Choosing the Right Frequency for RFID Keyfobs

Dec 16, 2025


In March 2024, a group of security researchers dropped a bomb on the hotel industry. Lennert Wouters from KU Leuven and Ian Carroll published what they called Unsaflok, a chain of vulnerabilities in Dormakaba Saflok locks that let them open any door in a hotel with two forged keycards. Over 3 million locks. 131 countries. 13,000 properties.

 

The kicker? Those locks had been sold since 1988.

 

WIRED covered it. So did BleepingComputer, The Hacker News, and SecurityWeek. Dormakaba scrambled to patch systems, but as of their March 2024 disclosure, only 36% of affected locks had been fixed. The rest are still out there.

 

What made the attack possible? The locks used MIFARE Classic chips running Crypto-1 encryption, a system cryptographers had been warning about for over a decade. The researchers cracked it with a Flipper Zero. Cost of equipment: a few hundred dollars.

 

This is what frequency selection actually means for access control.

 


The 125 kHz situation

 

Here is the uncomfortable part.

 

Low-frequency RFID at 125 kHz is the oldest technology still in widespread use. EM4100, TK4100, HID ProxCard: names that show up on spec sheets everywhere from apartment buildings to corporate campuses.

 

These chips do one thing: broadcast a fixed number when they get near a reader. No handshake. No challenge-response. No encryption at all.
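
The difference between a fixed-number credential and a challenge-response one, as an added Python example that is not part of the original article. It is a model, not any chip's real protocol: HMAC-SHA256 stands in for the card's cipher, and the class and function names, the 4-byte identifier and the key are hypothetical.

```python
import hashlib
import hmac
import secrets

class StaticFob:
    """Fixed-number credential: same bytes on every read, no secret inside."""
    def __init__(self, uid):
        self.uid = uid
    def respond(self, challenge):
        return self.uid  # challenge ignored: there is no handshake

class KeyedFob:
    """Challenge-response credential: the key never leaves the chip."""
    def __init__(self, uid, key):
        self.uid, self._key = uid, key
    def respond(self, challenge):
        return self.uid + hmac.new(self._key, challenge, hashlib.sha256).digest()

class Copy:
    """A copied credential: it can only repeat bytes observed earlier."""
    def __init__(self, recorded):
        self.recorded = recorded
    def respond(self, challenge):
        return self.recorded

def static_reader_admits(fob, allowed_uids):
    return fob.respond(b"") in allowed_uids

def challenge_reader_admits(fob, keys_by_uid):
    challenge = secrets.token_bytes(16)  # fresh nonce for every tap
    reply = fob.respond(challenge)
    uid, tag = reply[:4], reply[4:]
    key = keys_by_uid.get(uid)
    if key is None:
        return False  # unknown or malformed identifier
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def demo():
    uid, key = bytes.fromhex("0a1b2c3d"), secrets.token_bytes(16)  # constructed values
    static_fob, keyed_fob = StaticFob(uid), KeyedFob(uid, key)
    seen_static = static_fob.respond(b"")
    seen_keyed = keyed_fob.respond(secrets.token_bytes(16))  # one observed tap
    return {
        "static genuine": static_reader_admits(static_fob, {uid}),
        "static copy": static_reader_admits(Copy(seen_static), {uid}),
        "keyed genuine": challenge_reader_admits(keyed_fob, {uid: key}),
        "keyed copy": challenge_reader_admits(Copy(seen_keyed), {uid: key}),
    }

if __name__ == "__main__":
    print(demo())
```

Only the keyed copy is refused: the recorded reply was computed over a different nonce, so it does not verify against the reader's fresh challenge.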

 

ICT, a New Zealand access control company, posted a demonstration in 2023 showing their team clone a 125 kHz card in five seconds with a $30 device. Kisi, another security vendor, published documentation showing Flipper Zero can copy credentials through wallets and pockets in under a second. TikTok is full of videos. This is not theoretical.

 

So why does anyone still deploy 125 kHz? Mostly legacy infrastructure. A building with 500 readers and 10,000 credentials cannot rip everything out overnight. Also cost: bulk pricing on EM4100 keyfobs can hit $0.15 per unit or lower. For a gym or a storage facility where the threat model is "someone might sneak in," that math can make sense.

 

For anything with actual security requirements, it does not.

 

13.56 MHz is not automatic safety

 

The Unsaflok incident shows exactly why "upgrade to high frequency" is not a complete answer.

 

MIFARE Classic runs at 13.56 MHz under ISO 14443. It has encryption. It has authentication. And it got cracked anyway, because Crypto-1 was proprietary and weak. The researchers who broke Dormakaba's locks did not discover a new vulnerability; they exploited one the security community had known about since 2008.

August 2024 brought another hit. Quarkslab researcher Philippe Teuwen found a hardware backdoor in MIFARE Classic cards manufactured by Shanghai Fudan Microelectronics. The flaw affects FM11RF08S chips used in hotels across the US, Europe, China, and India. SecurityWeek, The Hacker News, and RFID Journal all ran the story.

The pattern here: 13.56 MHz gives you the infrastructure to do encryption properly, but the chip inside matters more than the frequency printed on the label.

 

MIFARE DESFire with AES-128 remains secure against known attacks. NTAG series chips for simpler applications. These have held up. MIFARE Classic has not.

 


Read distance and interference

 

People sometimes ask whether 13.56 MHz keyfobs work through clothing the same way 125 kHz does.

 

Short answer: yes. Both frequencies use inductive coupling at typical access control distances. Range sits around 1-10 cm for most keyfob form factors. Nearby metal objects (phones, keys, belt buckles) can detune the antenna and require a second tap. Nothing dramatic.

 

UHF at 860-960 MHz is different physics. Electromagnetic backscatter instead of inductive coupling. Read ranges of several meters. Useful for parking gates or warehouse inventory, problematic for door access where you want the credential to authenticate only when the user intends it to.

 

Regional frequency allocations also split UHF bands differently between North America and Europe, which complicates international deployments.

 

Migration without chaos

 

Dual-frequency keyfobs exist specifically for phased transitions. A single housing contains both 125 kHz and 13.56 MHz chips. Legacy readers see one, upgraded readers see the other. Credentials stay with users throughout the swap.

 

The constraint is antenna design. Both chips need to read reliably without interference. Not every keyfob factory gets this right. Verify performance before committing to volume orders.

 

The actual question

 

Frequency selection is a proxy for a different decision: how much do you care if someone copies a credential?

 

  • 125 kHz has no defense. Anyone with $30 and ten minutes of YouTube can clone a keyfob.
  • 13.56 MHz with MIFARE Classic looked secure but was not. Hotels are still dealing with the fallout.
  • 13.56 MHz with DESFire or equivalent holds up, for now.

"We are not aware of any real world attacks that use these vulnerabilities, but it is not impossible that these vulnerabilities are known, and have been used, by others." 

- The Unsaflok researchers

 

Thirty-six years of vulnerable locks. That is the cost of getting frequency and chip selection wrong.
