Choosing Your RF Security Research Toolkit: Proxmark3, Flipper Zero, and HackRF Compared

Four of the more popular questions I get from readers getting into hardware security research all boil down to the same thing: which tool do I actually need? Proxmark3, Flipper Zero, HackRF, RTL-SDR — they overlap enough on paper that it’s genuinely unclear from the marketing copy which one solves your specific problem, and buying the wrong one first is a common, avoidable $200-400 mistake.

I’ve written deep-dive articles on each of these tools individually, plus the wireless-security landscape they operate in. This page is the map: a decision framework for which tool fits which job, a realistic budget for building a complete kit, the legal ground you need to understand before you touch any of it, and links out to the full technical detail on each piece.

The RF Landscape You’re Actually Working In

Before the tool question, it helps to know what frequency territory you’re in, because that’s what actually determines which device you need — not brand reputation or unboxing videos.

Low frequency (LF, 125 kHz). The oldest and least secure tier of RFID: EM4100, HID Prox, and similar protocols with no cryptographic protection at all. This is what most corporate and residential access-control badges still run. Both the Proxmark3 and Flipper Zero handle this well.

High frequency (HF, 13.56 MHz). NFC territory — Mifare Classic, DESFire, ISO 14443/15693, and modern contactless payment. Security varies enormously by chip generation: Mifare Classic is thoroughly broken, DESFire EV2/EV3 and modern EMV payment cards are not. The Proxmark3 has the deepest capability here; the Flipper Zero covers the basics.

Sub-GHz (300-928 MHz). Garage door remotes, gate systems, and a wide range of proprietary IoT and industrial protocols. Both the Flipper Zero and the HackRF work here, but for different jobs — the Flipper for quick capture-and-replay against fixed-code systems, the HackRF for actually reverse-engineering an unknown protocol.

Broad spectrum (1 MHz-6 GHz and beyond). Wi-Fi, Bluetooth, cellular, aircraft transponders, pagers, GPS — anything outside the narrow RFID bands needs a true software-defined radio. This is HackRF (or RTL-SDR for receive-only work) territory, not Proxmark3 or Flipper Zero territory.

Wi-Fi specifically sits a bit apart from the rest of this cluster — it’s RF, but the tooling (aircrack-ng, hashcat, hostapd-wpe) and attack surface (handshake capture, PMKID, rogue AP) are their own world, covered in wireless security in 2026: WPA2, WPA3, and what actually gets attacked.

Software vs. Hardware: Where the Real Learning Curve Is

A mistake I see constantly in people getting into this field: treating the hardware purchase as the hard decision and the software as an afterthought. It’s backwards. The hardware in this cluster is mature, well-documented, and largely interchangeable at the margins. The software stack is where the actual skill lives, and it’s also where most people underestimate the time investment.

For RFID/NFC (Proxmark3, Flipper Zero): the PM3 client and its Lua scripting environment is the serious tool here — repeatable attack workflows, custom protocol handlers, automated key recovery. The Flipper’s firmware ecosystem (official, Unleashed, Momentum) matters less for capability than for which frequency restrictions and safety guardrails you’re willing to live without; running custom firmware is legal on hardware you own, but it removes some of the factory guardrails around what the device will let you do.

For broad-spectrum SDR (HackRF, RTL-SDR): GNU Radio is the deep end of the pool — a full signal-processing framework where you build flowgraphs block by block. It’s genuinely difficult to learn and genuinely necessary for serious protocol reverse-engineering. Universal Radio Hacker (URH) and Inspectrum exist specifically to soften that curve for the common case of “I have an unknown signal and need to figure out its modulation and structure” — start there, not with GNU Radio, if you’re new.

For Wi-Fi specifically: the aircrack-ng suite, hashcat, and hostapd-wpe form a different, smaller toolchain — command-line utilities rather than a GUI-driven signal analysis environment, because Wi-Fi’s structure is already well-understood and standardized. The skill here is less about signal processing and more about understanding the protocol handshakes and knowing which attack (handshake capture, PMKID, rogue AP) fits which target configuration.

