RFID, Risk, and the Law Firm: What Leaders Actually Need to Know 

Cloneable badges, courtroom-ready logs, and the bigger tracking threat hiding in your pocket.


In a recent ALA MN session for small and mid-size law firm administrators, Element’s CTO, Craig Sixta, unpacked one of the most misunderstood technologies in the modern office: RFID. With more than 25 years in IT and cybersecurity, including incident response for ultra-high-net-worth clients and expert witness work, Craig has seen firsthand where RFID helps, where it fails, and where it shows up unexpectedly in legal matters. 

Here is what every law firm leader should take away from the conversation. 

RFID Is A Family Of Technologies, Not A Security Rating 

RFID, or Radio Frequency Identification, is a broad category of wireless tagging technology. It is in building badges, credit cards, enhanced driver's licenses (the optional border-crossing variant issued by a handful of states, not standard licenses), toll tags, hotel key cards, passports, library books, asset tags, and even pet microchips. Most of these tags are passive: they have no battery and only respond when a reader energizes them. A backend system then logs the tag ID along with the time and place it was seen. 

NFC (Near Field Communication), the tech behind Apple Pay and tap-to-pay cards, is a more sophisticated subset of RFID. It uses very short range plus, in payment applications, tokenization and one-time cryptograms that make it significantly more secure than older “dumb” RFID. The takeaway: RFID itself is neither secure nor insecure. The specific implementation is what matters. 

Real Risks vs. The Myths 

RFID does not constantly track you. Tags only transmit when energized by a nearby reader. Typical read ranges are short: older proximity cards read at a few inches, contactless smartcards typically at an inch or two, and passive UHF inventory tags from roughly 10 to 30 feet (longer with specialized antennas). 

That said, when readers are placed at doors, elevators, server rooms, and other checkpoints, an organization can absolutely infer movement patterns over time. Where governance and retention policies are weak, those logs can be misused. 

The 10-year Problem: Legacy Badge Systems 

The single biggest practical risk Craig sees in law firm environments is the legacy badge system. Many offices still rely on 125 kHz prox cards that were installed a decade or more ago. These cards broadcast a static, unencrypted ID with no authentication: any reader (or any device pretending to be one) that energizes the card gets the same number every time, and the card has no way to prove it is the original. The credential cannot be revoked at the card level, only at the access control system. The problem is the technology generation, not the calendar age: a brand-new 125 kHz card purchased today has the same weakness as one issued ten years ago. Most firms keep these in service simply because “they still work.” 

They are also trivially cloneable. Craig demonstrated live with a Flipper Zero: press “read,” tap a card, and the device captures the credential in seconds. Hit “emulate” and the device itself now functions as that badge. The same vulnerability applies to many hotel key cards and older access systems still in production. 

The consequence for law firms is significant. Badge logs show which credential opened a door, not who held the credential. Without cameras or other corroborating evidence, those logs alone make weak proof of anything. 
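To make concrete what “a static, unencrypted ID with no authentication” means, here is an added example (not from the session or the article) that encodes and decodes the 26-bit Wiegand layout commonly carried on 125 kHz prox cards. The format (HID H10301), the facility code and the card number are assumptions for illustration; the article does not name a card format.

```python
"""Added example (not from the page): what a 125 kHz prox card actually carries.

Assumption (not stated in the article): the card uses the common 26-bit
Wiegand layout (HID H10301): one even-parity bit, an 8-bit facility code,
a 16-bit card number, and one odd-parity bit.  There is no key, no
challenge/response, nothing a reader can verify beyond parity.  Whoever
captures these 26 bits (for example with a Flipper Zero) can replay them.
"""


def encode_h10301(facility_code: int, card_number: int) -> str:
    """Return the 26-bit Wiegand bit string for a facility code / card number pair."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = f"{facility_code:08b}{card_number:016b}"   # 24 data bits
    even = str(payload[:12].count("1") % 2)              # even parity over first 12 data bits
    odd = str((payload[12:].count("1") + 1) % 2)         # odd parity over last 12 data bits
    return even + payload + odd


def decode_h10301(bits: str) -> tuple[int, int]:
    """Recover (facility_code, card_number) from 26 captured bits; raise on bad parity.
    This is everything a reader learns about the card: two numbers and two check bits."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits")
    payload = bits[1:25]
    if int(bits[0]) != payload[:12].count("1") % 2:
        raise ValueError("even parity mismatch")
    if int(bits[25]) != (payload[12:].count("1") + 1) % 2:
        raise ValueError("odd parity mismatch")
    return int(payload[:8], 2), int(payload[8:], 2)


def clone_is_indistinguishable(captured_bits: str) -> bool:
    """The 'emulate' step: re-encoding what was captured yields exactly the bits the
    reader saw, so the access control system logs the same credential either way."""
    return encode_h10301(*decode_h10301(captured_bits)) == captured_bits


if __name__ == "__main__":
    # Constructed credential: facility code 123, card number 45678.
    bits = encode_h10301(123, 45678)
    print(bits, decode_h10301(bits), clone_is_indistinguishable(bits))
```

The point of the example is what is absent: no secret on the card, no nonce from the reader, nothing that changes between taps. The only integrity check is parity, which protects against a corrupted read, not against a copy. A cloned card and the original produce identical log entries, which is why the badge log alone cannot say who was at the door.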

Where RFID Shows Up In Legal Matters 

Craig walked attendees through several common scenarios where RFID data lands in litigation or investigation: 

  • Employment disputes: entry/exit logs used to evaluate attendance, tardiness, or presence in the building. 

  • Premises liability and security: who accessed buildings, floors, or server rooms, and when. Visitor badges extend this to guests. 

  • Criminal defense, divorce, and timeline cases: toll tags, building access, and other RFID checkpoints used to corroborate or challenge a timeline. 

  • Supply chain disputes: RFID custody data in warehouses, ports, and logistics chains. 

  • Healthcare: asset tracking for devices and equipment within hospitals and clinics. 

The critical caveat: RFID logs prove a specific tag ID was seen at a time and place by a particular system. They do not prove who physically possessed the tag, that the tag was not cloned, or that the system's clocks and logs are trustworthy. Log integrity (immutability, retention, access control, and time synchronization) is what makes RFID evidence credible — or not. 

Bluetooth Is Often The Bigger Tracking Risk 

One of Craig's most pointed observations: from a tracking standpoint, Bluetooth is usually a bigger concern than RFID. Phones, watches, wearables, AirPods, AirTags, hearing aids, fitness bands, and in-car systems broadcast nearly continuously. Modern iPhones, Android phones, and premium wearables from major vendors randomize their Bluetooth identifiers to make passive tracking harder — but that protection is uneven across the ecosystem. Many cheaper smartwatches, older fitness trackers, Bluetooth Classic peripherals, and generic IoT devices either don’t randomize at all or implement it poorly, and even strong randomization has been defeated by physical-layer fingerprinting techniques. RFID is checkpoint-based and intermittent; the collection of Bluetooth devices on a typical person is continuous, the attack surface is larger, and at least some of those devices are almost certainly trackable. 

Practical Protections

For individuals 

  • Use RFID-blocking wallets, sleeves, or cases for credit cards and enhanced IDs. US passport covers already provide some shielding, but extra sleeves help. 

  • When traveling, watch for card skimmers on gas pumps, ATMs, and POS devices. Prefer terminals where you do not surrender the card out of sight, and wiggle readers — if a slot feels loose, treat it as suspicious. 

  • Consider disabling Bluetooth and NFC in high-risk or high-traffic environments, and using RFID/EMI-blocking pouches for phones during highly confidential discussions. Note that on iOS, the Control Center toggle does not fully disable Bluetooth — use Settings › Bluetooth to turn it off completely. 

For law firms and offices 

  • Assess current badge technology. If you are still on 125 kHz prox cards, plan a migration to modern, encrypted smartcard or mobile-credential systems. 

  • Modernize access carefully. App-based, MFA-backed mobile access with biometrics is meaningfully more secure than legacy prox — but implementation quality matters. Several webinar attendees flagged reliability issues, so vet vendors and pilot before rolling out firmwide. 

  • Tighten offboarding. Disable credentials immediately on departure and, where possible, physically retrieve badges. 

  • Govern your logs. Define retention, enforce immutable storage for critical systems, control who can read or alter logs, and keep clocks synchronized. 

  • Watch for anomalies. Periodically review access logs and use tooling — including AI-driven anomaly detection — to surface unusual patterns. 
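As an added example tying together the log-integrity caveat from the litigation section with the “govern your logs” and “watch for anomalies” items above, here is a hash-chained badge log with three simple anomaly checks. It is illustration code written for this page, not Element’s tooling or any access-control vendor’s product. The reader names, site layout, credential IDs, log lines, offboarding record and the 10-minute minimum travel time are all constructed.

```python
"""Added example (not the article's own tooling): a tamper-evident badge log
and three anomaly checks over it.  All data below is constructed."""
import hashlib
import json
from datetime import datetime, timedelta

# Constructed reader inventory: reader -> site.  Readers at the same site can be
# badged back-to-back; readers at different sites cannot.
READER_SITE = {
    "HQ-lobby": "HQ",
    "HQ-server-room": "HQ",
    "Branch-lobby": "Branch",
}
MIN_TRAVEL = timedelta(minutes=10)   # assumed policy value: HQ <-> Branch takes at least 10 min

# Constructed access log, in the order the access control system wrote it.
SAMPLE_LOG = [
    {"ts": "2024-03-04T08:01:10", "reader": "HQ-lobby",       "cred": "0123-45678", "result": "granted"},
    {"ts": "2024-03-04T08:03:42", "reader": "HQ-server-room", "cred": "0123-45678", "result": "granted"},
    {"ts": "2024-03-04T08:05:07", "reader": "Branch-lobby",   "cred": "0123-45678", "result": "granted"},
    {"ts": "2024-03-04T08:04:00", "reader": "HQ-lobby",       "cred": "0123-00042", "result": "granted"},
    {"ts": "2024-03-04T19:30:00", "reader": "HQ-lobby",       "cred": "0123-00099", "result": "granted"},
]

# Constructed offboarding record: credential -> time it should have been disabled.
DISABLED_AT = {"0123-00099": "2024-03-01T17:00:00"}


def _canonical(body: dict) -> str:
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def chain_log(records):
    """Return records with 'prev' and 'hash' fields added, SHA-256 chained in write order.
    Editing or deleting any earlier record changes every later hash."""
    chained, prev = [], "0" * 64
    for rec in records:
        h = hashlib.sha256((prev + _canonical(rec)).encode()).hexdigest()
        chained.append({**rec, "prev": prev, "hash": h})
        prev = h
    return chained


def verify_chain(chained):
    """Return the index of the first record whose chain link is broken, or None if intact."""
    prev = "0" * 64
    for i, rec in enumerate(chained):
        body = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
        expected = hashlib.sha256((prev + _canonical(body)).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return i
        prev = rec["hash"]
    return None


def find_anomalies(records):
    """Flag (a) a credential seen at two sites faster than travel allows (clone or
    shared badge), (b) a grant after the credential should have been disabled
    (offboarding gap), and (c) timestamps that go backwards in write order
    (clock skew or log manipulation).  Each finding is (kind, credential, ts)."""
    findings, last_seen, prev_ts = [], {}, None
    for rec in records:
        ts = datetime.fromisoformat(rec["ts"])
        site = READER_SITE[rec["reader"]]
        if prev_ts is not None and ts < prev_ts:
            findings.append(("clock", rec["cred"], rec["ts"]))
        prev_ts = ts
        if rec["cred"] in last_seen:
            t0, site0 = last_seen[rec["cred"]]
            if site0 != site and abs(ts - t0) < MIN_TRAVEL:
                findings.append(("impossible_travel", rec["cred"], rec["ts"]))
        last_seen[rec["cred"]] = (ts, site)
        off = DISABLED_AT.get(rec["cred"])
        if off and rec["result"] == "granted" and ts > datetime.fromisoformat(off):
            findings.append(("used_after_disable", rec["cred"], rec["ts"]))
    return findings


if __name__ == "__main__":
    chained = chain_log(SAMPLE_LOG)
    print("chain intact:", verify_chain(chained) is None)
    for finding in find_anomalies(SAMPLE_LOG):
        print(*finding)
```

A hash chain makes after-the-fact edits detectable, not impossible: whoever can rewrite the whole chain can re-hash it. What turns detection into evidence is anchoring the latest hash somewhere the access-control administrators cannot write (a separate log server, write-once storage, or a periodically signed checkpoint), together with NTP-synchronized clocks so that the “clock” finding above reflects a real problem rather than drift between readers.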

Key Takeaways 

  • RFID is everywhere, but it is a family of technologies, not a single security rating. 

  • Legacy 125 kHz badge systems are the dominant practical risk in most law firm environments. 

  • RFID logs are useful but limited as evidence; cloning, time sync, and log integrity all matter. 

  • From a tracking standpoint, Bluetooth and smartphones are usually the bigger concern. 

  • Sensible mitigations: upgrade outdated badge systems, enforce strong governance, and use RFID-blocking and phone hygiene where it counts. 


Ready to find out where your firm actually stands?

Element Technologies helps law firms assess physical and digital access controls, modernize legacy badge systems, and build the log governance that holds up under scrutiny. If you would like a security assessment tailored to your firm — including a review of your current badge technology, access logs, and overall risk posture — our team is ready to help. 

Contact Element Technologies to schedule a confidential security assessment

Craig Sixta

Chief Technology Officer at Element Technologies

https://www.linkedin.com/in/craig-sixta-cissp-8b0b157/