The Badge That Opened Every Door: How One Beep Unlocked Everything - NFC HACKING
- Samuel Valmiki

- Sep 25, 2025
- 4 min read
It Started With a Beep 🟢

It was an ordinary Tuesday morning. Jordan, a curious security researcher, walked into the building with the same plastic badge they’d used for years. The entryway beeped. A green LED flashed. The door clicked open.
This ritual was muscle memory. But that day, something shifted. A question sparked in Jordan’s mind like a flicker of static.
What if this badge isn't as secure as we think it is?
Later that evening, with a cup of coffee in one hand and a Flipper Zero in the other, Jordan set out to answer that question. What followed was a simple act of curiosity that unravelled a critical vulnerability—one that affected every door in the building.
Technology in Use: A Primer
The organisation relied on 125kHz HID Prox cards—a legacy technology still widely deployed in corporate offices, industrial sites, and government buildings.
These badges are not smart. There’s no encryption, no authentication, no cryptographic handshake. When powered by a reader’s field, they simply broadcast a fixed identity—unchanging, unprotected.
Think of it like shouting your name into a dark room every time you enter. Anyone with an ear to listen can repeat what they hear.
The system reads and accepts badge IDs based on these broadcasts. That’s it.
Phase 1: Scanning the Card
Jordan started with a simple scan of their own badge using a Flipper Zero.

Output:
H10301 145046 (26-bit HID Prox format)
Raw: 01 A5 Y2 5D 48 D0
To most, this hex code would look meaningless. But to Jordan, the structure suggested something systematic. They asked a few coworkers for permission to scan their badges, too. Just a handful of samples was enough to see the emerging pattern.
Phase 2: Mapping Card Numbers to Hex

With a growing spreadsheet of badge scans, the puzzle pieces came together. Each card's output shared a common structure:
The first three bytes (01 A5 Y2) were always the same.
The final three bytes changed in a perfectly linear fashion.
For every increase of 1 in the printed card number, the raw value increased by exactly 32 (decimal).
The relationship between card numbers and raw RFID data was fully linear and predictable.
For example:
Printed Card Number | Last 3 Bytes (Hex)
--- | ---
145044 | 5D 48 90
145045 | 5D 48 B0
145046 | 5D 48 D0
145048 | 5D 49 10
145945 | 52 01 30
The math checked out. The system was using a base hex value and incrementing it in a straightforward, deterministic manner.
Phase 3: Cracking the Algorithm
Jordan translated this behaviour into Python. The logic was embarrassingly simple:
PREFIX = "01A5Y2"   # fixed first three bytes exactly as printed above ("Y2" is redacted in the post)
REF_CARD, REF_TAIL = 145046, 0x5D48D0   # reference scan: card 145046 -> last three bytes 5D 48 D0

def predict_hex(card_number, base_card=REF_CARD, base_hex=REF_TAIL):
    offset = (card_number - base_card) * 32          # +1 in card number = +32 in the raw value
    full_code = base_hex + offset
    return PREFIX + full_code.to_bytes(3, 'big').hex().upper()

print(predict_hex(145046))  # Output: 01A5Y25D48D0
With this code, Jordan could take any hypothetical card number—seen or unseen—and generate a valid, fully functioning HID badge ID.
This wasn’t breaking encryption. There was no brute-force needed. No guessing. It was a math problem, and they had the equation.
Phase 4: Exploitation & Real-World Impact
The next morning, Jordan tested the prediction. They chose a card number of a different user—someone whose badge they had never physically seen—say, 145945.
Predicted hex with the script they had written earlier: 52 01 30.
Jordan entered the value into the Flipper Zero and walked up to a secured door.
Beep. Green light 🟢. The DOOR OPENED.
The reader accepted the emulated badge as genuine. Because in every technical sense, it was genuine.
This meant:
Anyone with access to a single badge could generate others.
Role-based access control was nullified.
High-privilege areas could be silently accessed.
Badge history and logging would show the wrong person.
All from a system still deployed across thousands of buildings worldwide.
Why This Happens: Legacy Assumptions
The HID Prox system was designed in a different era—one without widespread hardware hacking tools, smartphones with NFC capabilities, or affordable RFID sniffers.
It was built on obscurity, not security. The assumption was that no one could or would bother reverse-engineering the system.
But those days are long gone. Devices like the Flipper Zero, Proxmark3, and smartphone-based emulators have made RFID cloning not only possible but easy and accessible.
The real issue here isn’t a bug or a misconfiguration. It’s the intentional lack of security in the system’s core design.
Recommendations: What Needs to Change
The solution isn’t to patch or tweak the HID Prox system - it’s to retire it entirely.
Here’s what should happen immediately:
1. Replace Legacy Badges - Move away from HID Prox. Migrate to secure technologies like:
HID iCLASS SE/SEOS
MIFARE DESFire EV2/EV3
Mobile credentials with mutual authentication and MFA
2. Log and Monitor Access - Implement logging systems that track badge use, anomalies, and impossible travel patterns (e.g., badge used in two locations at once).
3. Add Defense-in-Depth - Use two-factor access for sensitive areas: PIN + badge, or biometric + badge. Badges should never be the only gatekeeper.
4. Audit and Randomise Issuance - Ensure badge numbers are not issued sequentially. Add randomisation and entropy to prevent predictable encoding.
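As an added example of the monitoring in point 2 (this is not the post's own code), the Python below reads a badge access log and flags any badge seen at two different sites closer in time than a plausible travel window. The log lines, reader names and travel times are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample access log (not from the post): timestamp, badge id, reader.
SAMPLE_LOG = """\
2025-09-23T08:02:11 145046 HQ-Lobby
2025-09-23T08:05:40 145046 HQ-ServerRoom
2025-09-23T08:09:03 145046 Plant-B-Gate
2025-09-23T09:15:00 145045 HQ-Lobby
2025-09-23T09:16:30 145045 HQ-Lab
2025-09-23T12:40:12 145048 Plant-B-Gate
"""

# Minimum plausible travel time between two distinct sites (assumed values).
MIN_TRAVEL = {
    ("HQ", "Plant-B"): timedelta(minutes=45),
}

def site_of(reader):
    # Readers are named "<site>-<door>"; the site is everything before the last "-".
    return reader.rsplit("-", 1)[0]

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, badge, reader = line.split()
        events.append((datetime.fromisoformat(ts), badge, reader))
    return sorted(events)  # chronological order

def impossible_travel(events):
    """Return (badge, earlier_reader, later_reader, gap) for consecutive events
    on the same badge at different sites that are closer in time than MIN_TRAVEL."""
    last_seen = {}
    alerts = []
    for ts, badge, reader in events:
        if badge in last_seen:
            prev_ts, prev_reader = last_seen[badge]
            a, b = site_of(prev_reader), site_of(reader)
            if a != b:
                limit = MIN_TRAVEL.get((a, b)) or MIN_TRAVEL.get((b, a))
                if limit and ts - prev_ts < limit:
                    alerts.append((badge, prev_reader, reader, ts - prev_ts))
        last_seen[badge] = (ts, reader)
    return alerts

def scan_sample():
    return impossible_travel(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for badge, prev, nxt, gap in scan_sample():
        print(f"ALERT badge {badge}: {prev} -> {nxt} in {gap}")
```

In the sample log, badge 145046 appears at HQ and then at Plant-B three minutes later, which is the kind of event a cloned or predicted credential produces while the legitimate holder is still on site.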
Final Thoughts
Jordan didn’t need a zero-day exploit or elite hacking skills. All it took was curiosity, a handful of data points, and a $150 tool available online.
This wasn’t an advanced persistent threat. It was a design flaw that went unnoticed for decades.
If your organisation still uses HID Prox cards, don’t ask if you’re vulnerable.
Assume you are.
Because the next time someone walks through your door with a valid beep and a green light, you may never know they weren’t supposed to be there.
And this isn’t a tale from the past. This was a real Red Team assessment I conducted in 2025 against a reputed multinational corporation—not a relic from 2015.
Meet you in the next one...