Cloning

Security

Attack where an adversary copies the EPC and memory contents of a legitimate tag onto a blank tag to create a counterfeit.

RFID Tag Cloning

Cloning is an attack where an adversary reads the data from a legitimate RFID tag and copies it onto a blank or reprogrammed tag, creating a counterfeit that appears identical to readers. Cloning exploits the fact that basic RFID tags are essentially open-access memory devices — any reader can read their EPC, and any writer can programme a blank tag with the same value.

How Cloning Works

The simplest cloning attack requires only a standard RFID reader and a supply of writable blank tags:

  1. The attacker reads the target tag's EPC Memory (96 or 128 bits).
  2. The attacker optionally reads User Memory and TID Memory.
  3. The attacker writes the captured EPC to a blank tag's EPC memory bank.
  4. The cloned tag now responds with the same EPC as the original.

For basic EPC-only deployments, this clone is indistinguishable from the original in inventory operations. The reader reports the same EPC, and the middleware associates it with the same product record.

What Cloning Enables

Counterfeiting: A cloned tag on a counterfeit product passes basic RFID authentication checks. This is particularly dangerous in pharmaceutical supply chains where FDA DSCSA verification depends on valid RFID serial numbers.

Theft: In retail environments, an attacker could clone the tag from a low-value item onto a high-value item, allowing the expensive item to pass through checkout or EAS gates as the cheaper product.

Access fraud: In access control systems that rely on HF badges, an attacker presenting a cloned badge gains the same access rights as the legitimate badge holder.

Countermeasures

TID Memory verification: The factory-programmed TID is read-only and unique per chip. While an attacker can copy the EPC, they cannot copy the TID to a different chip. Systems that record the TID of the chip each EPC was commissioned on, and verify both EPC and TID at read time, can detect clones: the cloned tag will carry a different TID than the original.

Crypto Suite authentication: Tags implementing ISO 29167 cryptographic authentication contain secret keys that cannot be read from the tag. Even if an attacker copies all readable memory, they cannot replicate the key material. The reader's challenge-response authentication will fail on the clone.

Permalocked memory: Serialised data in permalocked memory blocks provides additional verification points. If the original tag's User Memory contains permalocked application data, a clone written to a blank tag (which has different or empty User Memory) will fail verification.
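The two detection paths above (EPC-to-TID binding and challenge-response on a key the tag never reveals), as an added example that is not part of the original glossary entry. The tag memory model, registry, and sample values are constructed, and HMAC-SHA256 is an assumed stand-in for the ISO 29167 AES-128 suite: the structure of the check, not the primitive, is what is shown.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Dict

@dataclass
class Tag:
    """Simplified Gen2 tag: EPC bank (writable), TID bank (read-only), optional secret key."""
    epc: bytes
    tid: bytes
    key: Optional[bytes] = None   # present only on crypto-suite tags; never readable

def clone_tag(victim: Tag, blank: Tag) -> Tag:
    """Model the attack: only readable memory moves; the blank chip keeps its own TID and key."""
    return Tag(epc=victim.epc, tid=blank.tid, key=blank.key)

# Backend registry: EPC -> TID of the chip it was commissioned on (constructed).
REGISTRY: Dict[bytes, bytes] = {}
# Key store for crypto-suite tags: EPC -> shared secret (constructed).
KEY_STORE: Dict[bytes, bytes] = {}

def commission(tag: Tag) -> None:
    REGISTRY[tag.epc] = tag.tid
    if tag.key is not None:
        KEY_STORE[tag.epc] = tag.key

def verify_epc_tid(tag: Tag) -> str:
    """Countermeasure 1: same EPC but a different TID than commissioned means a clone."""
    expected = REGISTRY.get(tag.epc)
    if expected is None:
        return "unknown"
    return "genuine" if hmac.compare_digest(expected, tag.tid) else "clone"

def tag_respond(tag: Tag, challenge: bytes) -> Optional[bytes]:
    """What the tag computes; a blank chip without the key cannot answer."""
    if tag.key is None:
        return None
    return hmac.new(tag.key, challenge, hashlib.sha256).digest()

def reader_authenticate(tag: Tag) -> bool:
    """Countermeasure 2: fresh random challenge, response checked against the backend key."""
    key = KEY_STORE.get(tag.epc)
    response = tag_respond(tag, secrets.token_bytes(16)) if key else None
    if key is None or response is None:
        return False
    # Recompute with the same challenge the tag saw (kept in this scope for the model).
    return hmac.compare_digest(response, tag_respond(Tag(tag.epc, tag.tid, key), _last_challenge(tag)))
```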

Risk Assessment

The vulnerability to cloning depends on the tag type and deployment architecture. Basic passive UHF tags with no authentication are trivially clonable. NXP UCODE DNA tags with AES-128 crypto suite authentication are resistant to cloning because the secret key cannot be extracted. System designers should match the anti-cloning investment to the value and risk of the tagged assets.

Frequently Asked Questions

The RFID glossary is a comprehensive reference of technical terms, acronyms, and concepts used in Radio-Frequency Identification technology. It is designed for engineers, system integrators, and project managers who work with RFID and need clear definitions of terms like EPC, backscatter, anti-collision, and ISO 18000.

Yes. RFIDFYI provides glossary definitions in 15 languages including English, Korean, Japanese, Chinese, Spanish, Portuguese, Hindi, Arabic, French, Russian, German, Turkish, Vietnamese, Indonesian, and Thai.