What is badge cloning?
Badge cloning is the unauthorized duplication of an RFID access credential using a reader held within close range of the original card or fob.
Key takeaways
- Most mid-market manufacturers in 2026 are running badge technologies that can be cloned at conversational distance with off-the-shelf hardware.
- The vulnerable technologies (HID Prox, MIFARE Classic, EM4100) were industry-standard for decades; their installations are still everywhere.
- Cloning is fast, silent, and requires no contact with the card. An operator stands near the target for less than a second.
- Migration to authenticated badge technology (DESFire EV2/EV3, iCLASS SEOS, HID Mobile Access) closes the attack, but is rarely budgeted as a security priority.
- Evidence of vulnerability is straightforward to gather in a physical engagement; it is one of the most concrete findings to put in front of an executive who has not seen physical security data before.
How does badge cloning work, technically?
The mechanism depends on the badge technology in use.
Low-frequency (125 kHz) cards: HID Prox, EM4100, similar. These cards transmit a fixed identifier when energized by a reader's field. There is no authentication, no challenge-response, no cryptography. A handheld reader (commodity hardware, $30 to $300) reads the identifier when held within several centimeters of the card. A blank card is then written with the same identifier, producing a working clone. The cloned card is indistinguishable from the original to the building's reader.
High-frequency (13.56 MHz) cards: MIFARE Classic. MIFARE Classic uses a proprietary stream cipher (CRYPTO-1) that was broken academically in 2008 and is exploitable in seconds to minutes with widely available tooling. Despite the public weakness, MIFARE Classic remains deployed widely because of installed-base inertia. Cloning hardware ranges from purpose-built devices (Proxmark3, Chameleon Mini, Flipper Zero) to custom builds; none of it is exotic.
High-frequency cards with strong authentication: MIFARE DESFire EV2/EV3, iCLASS SEOS. These use AES or 3DES with mutual authentication, so the card never transmits a fixed secret that a passive reader could capture. Cloning at the protocol level is not practical with currently public techniques. Attacks against these systems shift to other approaches: stolen cards, social engineering of badge issuance, or attacks against the back-end access control system.
Mobile credentials. Credentials issued through HID Mobile Access, Apple Wallet, or Google Wallet use authenticated BLE or NFC protocols. The credential is bound to the device, can be remotely revoked, and is not readable without device interaction. This is the strongest current state of practice.
The operator selects the attack based on which technology is in use. Reconnaissance happens first: a quick view of a badge during a public interaction usually tells the operator whether the card is Prox, MIFARE, or something else.
Which badge technologies are vulnerable and which are not
A practical reference for mid-market manufacturer environments:
| Technology | Frequency | Vulnerable? | Notes |
|---|---|---|---|
| EM4100 / EM4102 | 125 kHz | Yes | Generic, no auth. Common in early access systems. |
| HID Prox / Prox II | 125 kHz | Yes | Industry standard for two decades. Still common. |
| Indala | 125 kHz | Yes | Older HID-family Prox variant. |
| MIFARE Classic 1K/4K | 13.56 MHz | Yes | Broken since 2008. Widely deployed. |
| MIFARE Plus (Security Level 1) | 13.56 MHz | Yes | Same as MIFARE Classic in compatibility mode. |
| MIFARE DESFire EV1 | 13.56 MHz | Marginal | Some attacks exist; better than Classic but dated. |
| MIFARE DESFire EV2/EV3 | 13.56 MHz | No | AES with mutual auth. Current good practice. |
| HID iCLASS Standard | 13.56 MHz | Yes | Older variant. Vulnerable. |
| HID iCLASS SE / SEOS | 13.56 MHz | No | Current HID secure option. |
| HID Signo (mobile) | 13.56 MHz / BLE | No | Modern mobile credential. |
| Apple/Google Wallet credentials | 13.56 MHz / BLE | No | Device-bound. |
A facility running primarily Prox or MIFARE Classic should treat all employee badges as effectively cloneable. The remediation is migration, not training.
Why most manufacturing facilities still run cloneable badge systems
Three reasons drive the installed-base inertia:
- Cost and disruption. Migrating a facility from Prox to DESFire EV3 involves new readers at every entry, new badge stock for every employee, programming for the new access control records, and disruption to the daily flow during the transition. For a 200-employee facility, the project is six-figure and quarter-long.
- No driving incident. Mid-market manufacturers rarely have a documented badge-cloning incident in their own history. The risk is abstract until a physical engagement makes it concrete. Without the engagement, the upgrade is competing against more visible spend.
- Compliance does not require it. NIST CSF 2.0, CMMC 2.0, and most insurance underwriting do not specifically require authenticated badge technology. Compliance pressure does not move the budget.
The combination produces facilities where every other element of the security stack has been refreshed in the last five years (EDR replaced, MFA enabled, SIEM modernized) and the badge technology is still 2008-era. Attackers know this distribution and target physical entry accordingly.
Examples of badge-cloning attacks in physical pen tests
Patterns from ARG physical engagements:
- Conversational distance cloning during public lunch. A pretexted operator sits in a public restaurant near a manufacturing facility's regular lunch spot. Engineers sit at adjacent tables with badges clipped to belts or in front pockets. A concealed reader captures Prox credentials over the lunch period. Several working clones produced from a single visit.
- Cloning during trade-show or industry-event badge contact. Conference and trade-show settings put employee badges in close proximity to strangers regularly. A pretexted attendee with a concealed reader collects credentials during normal show interactions.
- Smoking-area or break-area cloning. Outdoor areas where employees gather are ideal cloning environments: badges visible, attention elsewhere, conversational distance routine.
- Pretext interaction at the gate or reception. A pretexted vendor approaches the reception desk with a clipboard and questions. During the interaction, the operator stands at conversational distance with a reader running. The receptionist's own badge or a visiting employee's is captured.
- Drop-off and pickup interactions. Delivery and pickup zones produce sustained close-distance contact between delivery drivers and badged staff. A pretexted driver with a hidden reader produces working clones from a single delivery cycle.
Each cloning event is silent. The target has no signal that the credential was captured. Detection happens only when the cloned credential is used in an unexpected pattern (off-hours entry, unusual gate, two simultaneous reads on the same badge), if the access control system is configured to surface those anomalies.
How to identify whether your badge system is at risk
Three checks any organization can run without specialist tooling.
1. Look at the card. HID Prox cards are usually marked with a generic logo, often with a numeric identifier visible. MIFARE Classic cards may have a 4-byte UID printed. Mobile credentials display in a wallet app on the user's phone. A facility manager who does not know which technology is in use is at risk by default.
2. Look at the reader. HID and MIFARE readers carry model numbers and capability indicators. A facility using readers from the early 2010s and earlier is almost certainly running cloneable cards. Modern readers (HID Signo, MIFARE DESFire readers) carry different model numbers and often display mobile-credential capability indicators.
3. Ask the access control vendor. The vendor knows what technology is deployed and what an upgrade path looks like. A quick conversation produces an answer in days.
If the answer to any of these is "Prox" or "MIFARE Classic", the system is exploitable. The next question is migration timeline, not whether to migrate.
Best practices for migrating to authenticated, clone-resistant badge technology
A migration plan typical for a mid-market manufacturer:
- Inventory current state. Cards in circulation, reader locations, access control panels, head-end software version. The inventory is the foundation for sequencing.
- Pick the target technology. MIFARE DESFire EV3, iCLASS SEOS, or HID Mobile Access. The target should support both physical cards and mobile credentials so the long-term posture is mobile-first.
- Phase by zone, not by user. High-value zones (engineering, control rooms, server rooms, executive offices) migrate first. The visitor entrance and main employee entrance migrate next. Lower-value zones follow.
- Roll out mobile credentials in parallel. Employees with smartphones get mobile credentials; physical cards remain available for those who need them. Over time, mobile becomes the default and physical the exception.
- Decommission the legacy reader once the zone is fully migrated. Until the legacy reader is decommissioned, the legacy credentials still work and the migration is not complete.
- Track the change in the access control system. Audit logs should distinguish legacy reads from modern reads during the migration window. Anomalies (legacy reads after a zone is supposed to be migrated) surface drift.
- Pair with continuous physical simulation. During and after the migration, re-test the previously vulnerable zones to confirm cloning no longer succeeds.
The full migration usually runs six to twelve months for a single facility, depending on size and complexity.
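Detection logic for the anomalies named above (off-hours entry, the same badge read at two readers within an impossible interval, and legacy-technology reads in a zone that is supposed to be migrated), as an added example that is not ARG's tooling. The log format, zone names, working hours, travel threshold and badge ids are all constructed for illustration; real head-end exports differ by vendor.

```python
"""Flag cloned-badge indicators in an access-control event log."""
from datetime import datetime, timedelta

# Constructed sample export: one event per line, key=value fields.
SAMPLE_LOG = """\
2026-03-02T08:55:10 badge=1042 reader=MAIN-ENTRY zone=lobby tech=desfire result=granted
2026-03-02T09:01:45 badge=1042 reader=ENG-DOOR zone=engineering tech=desfire result=granted
2026-03-02T09:02:10 badge=1042 reader=DOCK-GATE zone=dock tech=prox result=granted
2026-03-02T23:40:03 badge=2077 reader=SERVER-RM zone=server_room tech=prox result=granted
2026-03-02T10:15:00 badge=3131 reader=CTRL-RM zone=control_room tech=prox result=granted
"""

MIGRATED_ZONES = {"engineering", "control_room", "server_room"}  # assumed migrated
LEGACY_TECH = {"prox", "em4100", "mifare_classic"}               # cloneable families
WORK_HOURS = (6, 20)                 # assumption: 06:00 to 20:00 is normal
MIN_TRAVEL = timedelta(minutes=2)    # assumption: no two readers are closer on foot


def parse_line(line: str) -> dict:
    """Turn '2026-... badge=1042 reader=X ...' into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.fromisoformat(ts)
    return record


def find_anomalies(log_text: str) -> list[tuple[str, str, str]]:
    """Return (anomaly_type, badge, where) tuples in chronological order."""
    records = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                     key=lambda r: r["ts"])
    findings = []
    last_seen: dict[str, dict] = {}  # badge -> most recent event
    for rec in records:
        if not WORK_HOURS[0] <= rec["ts"].hour < WORK_HOURS[1]:
            findings.append(("off_hours", rec["badge"], rec["reader"]))
        # Legacy reads in a migrated zone mean a legacy reader or credential is still live.
        if rec["zone"] in MIGRATED_ZONES and rec["tech"] in LEGACY_TECH:
            findings.append(("legacy_read_in_migrated_zone", rec["badge"], rec["reader"]))
        # Same badge at a different reader sooner than anyone could walk there:
        # the original and a copy are both in circulation.
        prev = last_seen.get(rec["badge"])
        if prev and prev["reader"] != rec["reader"] and rec["ts"] - prev["ts"] < MIN_TRAVEL:
            findings.append(("impossible_travel", rec["badge"],
                             f"{prev['reader']}->{rec['reader']}"))
        last_seen[rec["badge"]] = rec
    return findings
```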
Badge cloning FAQs
How long does it take to clone a typical employee badge?
For low-frequency 125 kHz cards (HID Prox, EM4100), a clone takes a fraction of a second at conversational distance with off-the-shelf hardware. A motivated operator can collect credentials in a public lunch setting near a manufacturing facility in an afternoon. High-frequency MIFARE Classic cards are cloned in seconds to minutes depending on the read attack used.
Does a smart-card system stop cloning?
Only if the smart-card system uses modern, authenticated technology and the readers are configured to require it. MIFARE DESFire EV2/EV3, iCLASS SEOS, and HID Signo on Mobile Access provide strong cryptographic authentication. Many facilities deployed smart cards a decade ago and run vulnerable variants today; the label "smart card" alone is not protection.
What is the difference between low-frequency and high-frequency badge tech?
Low-frequency (125 kHz) technologies like HID Prox and EM4100 transmit a fixed identifier with no authentication. They are trivially cloneable. High-frequency (13.56 MHz) technologies range from cloneable (MIFARE Classic) to strongly authenticated (DESFire EV2/EV3, iCLASS SEOS). The frequency is a hint; the underlying protocol is what determines security.
Are mobile credentials more secure than physical badges?
Generally yes. Mobile credentials issued through HID Mobile Access, Apple/Google Wallet, or equivalent use authenticated protocols, are bound to the device, and can be revoked instantly. They are also harder to clone at conversational distance because they do not transmit until activated. Mobile credentials are not invulnerable, but they raise the bar substantially over legacy Prox cards.
How ARG tests badge resilience and recommends migrations
Badge cloning is a standard component of ARG physical engagements at mid-market manufacturers. Testing is conducted by David Ashby on infrastructure ARG carries during on-site engagement weeks.
In each engagement, the operator first identifies the badge technology in use through visual inspection of cards and readers. Where authorized in the rules of engagement, the operator then makes a small set of controlled cloning attempts at appropriate distance during normal facility interactions (lunch settings near the facility, reception interactions, public-area observation). Successful clones are documented with evidence: the original credential ID, the cloned card, the read distance, and the time and place of the read.
The cloned credentials are not used to enter the facility during the engagement; the evidence package is sufficient. The proof of exploitability matters more than the actual unauthorized entry.
Findings consolidate into the engagement report alongside tailgating, pretexting, and physical security audit findings. Where badge cloning succeeded, the report includes a specific remediation plan: target technology, sequencing, vendor options, and rough budget. The plan is sized for the client's facility, not a generic prescription.
Re-testing in subsequent engagements after migration confirms that the cloning attack no longer succeeds. For founding clients still on legacy badge technology, the migration plan is included in the engagement deliverables.