The Proxmark3 has been the standard tool for RFID and NFC research since its original release by Jonathan Westhues in 2007. Nearly two decades later, the hardware has been updated (the RDV4 is the current reference platform), the firmware has been extensively developed by the open-source community, and the tool remains the most capable general-purpose RFID research device available outside of professional lab equipment.
Here is an accurate picture of what it does well, where it falls short, and how the landscape has changed in 2026.
What the Proxmark3 Actually Is
The Proxmark3 is a hardware-software system for reading, analyzing, emulating, and cloning RFID and NFC devices. It operates across the main frequency bands used in access control, transit, payment, and identification cards:
- Low frequency (LF, 125kHz): EM4100/EM4200 (common in cheap access cards), HID Prox, AWID, Indala, T5577 (the standard clone chip)
- High frequency (HF, 13.56MHz): Mifare Classic, Mifare Ultralight, DESFire, iCLASS, NTAG, ISO 14443-A/B, ISO 15693, NFC Forum types
The hardware can act as both a reader (interrogating cards/fobs) and a tag (emulating a specific card to a reader). This makes it useful for both assessment and demonstration — you can both capture a card’s data and prove that data is usable by cloning it to a T5577 blank.
What It Does Well in 2026
Low-frequency access control assessment. This is where the Proxmark3 is still unmatched. The vast majority of deployed corporate and residential access control infrastructure runs on LF protocols — HID Prox and EM4100 are the dominant ones. These protocols have no cryptographic protection and have been fully reversible for over fifteen years. Reading a badge at moderate range (several inches to a foot, depending on antenna) and cloning it to a T5577 is a well-documented, reliable process. The Proxmark3 handles it cleanly.
If your engagement involves a facility running HID Prox or EM4100 — which is most facilities — this tool covers the physical access credential portion of the assessment completely.
Mifare Classic analysis. The Mifare Classic cryptographic weakness (the CRYPTO1 cipher) has been known since 2008. The Proxmark3 implements multiple attack vectors — nested attacks, hardnested attacks, darkside attacks — for recovering keys from Mifare Classic cards. This is still relevant because a substantial fraction of deployed transit, parking, and loyalty cards globally still run Mifare Classic.
NFC research and protocol analysis. The Proxmark3 supports the ISO 14443 and ISO 15693 standards used in NFC, including the ability to sniff and analyze transactions (with appropriate hardware setup). For understanding how a specific NFC system works or what data is being exchanged, it provides a level of visibility that phone-based NFC tools cannot match.
Scripting and automation via Lua and the PM3 client. The firmware includes a full Lua scripting environment. Repeatable attack workflows, custom protocol handlers, and automated key recovery sequences can all be scripted. For assessment work where you are doing the same analysis across many cards, scripting is essential.
What It Does Not Do Well (Or Cannot Do)
EMV payment cards. Modern Visa/Mastercard NFC payment cards implement EMV with dynamic transaction cryptograms. The Proxmark3 can read the static data from these cards (card number, expiration date) but cannot clone them for functional payment use. The dynamic cryptogram generated per transaction is not replayable. This is the correct answer to “can you clone my credit card with a Proxmark3” — you can read some data, you cannot produce a functional clone.
DESFire EV2/EV3. The newer DESFire variants (EV2, EV3) use 3DES or AES encryption with mutual authentication. No known practical attack on these implementations exists. The Proxmark3 can identify and communicate with DESFire cards but cannot bypass the cryptographic protection without the application key.
iCLASS Seos. HID’s Seos platform (used in newer enterprise deployments) uses AES-128 and proper cryptographic controls. The original iCLASS (using a 40-bit DES key that was reverse-engineered in 2012) is attackable; Seos is not practically so.
Long-range reading. The Proxmark3 with standard antennas reads cards at conversational distances — a few inches to a foot, depending on card type and antenna quality. Purpose-built long-range LF readers with larger antennas can read at several feet. The Proxmark3 is not a long-range skimming tool in its standard configuration.
The Flipper Zero Comparison
The Flipper Zero has become the accessible alternative for basic RFID work. It handles common LF protocols (EM4100, HID Prox) and basic HF work (Mifare Classic with limitations). For simple read-and-clone of common access cards, it works and is far more portable.
The Proxmark3 RDV4 remains superior for:
- Full Mifare Classic attack suite (nested, hardnested, darkside)
- Protocol sniffing and raw frame capture
- Custom scripting and automation
- Research work that requires understanding what is actually happening at the protocol level
The Flipper is the right tool for fieldwork where portability matters and the card type is predictable. The Proxmark3 is the right tool for lab assessment, protocol research, and anything requiring the full attack surface.
Firmware in 2026
The Iceman fork (RRG/Iceman) is the current active firmware for the Proxmark3, maintained at a much higher cadence than the official firmware. Run the Iceman fork. It has better protocol support, more attack commands, better documentation, and active bug fixes. The official firmware has not been meaningfully updated in years.
The pm3 client runs on Linux, macOS, and Windows. Linux is the most straightforward environment; the serial communication is cleaner and the build toolchain is simpler.
Practical Starting Point
For someone new to the Proxmark3: the RDV4 is the reference platform worth buying if you are doing real assessment work. The older versions (Easy, V3) are cheaper but have lower-quality antennas and less extensibility. The antenna matters — the RDV4’s modular antenna design is a significant practical improvement.
Start with the Iceman firmware, work through the basic LF and HF read commands, practice on cards you own, and learn what the protocol information the tool returns actually means. The tool is only as useful as the operator’s understanding of the underlying protocols.
—
Looking for a Proxmark3? Search for the Proxmark3 RDV4 on Amazon — make sure you are buying from a reputable seller, as counterfeit units are common in this product category.
Sources:
- Proxmark3 RRG/Iceman firmware repository — https://github.com/RfidResearchGroup/proxmark3
- Nohl, Karsten, et al. “Reverse-Engineering a Cryptographic RFID Tag.” USENIX Security 2008.
- Garcia, Flavio, et al. “Wirelessly Pickpocketing a Mifare Classic Card.” IEEE S&P 2009.
- Westhues, Jonathan. Original Proxmark documentation — http://cq.cx/proxmark.pl