Using your Apple device as an access card in unsupported systems

Project & Practical Limitations

  • Many find the hack clever but too constrained to be broadly usable.
  • Some say it’s easier to just tape a regular RFID/NFC tag or sticker to the phone.
  • Still, people are excited about the idea of using phones as office access cards, especially where RFID badges are already used.

Apple Wallet, UniFi, and Fees

  • New UniFi readers support iPhone unlock but require ~$5/device/year, which frustrates people expecting “no contracts” prosumer hardware.
  • Clarification: roughly $3/user/year goes to Apple’s “Apple Access Platform”; the rest is licensing (e.g., NXP/MIFARE DESFire).
  • Some see the fee as reasonable for business and ongoing security updates; others fear subscription creep and lock‑in.

NFC Hardware & Protocol Constraints

  • Older UniFi readers can’t support Apple Wallet because their NFC controller (PN7160) lacks Apple’s proprietary “Enhanced Contactless Polling” (ECP).
  • Newer readers use a special NXP SKU (PN7161) that is functionally identical but “unlocked” for ECP via licensing.
  • Apple requires certified ECP readers; using Wallet credentials with non‑certified readers is prohibited.

Openness, Security, and Platform Control

  • Strong criticism of Apple for locking down NFC and charging recurring fees, contrasted with Android’s long‑standing open HCE NFC API.
  • Others argue Apple faces higher scrutiny and legal/media risk (e.g., “clone your access card” apps, Flipper‑style tools), so it tightly controls NFC.
  • Debate over whether restrictions are about real security or primarily rent‑seeking and ecosystem control.

Transit Cards, UID Behavior, and Privacy

  • The featured Chinese T‑Union transit card is special because, when set as the default transit card:
    • It stops UID randomization.
    • It responds in “express” mode to all readers.
    • Its UID/serial stays constant across devices.
  • This makes it suitable for UID‑based access systems; many other Wallet transit cards change UIDs when moved between devices.
  • Some worry this enables tracking and requires Alipay/Chinese transit registration; others note NFC range and existing surveillance realities.
  • It’s noted that other Express Transit options (including EMV‑based cards) also expose stable identifiers, so privacy is already imperfect.

Security of Commercial Access Systems

  • Many NFC access systems are described as “broadly insecure,” often relying only on static UIDs or legacy MIFARE Classic.
  • Better systems use DESFire and cryptographic authentication, but are often implemented poorly:
    • “Non‑transparent” readers keep master keys at the door, making tampering easier.
  • The industry is described as opaque, proprietary, and incentive‑misaligned, with security through obscurity common.

Regulation and Recent Changes

  • EU pressure is credited with pushing Apple to open NFC for payments and, more recently, deeper NFC/SE APIs (iOS 18.1).
  • New APIs still require Apple agreements, special entitlements, and third‑party lab certification, making them inaccessible for hobbyists.
  • Some see EU rules (e.g., NFC access, common charger) as genuinely promoting innovation and interoperability rather than hindering it.