The Tool Comparison: Which One Do You Actually Need

Proxmark3 (RDV4) — the deepest tool for RFID/NFC research specifically. If your work is primarily about access-control cards, transit cards, or NFC protocol analysis, and you want the full attack suite (nested and hardnested Mifare Classic attacks, protocol sniffing, Lua scripting for repeatable workflows), this is the tool. It is a lab tool first — capable in the field, but its real strength is depth. See the Proxmark3 in 2026: what it can and can’t do for the full technical picture, including exactly where it stops working (EMV payment, DESFire EV2/EV3, iCLASS Seos).

Flipper Zero — the generalist and the field tool. Weaker than the Proxmark3 at any single protocol, but it covers sub-GHz, 125 kHz RFID, NFC basics, infrared, and iButton in one pocketable device. Its actual value is in fieldwork and client-facing demonstrations — showing a facilities manager that their badge system is cloneable in ten seconds is more persuasive than a slide deck. See Flipper Zero in 2026: what it can and can’t do for a clear-eyed read on what the media coverage got wrong (it does not clone modern payment cards or beat rolling-code garage systems) and what it’s genuinely good for.

HackRF One (or the 2026 HackRF Pro) — the tool for anything outside the RFID bands. If your research involves sub-GHz IoT protocol reverse engineering that needs real signal analysis (not just capture-and-replay), cellular research, or any wireless protocol from 1 MHz to 6 GHz, you need a true SDR. This is also the only tool in this list that transmits across that full range, which is both its value and its legal responsibility. See HackRF One: a practical introduction for security researchers for the software stack (GNU Radio, URH, Inspectrum) and the honest learning-curve warning that comes with it.

RTL-SDR — not covered by its own article on this site yet, but worth naming here because it’s the correct entry point for almost everyone before the HackRF. About $30, receive-only, covers 500 kHz-1.7 GHz, and lets you learn the SDR toolchain and signal-analysis fundamentals without the cost or the transmit-related legal exposure. Don’t skip this step to save time — most of the friction in learning SDR work is conceptual (understanding modulation, sample rates, filtering), not hardware-related, and the RTL-SDR teaches all of that for a fraction of the HackRF’s price.

What the RFID Skimming Panic Gets Wrong (and Right)

Before you buy any of this, it’s worth understanding what the tools in this cluster can and can’t actually do against modern cards — because the media narrative around RFID skimming has drifted well past the technical reality. RFID skimming in 2026: what’s real and what’s hype covers this directly: modern EMV contactless payment cards use dynamic transaction cryptograms that make simple replay attacks ineffective, and the “walk through a crowd cloning credit cards” scenario doesn’t match how current card generations work. Where the risk is real and underappreciated: corporate access-control badges running old LF protocols with no cryptographic protection at all — which is most facilities, and exactly the gap this whole tool cluster is built to find and demonstrate.

Building a Complete Kit: Realistic Budgets

Learning tier (~$30-50): An RTL-SDR dongle to learn the SDR toolchain, plus free software (GQRX or SDR# for exploration). This alone teaches you most of the conceptual foundation before you spend real money on anything else.

Field/demonstration tier (~$150-200): A Flipper Zero, for portable access-control assessments, client demonstrations, and quick RFID/sub-GHz reads. The right next purchase if your work is mostly facility assessments rather than protocol research.

Full lab tier (~$450-600): Proxmark3 RDV4 (~$300-400) plus HackRF One (~$300, or more for the Pro) if your work spans both RFID depth and broader-spectrum research. This is the complete toolkit — RFID/NFC covered in depth by the Proxmark3, everything else covered by the HackRF.

What you don’t need starting out: Multiple SDRs in the same frequency range, a USRP (unless you specifically need full-duplex operation or better ADC fidelity than the HackRF’s 8-bit converter provides), or the newest hardware revision the week it ships. The RDV4 and the original HackRF One remain fully capable; buy the current generation only if you’re starting from zero.

Consumables worth budgeting for separately: a stack of T5577 blank cards ($10-15 for a pack of 10) if you’re doing any LF cloning work with the Proxmark3 or Flipper — you’ll go through more than you expect during testing. A spare antenna or two for the Proxmark3 if you’re doing frequent fieldwork, since the connectors take wear. For the Flipper, a larger microSD card than the stock one is worth the $10 if you’re saving a lot of captured signals or running a custom firmware with expanded storage needs.

