What’s in Larry’s RFID hacking box?

We’ve been asked a number of times for advice on RFID equipment that can be used to start experimenting with RFID technologies. We’ve heard your request loud and clear; I’m going to give you a rundown of what is in my current kit.


Start at the Beginning

The first reader that I picked up was the PhidgetRFID board.


It was inexpensive, included all the bits and pieces I needed for interfacing (USB built in) along with some sample applications and an open community. It reads uniquely numbered EN4x02 series tags quite well. This reader is read-only, and operates in the 125 kHz spectrum.

Moving On Up

Shortly thereafter I realized that I wanted to write tags. Of course I was familiar with the RFIDIOt project and I wanted a writer that would work with that particular code. I picked up an ACG reader with USB interface from Major Malfunction (the author of RFIDIOt) in order to help support the project.


It was expensive and it needed to be imported to me from the UK, but I couldn’t find an equivalent reader elsewhere that could come close to the cost. I picked up the ACG LF USB reader, which works like a champ reading and writing to all manner of tags. If I had to do it again, I’d upgrade to the ACG LAHF USB, which wasn’t available at the time. While I was there, I also picked up the ultra cheap USB Keyboard Wedge Verification LF Reader just for fun.


Unfortunately the next project that I wanted to pursue involved the reading of ISO 14443A/B tags, which wasn’t supported by my ACG reader (the upgraded model does, hence my recommendation for the upgrade). In order to support the reading of ISO 14443A/B tags, I picked up the Omnikey Cardman 5321, which also has a smart card reader.


Ooh, two hacking tools in one! I did acquire this reader much cheaper here in the US. The supplier no longer has them available but there are several that are Google-able. In typical fashion I wanted to be able to read ISO 14443A/B tags in order to read PayPass RFID tags which I found out isn’t supported by RFIDIOt…yet. A chat with Major Malfunction at Defcon revealed that he is close to being able to support the PayPass chips.

Going Standalone

I was also fortunate to be able to acquire some Parallax modules from the Defcon Wireless village RFID scavenger hunt a few years ago. Thorn put them together in a kit to build a standalone EN4X02 reader with serial LCD display.


It worked great, but I’ve got some new plans for the modules, such as integrating them with an Arduino and a few extra goodies for good measure.

The Latest Goods

A few weeks ago I picked up a VivoPay Paypass 3000 reader off of eBay for a few dollars (under $10).


It was “tested and working” and it does appear to be that way. Unfortunately I need to construct a serial adapter for it and my tools seem to be missing. I have some headed my way this afternoon, so this is an ongoing project.

The neat option with this reader is the PayPass support. It will read the card and handle all of the over-the-air encryption. The module handles all of the decryption, and hands off the clear text of the tag via serial; this is the part that would be handed to the Point of Sale System. Bonus, let’s use the intended purpose of the hardware to do the crypto for us, and interface with 3ric’s pwnpass script. Stay tuned for more goodies with this one.

[Update: During the writing of this post, I was successful in building the serial adapter and testing it with the tools from VIVOtech, as well as the pwnpass script. However, I think that this reader has an old version of firmware that cannot understand the commands issued to it. I have to call VIVOtech to get ahold of the latest firmware, which I’m told is fairly easy to do.]
You’ll note that I don’t have any inventory of active RFID equipment; all of my gear is passive. I haven’t had any experience with any active gear, and for me, the cost is more prohibitive.
Right now, that’s what I’ve got in my kit and I’ve found I can read just about any type of tag that I can encounter, from passports to physical security cards. Some are a work in progress, but they are just a matter of time. Scan away! Also, I’m more than willing to let you scan my RFID implant in person should we meet.
Larry “haxorthematrix” Pesce

Larry Pesce

A self-professed, lifelong “tinkerer and explorer,” Larry always wanted to know how things work. “I found myself getting to engage in deep dives of technology from an early age: My dad built the family television from a kit, and I helped. It caught fire. Twice. I helped fix it both times.”

The help and advice received from the infosec community throughout his career inspired him to share what he had learned to help others secure their networks and improve their craft. Part of that ongoing sharing has been as the co-founder and co-host of the international award winning Paul’s Security Weekly podcast for more than 19 years.

Larry has spent the last 15 years as a penetration tester, spending lots of time focused on Healthcare, ICS/OT, Wireless, and IoT/IIoT/Embedded Devices, but now focuses his efforts on securing the software supply chain at Finite State.
