Access badges audit

During an access badge audit, the objective is to verify the ability of an attacker to:

  1. Impersonate a badge
  2. Clone a badge
  3. Replay successful authentication
  4. Retrieve personal information
  5. Elevate access zone privileges

Possible scope:

  • Physical badge (wireless card)
  • Dematerialized badge (Android / iOS mobile application)

Checks

  • Signal coding
  • Static and dynamic analysis
  • Maximum badge communication distance
  • Layout of sectors and blocks
  • Header sectors and data sectors
  • Access rights on each block (protected, read-only, read-write)
  • Block protection with access password
  • Authentication protocol (password, Challenge / Response)
  • Which blocks are modified at each authentication
  • Known manufacturer (vendor) vulnerabilities
  • Analysis of stored permissions
  • Back-office software

Attack scenarios

  • Generation of a valid UID (copy of block 00 in sector 00)
  • Block password bruteforce (protected block access)
  • Card clone (copy of all blocks)
  • Revalidation of a temporary access badge (modification of a timestamp block)
  • Elevation of badge privilege (modification of a privilege block)
  • Attack on middleware (SQL injection)
  • Authentication replay (challenge / response capture)
  • Communication password theft (authentication capture)
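Added example (not part of the original checklist): a reader-side check that detects three of the scenarios above, a valid UID copied onto another card, a rewritten timestamp block and a rewritten privilege block, by binding each data block to the card UID with a keyed MAC that only the reader can compute. The 16-byte block layout and the reader key are hypothetical constructions for illustration, not any vendor's format.

```python
import hashlib
import hmac
import struct

# Constructed, hypothetical 16-byte data block layout (not a vendor format):
#   bytes 0-3   expiry as Unix time (big-endian uint32)
#   byte  4     zone privilege bitmask (bit n = zone n granted)
#   bytes 5-7   reserved (zero)
#   bytes 8-15  truncated HMAC-SHA256 over (UID || bytes 0-7)
# The reader holds READER_KEY; a card that is read-write for an attacker
# still cannot produce a fresh tag for a modified expiry or privilege byte.
READER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # demo key only


def _tag(key: bytes, uid: bytes, payload: bytes) -> bytes:
    # Including the UID in the MAC input defeats copying the block to a
    # card with a different UID (the "card clone" scenario).
    return hmac.new(key, uid + payload, hashlib.sha256).digest()[:8]


def issue_block(key: bytes, uid: bytes, expiry: int, privileges: int) -> bytes:
    """Build the data block the back-office writes at badge issuance."""
    payload = struct.pack(">IB3x", expiry, privileges)
    return payload + _tag(key, uid, payload)


def verify_block(key: bytes, uid: bytes, block: bytes, now: int, zone: int) -> bool:
    """True only if the block is authentic, unexpired and grants `zone`."""
    if len(block) != 16:
        return False
    payload, tag = block[:8], block[8:]
    if not hmac.compare_digest(tag, _tag(key, uid, payload)):
        # Timestamp or privilege block was modified, or block came from another UID.
        return False
    expiry, privileges = struct.unpack(">IB3x", payload)
    if now >= expiry:
        return False  # temporary badge has lapsed
    return bool(privileges & (1 << zone))


def rewrite_byte(block: bytes, offset: int, value: int) -> bytes:
    # Test helper modelling one byte of a read-write block being overwritten.
    b = bytearray(block)
    b[offset] = value
    return bytes(b)
```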