Which Article Do You Actually Need? A Quick Reference

Given how technical this cluster gets, here’s the fast lookup if you don’t want to read the whole page above:

“I want to test my office badge/access card”the Proxmark3 for full depth, or the Flipper Zero for a quick field demo

“Can someone actually clone my credit card by walking near me?”RFID skimming: what’s real and what’s hype

“I want to reverse-engineer an unknown IoT device’s radio signal”HackRF One, but start with an RTL-SDR first

“My home/office Wi-Fi — is it actually secure?”wireless security in 2026

“I keep hearing Flipper Zero can steal cars, is that true?”Flipper Zero: what it can and can’t do — short answer, not against modern rolling-code systems

“I’m completely new to this, where do I start?” → the RTL-SDR entry point and the first-project walkthrough above

The Legal Ground You Need to Understand First

This is not optional reading, and I’d put it before the shopping list if I thought anyone would read it in that order.

Reading and cloning cards you don’t own or have authorization to test is generally illegal regardless of how trivial the tool makes it. Testing your own access-control badge, or a client’s system under a signed engagement, is legitimate research. Reading a stranger’s badge on the train is not, even if the Proxmark3 makes it technically effortless.

Transmitting is more legally sensitive than receiving. The HackRF’s transmit capability across 1 MHz-6 GHz means you can, mechanically, transmit on licensed frequencies you have no authorization to use. In the US, this is an FCC regulatory violation, not just a terms-of-service issue — and equivalent regulations exist in essentially every jurisdiction. Passive receive-only work (an RTL-SDR, or the Flipper/HackRF used in receive mode) carries much less legal exposure than transmission.

Intercepting communications you’re not a party to — pager traffic, ACARS, GSM captures — may violate wiretapping statutes even where the signal itself is unencrypted and technically easy to receive. “It was transmitted in the clear” is not automatically a legal defense. Know your jurisdiction’s specific wiretapping law before doing passive-intercept research, not after.

GPS spoofing research — technically possible with a HackRF and the right software — carries some of the most serious legal exposure in this entire space, given the safety-critical nature of GPS and the breadth of systems that depend on it. This is authorized-research-only territory, full stop, and the authorization needs to be explicit and documented, not assumed.

None of this is legal advice — the specific statutes vary by jurisdiction and change over time. If your research is going to involve anything beyond testing equipment you personally own, get real legal guidance specific to your situation before you start, not after something goes wrong.

A First Project Worth Actually Doing

If you’ve bought the RTL-SDR and want a concrete first exercise rather than aimlessly scanning frequencies: identify and analyze your own garage door remote or a spare gate/car-fob transmitter you own. It’s a genuinely good teaching project because it forces you through the full workflow in miniature — capture the signal, visualize it (Inspectrum is the right tool here), identify whether it’s a fixed-code or rolling-code system, and understand why one is trivially replayable and the other isn’t.

This single exercise teaches you more about the practical difference between “I can receive a signal” and “I can do something useful with it” than reading about the concept ever will. It’s also completely legal and low-stakes, since you own the device and aren’t touching anyone else’s infrastructure — a good template for how to structure your own future research: pick a target you own or have explicit authorization for, and work the full pipeline end to end before moving to more ambiguous territory.

What This Cluster Doesn’t Cover

Being direct about the gaps: this page and its linked articles focus on RFID/NFC and the sub-6 GHz SDR range covered by the Proxmark3, Flipper Zero, and HackRF. A few adjacent areas that come up constantly in reader questions but aren’t covered in depth here yet:

Bluetooth and BLE security specifically — a large enough topic (GATT enumeration, BLE sniffing with dedicated hardware like the Ubertooth or Sniffle, pairing vulnerabilities) that it deserves its own treatment rather than a paragraph here.

Modern cellular (4G/5G) protocol research — genuinely specialized territory requiring tooling (srsRAN, Open5GS) and RF hardware well beyond what a HackRF alone provides, plus a much more serious regulatory environment than anything else in this cluster.

Full-duplex and high-fidelity SDR platforms (USRP and similar) — relevant once you outgrow the HackRF’s 8-bit ADC and half-duplex limitation, but a significant cost step up that most researchers in this cluster’s audience won’t need.

My Own RF Research Setup

My working kit has settled into the Proxmark3 RDV4 for anything RFID/NFC, a HackRF One (not yet upgraded to the Pro — no pressing reason to when the original still does everything I need), and a Flipper Zero that mostly lives in my bag for client-facing access-control demonstrations rather than serious lab work. That division of labor took me longer to arrive at than I’d like to admit; I originally expected the Flipper to replace the Proxmark3 for most of my RFID work, and it just doesn’t have the depth once you’re past basic LF cards.

