This project describes a method to use an Apple device (iPhone or Apple Watch) as an access card even with unsupported access control systems. It leverages the device's NFC capabilities to read the card's data, then emulates the card using an Arduino and RFID reader/writer. The user taps their physical access card on the RFID reader connected to the Arduino, which then transmits the card data to an Apple device via Bluetooth. The Apple device then stores and transmits this data wirelessly to the Arduino when presented to the reader, effectively cloning the original card's functionality. This allows users to unlock doors and other access points without needing their physical card.
This GitHub repository, titled "Apple device as an access card in unsupported systems," details a method for leveraging the NFC capabilities of Apple devices, specifically iPhones and Apple Watches, to emulate access cards, even in systems that do not natively support Apple Wallet or Apple Pay. The author highlights the limitations of Apple's official access card functionality, which restricts usage to specifically partnered systems and requires explicit integration with Apple's ecosystem. This project aims to bypass these restrictions, allowing users to utilize their Apple devices as access cards in a wider range of scenarios, such as accessing buildings, garages, or other secured areas that rely on traditional NFC card readers.
The core functionality revolves around reading the data from an existing physical access card using an NFC-enabled Android device and an app like NFC TagInfo by NXP. This process extracts the card's unique identifier and other relevant data. This extracted information is then carefully formatted and encoded into an NFC Data Exchange Format (NDEF) message. This NDEF message is designed to mimic the communication protocol of the original access card.
The formatted NDEF message can then be written to an iPhone or Apple Watch using an app that supports custom NDEF writing, such as Shortcuts on iOS. The author provides detailed, step-by-step instructions, including screenshots, outlining the precise process for creating the necessary Shortcuts automation. This automation effectively transforms the Apple device into a virtual representation of the original access card.
Once configured, the user can present their Apple device to the NFC reader, just as they would with the original physical card. The NFC reader interacts with the NDEF message stored on the Apple device, effectively receiving the same identification data as it would from the physical card, hopefully granting access.
The author acknowledges that this method may not work with all access card systems, particularly those employing advanced security measures like cryptography or challenge-response authentication. Whether the approach works depends on how simple the targeted access control system is and on whether it relies on static card identifiers. Furthermore, the author emphasizes the ethical considerations and potential legal implications of cloning access cards, urging users to only apply this technique to systems they own or have explicit authorization to access. The provided instructions are intended for educational and experimental purposes, and the author disclaims any responsibility for misuse or unauthorized access attempts.
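The distinction drawn above between static identifiers and challenge-response, as an added example (not code from the repository or its author): a reader-side check that trusts a presented identifier accepts any copy of it, while a check over a fresh nonce rejects a recorded response. The HMAC construction, key, UID and all names are assumptions chosen for illustration; real card families use their own authentication protocols.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not taken from any real card or system.
ENROLLED_UID = bytes.fromhex("04a1b2c3d4e5f6")
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def static_reader_accepts(presented_uid: bytes) -> bool:
    """Weak check: the reader trusts whatever identifier is presented."""
    return hmac.compare_digest(presented_uid, ENROLLED_UID)


class ChallengeResponseReader:
    """Hardened check: the card proves knowledge of a key over a fresh nonce."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def accepts(self, uid: bytes, response: bytes) -> bool:
        nonce, self._pending = self._pending, None  # each nonce is single-use
        if nonce is None:
            return False
        expected = hmac.new(self._key, uid + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def card_respond(key: bytes, uid: bytes, nonce: bytes) -> bytes:
    """What a genuine card holding the key computes for a given challenge."""
    return hmac.new(key, uid + nonce, hashlib.sha256).digest()


def demo() -> dict:
    reader = ChallengeResponseReader(CARD_KEY)
    # Session 1: genuine card answers; the (uid, response) pair is recorded.
    nonce = reader.new_challenge()
    recorded = card_respond(CARD_KEY, ENROLLED_UID, nonce)
    genuine_ok = reader.accepts(ENROLLED_UID, recorded)
    # Session 2: the recorded response is presented against a new nonce.
    reader.new_challenge()
    replay_ok = reader.accepts(ENROLLED_UID, recorded)
    return {"static_uid_replay": static_reader_accepts(ENROLLED_UID),
            "cr_genuine": genuine_ok, "cr_replay": replay_ok}
```

For anyone assessing their own installation, the static path is the one to look for: if the reader's decision depends only on an identifier the card emits unchanged on every tap, the credential offers no resistance to copying.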
Summary of Comments (92)
https://news.ycombinator.com/item?id=42759557
HN users discuss the practicality and security implications of using an Apple device as an access card in unsupported systems. Several commenters point out the inherent security risks, particularly if the system relies solely on NFC broadcasting without further authentication. Others highlight the potential for lock-in and the difficulties in managing lost or stolen devices. Some express skepticism about the reliability of NFC in real-world scenarios, while others suggest alternative solutions like using a Raspberry Pi for more flexible and secure access control. The overall sentiment leans towards caution, with many emphasizing the importance of robust security measures in access control systems.
The Hacker News post titled "Using your Apple device as an access card in unsupported systems" (https://news.ycombinator.com/item?id=42759557) has generated a moderate number of comments discussing the project and its implications.
Several commenters express enthusiasm for the project, praising its ingenuity and potential usefulness. They appreciate the ability to leverage existing Apple Wallet functionality for access control systems that haven't officially integrated with Apple's platform. The relative simplicity of setup and use, particularly the NFC reading aspect, is also highlighted as a positive.
Some users share their existing experiences and challenges with various access control systems, including issues with proprietary apps, key fobs, and the desire for a more unified solution. The Apple device integration is seen as a potential step towards this unification.
A significant point of discussion revolves around security concerns. Some commenters question the security implications of essentially cloning access cards, particularly regarding the potential for unauthorized duplication and misuse. The developer's response within the comments clarifies that the project does not actually clone or crack the card's security, but rather emulates the card's behavior using the NFC functionality of the Apple device. They emphasize that any existing vulnerabilities in the original card system would remain regardless of this project. This sparked further discussion on the inherent vulnerabilities of certain access card systems themselves.
There are technical discussions regarding the capabilities and limitations of the NFC functionality in Apple devices, particularly related to reading certain types of cards. Some users inquire about specific card compatibility and the potential for expanding the project's support.
Finally, a few comments touch upon the legal and ethical considerations of using this approach, with some raising concerns about potential misuse and the need for responsible usage within the bounds of existing access control system regulations. There's also a brief discussion about open-sourcing the hardware component of the project.
Overall, the comments reflect a mixture of excitement about the project's potential, tempered by pragmatic concerns about security, compatibility, and responsible use. The discussion highlights the ongoing desire for improved and more integrated access control solutions, while acknowledging the inherent complexities and potential pitfalls involved in achieving this goal.