At roughly 60% of the facilities we physically assess, the RFID badges that secure mechanical rooms, cross-connect spaces, and even data halls are 125 kHz low-frequency credentials — most commonly HID Prox. Those credentials were considered legacy when I started doing this work 15 years ago. They are trivially cloneable today.
This post is neither a vulnerability disclosure nor a hacking tutorial. It is an operational reality check for anyone who assumes their badge system is "secure" because it is badge-based.
Why 125 kHz is broken
Low-frequency 125 kHz credentials transmit a fixed facility code and card number in the clear. There is no cryptography. There is no challenge-response. A reader placed near a badge for a fraction of a second can capture the full credential.
The tools for cloning are widely available, inexpensive, and designed to be pocket-sized. A 40-dollar device sold on any major online marketplace reads and writes 125 kHz credentials. The skill floor is roughly "can you press a button?"
What this means in practice
During physical assessments, the following scenarios are common:
- Reading a staff member's badge through clothing or a thin backpack, from tailgating distance, in a lobby or parking garage
- Writing the captured credential to a blank card and using it to open the same doors as the original
- Keeping the cloned card active indefinitely, because nobody knows the clone exists
This has been true for years. The only thing that changes annually is the price of the equipment, which keeps falling.
What secure looks like
13.56 MHz high-frequency credentials that support cryptographic challenge-response — specifically, DESFire EV2 or EV3 with diversified keys — raise the cost of cloning by many orders of magnitude. A DESFire credential with diversified keys cannot be cloned by reading it: each card holds its own key, derived from a site-specific master key, and proves possession of that key by answering a fresh challenge on every transaction, so nothing captured from one read is reusable at the door.
Important qualifier: with diversified keys. A DESFire credential deployed with the factory default key is no more secure than a Prox card. We have seen this. Make sure your integrator used a site-specific key, and make sure you know how that key is protected.
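To make the contrast between the "Why 125 kHz is broken" and "What secure looks like" sections concrete, here is an added illustrative model (not code from this post, from HID, or from NXP) of a static Prox-style membership check beside a challenge-response check with per-card diversified keys. The HMAC-based key derivation, the sample facility code/card number and the card UIDs are constructed stand-ins for the idea, not the real DESFire key-diversification or authentication protocol.

```python
import hmac
import hashlib
import secrets

# --- Model A: 125 kHz (Prox-style) static credential ---
# The card sends a fixed facility code / card number in the clear; the reader
# only checks membership in its list. Constructed sample values.
AUTHORISED_PROX = {(42, 1001), (42, 1002)}

def prox_reader_accepts(facility_code: int, card_number: int) -> bool:
    return (facility_code, card_number) in AUTHORISED_PROX

# --- Model B: challenge-response with per-card diversified keys ---
# Illustrative HMAC model of the principle only, not the real DESFire protocol.
def diversify(master_key: bytes, card_uid: bytes) -> bytes:
    """This card's key, derived from the site master key and the card's UID."""
    return hmac.new(master_key, b"card-key|" + card_uid, hashlib.sha256).digest()

def card_respond(card_key: bytes, challenge: bytes) -> bytes:
    """Card side: prove possession of the key for this specific challenge."""
    return hmac.new(card_key, challenge, hashlib.sha256).digest()

def reader_authenticate(master_key: bytes, card_uid: bytes, respond) -> bool:
    """Reader side: fresh random challenge each transaction, then verify."""
    challenge = secrets.token_bytes(16)
    expected = card_respond(diversify(master_key, card_uid), challenge)
    return hmac.compare_digest(expected, respond(challenge))

def demo() -> dict:
    r = {}
    # A: the observed pair *is* the credential, so a copy opens the door.
    r["static_clone_accepted"] = prox_reader_accepts(42, 1001)

    # B: genuine card holding a key diversified from a site-specific master key.
    master_key = secrets.token_bytes(32)       # stays in the reader/controller
    uid = bytes.fromhex("04a1b2c3d4e5f6")      # constructed card UID
    card_key = diversify(master_key, uid)      # provisioned into the card
    genuine = lambda ch: card_respond(card_key, ch)
    r["genuine_accepted"] = reader_authenticate(master_key, uid, genuine)

    # An eavesdropper who recorded one full transaction and replays its
    # response fails, because the reader issued a new challenge.
    old_response = genuine(secrets.token_bytes(16))
    r["replayed_transcript_accepted"] = reader_authenticate(
        master_key, uid, lambda ch: old_response)

    # Diversification: a different card gets an unrelated key, so one card's
    # key does not stand in for the rest of the population.
    other = diversify(master_key, bytes.fromhex("04ffeeddccbbaa"))
    r["keys_per_card_distinct"] = other != card_key
    return r
```

The factory-default-key failure described above maps onto this model as every card sharing one key that is not site-specific, which removes exactly the property the last check demonstrates.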
The realistic upgrade path
Most facilities cannot rip and replace the entire access control system overnight. But most can:
- Inventory which doors are 125 kHz only, which are dual-technology, and which are already 13.56 MHz
- Prioritize upgrades starting with the highest-consequence doors — mechanical rooms, MMRs, data halls, IDF/MDF rooms
- Transition readers to dual-technology, then issue DESFire credentials with diversified keys, then decommission 125 kHz
- Implement tailgating detection or mantraps at the most critical entrances
The transition is typically a 6–12 month project at a mid-size facility. We have led it at several PNW data centers and manufacturers; the cost is modest compared to the risk it retires.
The takeaway
If your facility still has 125 kHz credentials on any door that protects operationally critical space, assume those credentials are cloneable. Prioritize the upgrade accordingly.
We include RFID credential assessment in every physical security consulting engagement. If you have not had yours independently reviewed, consider it.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.