The RTL-SDR-first advice above is something I wish someone had told me directly rather than something I figured out the slow way. I bought a HackRF before I really understood modulation schemes or sample rates, and the first few weeks were spent fighting the concepts rather than doing useful research. Going back and working through RTL-SDR fundamentals after the fact felt like a step backward at the time; in hindsight it’s the step that should have come first, and it would have saved real frustration.

The legal-framework section above isn’t theoretical for me either — I’ve turned down informal requests from friends and acquaintances to “check” a badge or a system that wasn’t mine or under a signed engagement, more than once. The tools make it trivially easy to cross a line that has real consequences on the other side, and the ease of doing something is not the same as the legality of doing it.

Common Mistakes

Buying the HackRF before the RTL-SDR. The conceptual learning curve is the expensive part, not the hardware. Learn the fundamentals on cheap hardware first.

Expecting the Flipper Zero to replace the Proxmark3. It’s a generalist field tool, not a replacement for depth. If your work is genuinely RFID/NFC-focused, you’ll hit the Flipper’s ceiling faster than the marketing implies.

Assuming modern cards work like the RFID systems from a decade ago. EMV contactless payment and DESFire EV2/EV3 are not the Mifare Classic and EM4100 systems that made RFID cloning famous. Know which generation of technology you’re actually looking at before assuming a capability exists.

Treating “I can receive it” as “I’m allowed to.” Passive reception of an unencrypted signal is not automatically legal to act on. This is the single most common way researchers get themselves into trouble with SDR work specifically.

Skipping the isolated lab environment. RF research — especially anything involving transmission or protocol emulation — benefits from the same isolated-network discipline covered in the complete home cybersecurity lab guide. Don’t run this work on your production home network any more than you’d run malware analysis on it.

Frequently Asked Questions

Do I need all four tools (Proxmark3, Flipper Zero, HackRF, RTL-SDR)?
No. Start with an RTL-SDR to learn fundamentals, then add the tool that matches your actual work — Proxmark3 for RFID/NFC depth, HackRF for broader-spectrum protocol research, Flipper Zero if portability and client-facing demos matter more than either. Most people don’t need all four; I use all four because my work spans the full range.

Is the Flipper Zero actually as dangerous as the media coverage suggested?
No. It reliably demonstrates real vulnerabilities in legacy systems (old access-control badges, fixed-code remotes), but it does not clone modern contactless payment cards or defeat rolling-code garage systems, contrary to a lot of the coverage. See the Flipper Zero article linked above for the specific claims that didn’t hold up.

What’s the actual difference between the Proxmark3 and a Flipper Zero for RFID work?
Depth and attack surface. The Proxmark3 implements the full Mifare Classic attack suite (nested, hardnested, darkside), protocol sniffing, and a scripting environment. The Flipper handles the common cases — basic LF cards, simple NFC reads — well enough for fieldwork, but hits a ceiling well before the Proxmark3 does.

Can I do this research legally without any special license?
Receiving is generally unrestricted in most jurisdictions for signals not specifically protected by wiretapping law. Transmitting on licensed frequencies without authorization is a separate and more serious problem — see the legal section above. When in doubt, stay in receive mode until you’ve specifically researched the transmit-side rules for your jurisdiction and use case.

Where should a complete beginner actually start?
RTL-SDR plus GQRX or SDR#, spending real time just identifying and visualizing signals before trying to decode or replay anything. The instinct to jump straight to an “attack” undersells how much of this field is signal-analysis literacy first.

Where to Start: An RTL-SDR dongle on Amazon is the right first purchase for almost everyone in this cluster. For the full lab buildout, search for the Proxmark3 RDV4 and the HackRF One on Amazon.

Sources:

  1. Proxmark3 RRG/Iceman firmware repository — https://github.com/RfidResearchGroup/proxmark3
  2. HackRF One documentation — greatscottgadgets.com
  3. Flipper Zero official documentation — flipperzero.one
  4. EMVCo contactless payment specification — https://www.emvco.com/
  5. FCC regulations on radio transmission, Title 47 CFR Part 15
Scroll to Top