RFID Security Audit and Forensics
Testing, Penetration, and Incident Response
How to conduct RFID security audits, penetration testing on tag and reader systems, and forensic analysis of RFID-related incidents.
RFID systems present unique audit challenges: the attack surface is physically distributed across reader infrastructure, tags attached to physical objects, middleware, and backend systems. This guide covers the methodology for security auditing an RFID deployment, penetration testing techniques, and forensic investigation when an incident occurs.
Scope of an RFID Security Audit
An RFID security audit should cover all layers of the system:
| Layer | Audit Focus |
|---|---|
| Tag IC | Memory protection, password strength, crypto capability |
| Air interface | Eavesdropping exposure, replay potential |
| Reader infrastructure | Network exposure, LLRP authentication, firmware version |
| Middleware | Access controls, event log integrity, deduplication bypass |
| Backend / EPCIS | API authentication, injection, privilege escalation |
| Physical | Reader tamper protection, antenna placement vulnerabilities |
A narrow audit focusing only on the tag IC — the most common error — misses the backend vulnerabilities that are often easier to exploit and have broader impact.
Pre-Audit: Asset Discovery
Before testing begins, enumerate all RFID infrastructure:
- Reader inventory — All fixed, handheld, and embedded readers; firmware versions; network addresses
- Antenna map — Physical locations of all antennas; which areas are covered
- Tag inventory — IC families in use; memory protection status; which tags have cryptographic capabilities
- Network map — VLAN segmentation; firewall rules between RFID VLAN and corporate network; MQTT/LLRP port exposure
- Backend systems — EPCIS repositories, WMS integrations, API endpoints
Discover readers on the network with active scanning (nmap -p 5084, the LLRP default port) and with passive RF monitoring using a software-defined radio.
Penetration Testing: Tag Layer
Test 1: Eavesdropping assessment
Equipment: RTL-SDR or HackRF One; GNU Radio; sdr-rtlsdr-driver; gr-rfid GNU Radio RFID decoder.
Procedure:
1. Position a passive receive antenna at realistic attacker distances (1 m, 3 m, 10 m).
2. Capture the forward link (reader to tag) at 860–960 MHz.
3. Capture the reverse link (backscatter from the tag); this requires a more sensitive receiver.
4. Decode the captured traffic and extract EPCs and any passwords transmitted in cleartext.
Pass criteria: EPCs are decodable only within the realistic attacker distance for the deployment context (e.g., ≤ 1 m for a pharmacy counter; ≤ 10 m is acceptable for a loading dock).
Test 2: Tag cloning
Equipment: Proxmark3 (for LF/HF) or UHF RFID cloner hardware.
Procedure:
1. Read the EPC of a target tag.
2. Program the identical EPC onto a blank Gen 2 tag.
3. Present the clone to the reader infrastructure.
4. Verify whether the system accepts the clone as authentic.
Pass criteria: System detects clone via TID verification, cryptographic challenge-response, or other mechanism.
Test 3: Kill command replay
Procedure:
1. With authorised access, record the RF transaction of a kill command execution.
2. Attempt to replay the captured kill command against a different tag.
3. Verify that the kill password in user memory is not the default (00000000).
Test 4: Memory access assessment
For each tag IC type in the deployment:
- Verify the EPC bank lock status (should be locked post-commissioning)
- Verify the access password is not the factory default
- Verify the kill password is not the factory default
- Test whether user memory is locked appropriately (read-only vs. read-write)
Use the RFID Tag Selector to identify which IC families in your deployment support password locking.
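The following Python is an added example, not code from this guide, that applies the Test 4 checklist to a commissioning export and groups findings by IC family. The TagRecord fields, the sample records and the family names are assumptions about what a middleware export contains; the reserved bank can only be read with the tag's access password, so the export is taken with authorised credentials during the audit.

```python
"""Apply the Test 4 memory-protection checklist to a tag commissioning export.

Added example, not code from the guide. TagRecord fields and SAMPLE_TAGS are
assumptions about the middleware export format; adapt the loader to yours.
"""
from dataclasses import dataclass

# Gen 2 Reserved bank (bank 00): words 0-1 hold the kill password,
# words 2-3 the access password. 00000000 is the factory default for both.
DEFAULT_PASSWORD = "00000000"


@dataclass
class TagRecord:
    epc: str
    ic_family: str
    reserved_bank_hex: str         # 16 hex chars: kill password (8) + access password (8)
    epc_locked: bool               # EPC bank write-locked after commissioning
    user_locked: bool              # User bank write-locked
    user_should_be_writable: bool  # commissioning policy for this tag population


def audit_tag(tag: TagRecord) -> list[str]:
    """Return findings for one tag; an empty list means the tag passes Test 4."""
    if len(tag.reserved_bank_hex) != 16:
        return [f"{tag.epc}: reserved bank read incomplete"]
    kill_pw = tag.reserved_bank_hex[:8].upper()
    access_pw = tag.reserved_bank_hex[8:].upper()
    findings = []
    if kill_pw == DEFAULT_PASSWORD:
        findings.append(f"{tag.epc}: kill password is the factory default")
    if access_pw == DEFAULT_PASSWORD:
        findings.append(f"{tag.epc}: access password is the factory default")
    elif kill_pw == access_pw:
        findings.append(f"{tag.epc}: kill and access passwords are identical")
    if not tag.epc_locked:
        findings.append(f"{tag.epc}: EPC bank not locked post-commissioning")
    if tag.user_locked == tag.user_should_be_writable:
        # locked when policy says writable, or writable when policy says read-only
        expected = "writable" if tag.user_should_be_writable else "read-only"
        findings.append(f"{tag.epc}: user memory should be {expected}")
    return findings


def audit_population(tags) -> dict[str, list[str]]:
    """Group findings by IC family so re-commissioning can be batched per family."""
    by_family: dict[str, list[str]] = {}
    for tag in tags:
        by_family.setdefault(tag.ic_family, []).extend(audit_tag(tag))
    return by_family


# Constructed sample export: one tag still at factory defaults, one commissioned correctly.
SAMPLE_TAGS = [
    TagRecord("urn:epc:id:sgtin:0614141.107346.2017", "family-A",
              "0000000000000000", epc_locked=False, user_locked=False, user_should_be_writable=False),
    TagRecord("urn:epc:id:sgtin:0614141.107346.2018", "family-A",
              "1A2B3C4D5E6F7081", epc_locked=True, user_locked=True, user_should_be_writable=False),
]

if __name__ == "__main__":
    for family, findings in audit_population(SAMPLE_TAGS).items():
        print(family, *findings, sep="\n  ")
```

A population where a whole IC family reports default passwords usually points at a commissioning script that never wrote the reserved bank, which is a single fix rather than per-tag remediation.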
Penetration Testing: Reader Infrastructure
LLRP exposure test:
LLRP (port 5084/TCP) allows a connected client to fully control a reader: change power levels, start/stop inventories, configure antennas, and read all events. To check whether LLRP is exposed beyond the RFID VLAN, run from a host outside it:
```shell
nmap -p 5084 --open {network_range}
# Identify readers with LLRP accessible from test host
telnet {reader_ip} 5084
# A successful connection confirms unauthenticated LLRP access
```
Pass criteria: LLRP is accessible only from authorised middleware hosts within the RFID VLAN, and firewall rules enforce this.
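The same check in scriptable form, as an added example that is not part of this guide: run it from a host that should not be able to reach readers (a corporate-VLAN workstation, for instance), and any reader that answers is a finding against the pass criteria. It relies on the LLRP behaviour that a reader sends a READER_EVENT_NOTIFICATION (message type 63, protocol version 1) as soon as a client connects; the function names, the host-list policy and the sample bytes are constructed here.

```python
"""Check whether LLRP endpoints answer from the vantage point this script runs on.

Added example, not from the guide. Function names and SAMPLE_GREETING are
constructed; the header layout and message type 63 come from the LLRP spec.
"""
import socket
import struct

LLRP_PORT = 5084
READER_EVENT_NOTIFICATION = 63   # sent by the reader immediately after TCP connect


def parse_llrp_header(data: bytes):
    """Decode the 10-byte LLRP header into (version, message type, length, message id)."""
    if len(data) < 10:
        raise ValueError("short LLRP header")
    type_word, length, msg_id = struct.unpack("!HII", data[:10])
    # type_word: 3 reserved bits, 3-bit protocol version, 10-bit message type
    return (type_word >> 10) & 0x7, type_word & 0x3FF, length, msg_id


def is_llrp_greeting(data: bytes) -> bool:
    """True if the bytes look like the notification a reader sends on connect."""
    try:
        version, msg_type, length, _ = parse_llrp_header(data)
    except ValueError:
        return False
    return version == 1 and msg_type == READER_EVENT_NOTIFICATION and length >= 10


def probe_llrp(host: str, port: int = LLRP_PORT, timeout: float = 3.0) -> str:
    """Classify one host as 'blocked', 'open-not-llrp' or 'llrp-reachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            greeting = s.recv(64)
    except OSError:  # refused, filtered or timed out: the firewall rule holds
        return "blocked"
    return "llrp-reachable" if is_llrp_greeting(greeting) else "open-not-llrp"


def policy_violations(hosts, expected_blocked: bool = True) -> list[str]:
    """Hosts whose reachability contradicts the firewall policy for this vantage point."""
    return [h for h in hosts if (probe_llrp(h) == "llrp-reachable") == expected_blocked]


# Constructed sample: header of a READER_EVENT_NOTIFICATION, total length 16, message id 0.
SAMPLE_GREETING = bytes.fromhex("043f" "00000010" "00000000" "000000000000")

if __name__ == "__main__":
    import sys
    # Usage: python llrp_check.py 10.0.5.10 10.0.5.11   (reader IPs from the asset inventory)
    for host in policy_violations(sys.argv[1:]):
        print(f"FINDING: LLRP reachable from this host: {host}")
```

Running the same list with expected_blocked=False from an authorised middleware host turns the script into a positive control: readers that should answer but do not indicate a firewall rule that is too tight or a reader that is down.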
Reader web interface test:
Most commercial readers expose an HTTP/HTTPS management interface on port 80/443. Test for:
- Default credentials (admin/admin, admin/password)
- Outdated firmware with known CVEs
- Cross-site request forgery in the management interface
- Unauthenticated access to reader configuration export (may contain LLRP credentials)
Penetration Testing: Backend and EPCIS
EPCIS injection test:
Construct malformed EPC values (SQL injection payloads, XML injection for EPCIS 1.2 XML-based APIs) and submit them via the EPCIS capture interface. EPCIS 2.0 JSON-LD format reduces XML injection risk but JSON injection in string fields must still be tested.
Privilege escalation test:
- Can a read-only EPCIS query role execute capture operations?
- Can a site-level user query events from other sites?
- Are EPCIS access controls enforced server-side or client-side?
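The capture-side controls that make both the injection test and the privilege-escalation questions pass, as an added example rather than the project's own code: EPC values are validated against the SGTIN URN grammar before they touch storage, storage uses parameterised SQL, and role and site scope are decided on the server. The SGTIN structure follows the GS1 EPC Tag Data Standard, but the serial character set is narrowed to [A-Za-z0-9] as an assumed deployment policy (the standard allows more); the role model, the sqlite schema and the sample users and events are constructed for illustration.

```python
"""Server-side validation and authorisation for an EPCIS 2.0 capture/query endpoint.

Added example, not the project's code. ROLE_PERMISSIONS, the sqlite schema and
the sample users/events are constructed; the serial charset is an assumed policy.
"""
import re
import sqlite3

# urn:epc:id:sgtin:<company prefix>.<indicator + item reference>.<serial>
SGTIN_RE = re.compile(r"^urn:epc:id:sgtin:(\d{6,12})\.(\d{1,8})\.([A-Za-z0-9]{1,20})$")

# Assumed role model: which EPCIS operations each role may perform.
ROLE_PERMISSIONS = {"query": {"query"}, "capture": {"query", "capture"}}


def validate_sgtin(epc: str) -> bool:
    """Accept only well-formed SGTIN URNs; anything else never reaches storage or a query."""
    m = SGTIN_RE.match(epc)
    if not m:
        return False
    # TDS rule: company prefix plus indicator/item reference total exactly 13 digits.
    return len(m.group(1)) + len(m.group(2)) == 13


def validate_object_event(event: dict) -> list[str]:
    """Return the reasons an ObjectEvent must be rejected (empty list means accept)."""
    errors = []
    if event.get("type") != "ObjectEvent":
        errors.append("unsupported event type")
    if not isinstance(event.get("eventTime"), str):
        errors.append("eventTime missing")
    loc = event.get("bizLocation")
    if not isinstance(loc, dict) or not isinstance(loc.get("id"), str):
        errors.append("bizLocation.id missing")
    epcs = event.get("epcList")
    if not isinstance(epcs, list) or not epcs:
        errors.append("epcList missing or empty")
    else:
        errors += [f"malformed EPC: {e!r}" for e in epcs
                   if not isinstance(e, str) or not validate_sgtin(e)]
    return errors


def authorize(user: dict, action: str, site: str) -> bool:
    """Role and site scope are checked on the server; nothing the client claims is trusted."""
    allowed = ROLE_PERMISSIONS.get(user.get("role"), set())
    return action in allowed and site in user.get("sites", ())


def new_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE epc_events(epc TEXT, event_time TEXT, biz_location TEXT)")
    return db


def capture_event(db: sqlite3.Connection, user: dict, event: dict) -> dict:
    """Validate, authorise, then store with a parameterised insert (never string-built SQL)."""
    errors = validate_object_event(event)
    if errors:
        return {"accepted": False, "errors": errors}
    site = event["bizLocation"]["id"]
    if not authorize(user, "capture", site):
        return {"accepted": False, "errors": ["forbidden"]}
    db.executemany("INSERT INTO epc_events(epc, event_time, biz_location) VALUES (?, ?, ?)",
                   [(epc, event["eventTime"], site) for epc in event["epcList"]])
    db.commit()
    return {"accepted": True, "errors": []}


def query_events(db: sqlite3.Connection, user: dict, site: str) -> list:
    """Site scoping is applied in the SQL from the server's own authorisation decision."""
    if not authorize(user, "query", site):
        raise PermissionError(f"user may not query site {site}")
    return db.execute("SELECT epc, event_time FROM epc_events WHERE biz_location = ?",
                      (site,)).fetchall()


# Constructed sample data.
SITE_A = "urn:epc:id:sgln:0614141.00001.0"
SITE_B = "urn:epc:id:sgln:0614141.00002.0"
CAPTURE_USER = {"role": "capture", "sites": {SITE_A}}
READONLY_USER = {"role": "query", "sites": {SITE_A}}


def sample_event(epcs, site):
    return {"type": "ObjectEvent", "eventTime": "2024-05-01T09:00:00Z",
            "bizLocation": {"id": site}, "epcList": list(epcs)}


GOOD_EVENT = sample_event(["urn:epc:id:sgtin:0614141.107346.2017",
                           "urn:epc:id:sgtin:0614141.107346.2018"], SITE_A)
INJECTED_EVENT = sample_event(["urn:epc:id:sgtin:0614141.107346.2017' OR '1'='1"], SITE_A)
```

Under the audit, the three privilege-escalation questions map to query_events raising for a site outside the user's scope, capture_event refusing the read-only role, and both decisions living in the server code rather than in anything the client sends.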
Forensic Investigation
When an incident is suspected (counterfeit goods detected, inventory shrinkage pattern, tag death cluster):
Step 1: Preserve evidence
- Export raw reader logs (LLRP event logs if available, or middleware logs)
- Export EPCIS event store for affected EPC range and time window
- Do not clear reader buffers or reconfigure readers before capture
Step 2: Timeline reconstruction
Using EPCIS events, reconstruct the movement history of suspect EPCs:
- Which readers saw which EPCs, and when
- EPCs that appeared in impossible sequences (e.g., seen at two locations simultaneously), which is possible clone evidence
- EPCs with abnormal read-rate patterns (jamming shows as a dramatic read-rate drop at a specific reader)
Step 3: TID forensics
For tags where cloning is suspected: collect TID values of all tags currently in the affected population. TID is factory-programmed and unique per physical die. If two tags share an EPC but have different TIDs, one is a clone. If a tag has a TID that does not correspond to a known IC vendor prefix, it is likely a counterfeit tag.
Step 4: Memory forensics
Read user memory of suspect tags. Compare against commissioning records — any deviation in write timestamps, serialisation data, or locked memory indicates tampering.
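Steps 2 to 4 applied to an exported read set, as an added example that is not the guide's own tooling. Each read is a flat dict (epc, reader, timestamp, TID, user memory) that you would derive from the EPCIS export; those field names, the minimum transit time, the sample reads and the commissioning table are constructed. The TID decoding follows the Gen 2 TID bank layout (0xE2 class byte, three indicator bits, 9-bit mask designer ID, 12-bit tag model number); KNOWN_MDID is an illustrative subset that should be checked against the GS1 MDID registry before use.

```python
"""Forensic helpers for Steps 2-4 over a flat export of tag reads.

Added example, not the guide's code. Read fields, MIN_TRANSIT, SAMPLE_READS and
COMMISSIONING are constructed; KNOWN_MDID is an illustrative subset only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Gen 2 TID bank, first 32 bits: 0xE2 class id, 3 indicator bits,
# 9-bit mask designer id (MDID), 12-bit tag model number (TMN).
KNOWN_MDID = {0x001: "Impinj", 0x003: "Alien", 0x006: "NXP"}  # verify against GS1 registry
MIN_TRANSIT = timedelta(minutes=5)  # assumed minimum travel time between any two readers


def decode_tid(tid_hex: str):
    """Return (class_id, mdid, tmn) from the first four TID bytes."""
    head = int(tid_hex[:8], 16)
    return head >> 24, (head >> 12) & 0x1FF, head & 0xFFF


def impossible_sequences(reads, min_transit=MIN_TRANSIT):
    """Step 2: EPCs seen at two different readers closer in time than transit allows."""
    by_epc = defaultdict(list)
    for r in reads:
        by_epc[r["epc"]].append(r)
    suspects = set()
    for epc, rs in by_epc.items():
        rs.sort(key=lambda r: r["ts"])
        for a, b in zip(rs, rs[1:]):
            if a["reader"] != b["reader"] and b["ts"] - a["ts"] < min_transit:
                suspects.add(epc)
    return suspects


def tid_findings(reads):
    """Step 3: EPCs carried by more than one TID (clone) and TIDs with no known vendor prefix."""
    tids_per_epc = defaultdict(set)
    unknown_vendor = set()
    for r in reads:
        tids_per_epc[r["epc"]].add(r["tid"])
        class_id, mdid, _ = decode_tid(r["tid"])
        if class_id != 0xE2 or mdid not in KNOWN_MDID:
            unknown_vendor.add(r["tid"])
    cloned = {epc for epc, tids in tids_per_epc.items() if len(tids) > 1}
    return cloned, unknown_vendor


def memory_deviations(reads, commissioning):
    """Step 4: TIDs whose user memory no longer matches the commissioning record."""
    return {r["tid"] for r in reads
            if r["tid"] in commissioning and commissioning[r["tid"]] != r["user_mem"]}


def _read(epc, reader, hhmm, tid, user_mem):
    h, m = map(int, hhmm.split(":"))
    return {"epc": epc, "reader": reader, "ts": datetime(2024, 5, 1, h, m),
            "tid": tid, "user_mem": user_mem}


# Constructed sample reads: one cloned EPC, one unknown-vendor TID, one clean tag.
EPC_A = "urn:epc:id:sgtin:0614141.107346.1001"
EPC_B = "urn:epc:id:sgtin:0614141.107346.1002"
EPC_C = "urn:epc:id:sgtin:0614141.107346.1003"
SAMPLE_READS = [
    _read(EPC_A, "DOCK-1", "09:00", "E28011052000ABCD", "DEADBEEF00000000"),
    _read(EPC_A, "AISLE-3", "09:20", "E28011052000ABCD", "DEADBEEF00000001"),  # user memory changed
    _read(EPC_A, "DOCK-1", "09:21", "E2806894000012AB", "DEADBEEF00000000"),   # same EPC, second TID
    _read(EPC_B, "DOCK-1", "09:05", "E2C0000100001234", "0000000000000000"),   # MDID 0: unknown vendor
    _read(EPC_C, "DOCK-1", "09:00", "E28011052000BEEF", "0102030400000000"),
    _read(EPC_C, "AISLE-3", "09:30", "E28011052000BEEF", "0102030400000000"),
]
COMMISSIONING = {"E28011052000ABCD": "DEADBEEF00000000", "E28011052000BEEF": "0102030400000000"}


def run_forensics(reads=SAMPLE_READS, commissioning=COMMISSIONING):
    """Run Steps 2-4 and return the findings in one dict."""
    cloned, unknown = tid_findings(reads)
    return {"impossible": impossible_sequences(reads), "cloned": cloned,
            "unknown_vendor": unknown, "memory_deviations": memory_deviations(reads, commissioning)}


if __name__ == "__main__":
    for key, value in run_forensics().items():
        print(f"{key}: {sorted(value)}")
```

The three findings reinforce each other: an EPC that both appears in an impossible sequence and is carried by two TIDs is strong clone evidence, while a memory deviation on the original TID points at tampering with the genuine tag rather than a second copy.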
Reporting and Remediation
Audit findings should be reported using a standard severity matrix:
| Severity | Example | Remediation Priority |
|---|---|---|
| Critical | Default passwords on production readers | Immediate |
| High | EPC eavesdropping at > 5 m without crypto | Short-term |
| Medium | Outdated reader firmware with known CVEs | Planned |
| Low | LLRP accessible from corporate VLAN (not internet) | Acceptable with compensating controls |
See also: RFID Security Threats, Crypto-Enabled RFID Tags, RFID Privacy Guide.
Frequently Asked Questions
Our guides cover a range of experience levels. Getting Started guides introduce RFID fundamentals. Implementation guides help engineers design RFID solutions for specific industries. Advanced guides cover topics like dense reader mode, anti-collision algorithms, and EPC encoding schemes.
Most getting-started guides require only a basic UHF RFID reader (such as the Impinj Speedway or ThingMagic M6e) and a few sample tags. Some guides reference desktop USB readers for development. All hardware requirements are listed at the beginning of each guide.