is not compatible with any open source firmware available to the community. As of the time of writing this article, this firmware is only available pre-compiled and there is no real documentation or support in any open-source forum.

The impact of this firmware choice will be further explored in a later article, however it is a crucial component to the easy-to-use and out-of-box utility of this tool. Providing the simplified UI in lieu of the traditional client command system eliminates the steep learning curve associated with the Proxmark3 and requisite knowledge of firmware compiling and flashing that can be extremely intimidating to new users. Only a basic understanding of RFID proximity cards is required to access the full functionality of the device.

Back to Benchmarks

From the very start, most Proxmark hardware and firmware setups have included a standalone mode that allows the device to perform certain combinations of commands without a connection to the client at the push of a button. There are various configurations of standalone mode available in the community, and different versions can be easily compiled and flashed to the device in advance of a security engagement. The RDV4 is no different in this respect, and by default comes pre-loaded with a standalone mode that will read and emulate LF tags with the push of a button.

PM3 RDV4

There are currently ten different standalone modes available through RRG’s Proxmark repository providing a wide variety of attack options accessed by the single button located on the RDV4 itself. Using a combination of long and sort presses of this button allows you to engage the functionality of these modes, utilizing the four read LEDs on the device to indicate the status of these functions. Although the set up time and practice required to effectively implement each of these modes is not insignificant, the customization of the tool for unique scenarios provides increased utility in the field.

Below is a breakdown of standalone modes currently available for use with the RDV4, including LF-ICERUN, which provides a template from which the user can write their own standalone functionality:

Proxmark3 RDV4 Standalone Mode Chart

All of these standalone functionalities can be easily added to your firmware’s file structure, re-compiled, and flashed to device in preparation for a specific application. From there, accessing the standalone mode only requires a single button on the device, with its four LEDs indicating the function’s status. Below is an example of how LF_ICEHID is used with the RDV4 in standalone mode:

Proxmark3 RDV4 Low Frequency Standalone Mode LED Operations

The RDV4 combined with the Blue Shark module essentially renders standalone mode obsolete in that this functionality was originally designed as a work-around for using the device without being connected to a computer in spite of on-board hardware restrictions. The full client terminal provided wireless via the Android App and the programmable “Easy Button” functionality it offers far surpasses the capabilities and flexibility of the device on its own. Anything you would normally use the PM3 for in the lab, can now be accomplished discreetly in the field without even needing to touch the device. A full breakout of the client functionality will be explored in the third article of this series.

ProxPro

The ProxmarkPro responds to the limitations of standalone mode by replacing it with a simplified version of the client via the character LCD screen and navigation buttons. This is referred to as Unchained Mode and is unique to the ProxmarkPro. Although this requires you to manipulate the device while being able to read the screen, it allows for accessing all of the device’s functions and running the commands with the push of a few buttons.

ProxmarkPro Character LCD User Interface

With no training specific to the device, it is very easy to access LF and HF functions, which include reading/writing/simulating HID and EM4100 tags, sniffing ISO14A, and reading/simulating Mifare Ultralight. These functions are available through standalone mode in other PM3, but not simultaneously in the same firmware build. Furthermore, the micro SD card allows the device to save and load an almost limitless number of tags for use with these functions. This feature set provides much greater flexibility, but sacrifices the ability to load any of the custom standalone modes available in the community. Below is a full breakout of the ProxmarkPro’s unchained mode:

ProxmarkPro Unchained Mode Menu and Functionality Chart

Note that all three of the card-side attack commands are accessible within just a little scrolling through the UI, 2 or 3 levels deep at most and the labeling is very intuitive. The single reader-side attack provided in unchained mode does require manual configuration through a series of sub-menus that are going to be difficult to decypher without some existing knowledge in RFID technology. This is the only aspect in which the ProxmarkPro does not provide an edge in usability over the RDV4, which can run the same attack through a few button pushes in standalone mode, or single line of command sent wirelessly from the Android App. You would of course still need to have at the least the same level of knowledge to set up the attack.

Back to Benchmarks

Analysis

From the perspective of raw, out-of-the box performance, the ProxmarkPro definitely provides a field-ready device that can read and emulate certain types of RFID cards. The range of card types is small compared to the dozens of protocols used in the wild, but they do represent some of the more common off-the-shelf systems used in commercial settings. Although the visible antenna and the retro look of the housing make the device a bit of an eye sore, the small size and easy-to-use UI does provide a good deal of utility with minimal training or specialized knowledge. When comparing this device to many of the PM3s on the market, it’s only real drawback is in the lack of ability to program custom standalone functionality into the device for specific target applications.

The Proxmark3 RDV4 on the other hand, does require a minimum of 20 minutes in set up time and a substantial amount of research and practice with device before you will be ready for the field. The RDV4 was not designed with the beginner in mind. Instead, you will have to explore the forums, dive into the help files, and learn how to input commands manually via the command line – but in the process you will discover attack techniques and workflows that grant you access to decryption, brute force, and other attack techniques completely unsupported by the ProxmarkPro.

What it lacks in a friendly user interface, it more than makes up for in performance capabilities – the ability to interact with the device over bluetooth via an app makes the entire world your personal RFID lab while the device secretly sits in your pocket (or someone else’s…) and you’re just looking at your smart phone like any human. This is arguably much more inconspicuous than using the ProxmarkPro if your engagement takes place in a public location, giving you much more tactical flexibility in addition to the increased capabilities profile.

If our analysis was limited to this data alone, it would be difficult to assess the value of each of the two devices. The Proxmark3 RDV4 certainly packs more features into a smaller package, but the ProxmarkPro can be used with almost no special training or knowledge and is ready to deploy out of the box. So far, the primary difference between the two devices lies in the target user, with the ProxmarkPro optimized specifically to accommodate entry-level info sec professionals and RFID hobbyists.

With the slightly lower price point of the RDV4 and its significantly larger set of functionality, initial impressions may lean towards this option – especially for more experienced users. But the real measure of a tool is in how well it gets the job done. In the next series of tests, we will collect quantitative measures of each device’s performance with respect to the needs of red teamers and security professionals in the field.

In the next article of this three-part series, we will continue our heads-up comparison of the Proxmark3 RDV4 by RRG and the ProxmarkPro by RC by testing antenna performance with a wide-spectrum of proximity cards from the lab and the wild. We will also put the reading and cloning capabilities of each device to the test as we attempt to defeat an array of commercial and residential RFID locks. Stay tuned and until then, remember to keep it between the laws.

Leave a Reply

Your email address will not be published. Required fields are marked *

Send this to a friend