Using your Apple device as an access card in unsupported systems

ShakataGaNai

This is cool, do love the hacking ingenuity. And not that I want to give Apple extra credit, but they are slowly opening up NFC: https://www.macrumors.com/guide/apple-nfc-chip-ios-18-1/ - It is very restrictive (probably) and very late - most certainly. But at least it's slowly coming.

talldayo

The fact that Apple even considered "closing" a general purpose standard like NFC is a testament to how much they are willing to drag their feet on any innovative customer-facing features.

You'd think that it was common sense to avoid that, but we are talking about the company that invented DRM for the USB protocol...

dijit

This is a common trope, and given that they don't speak about these things publicly people will take whatever negative opinion they think up and consider them completely valid.

I'm aware of this myself, because I work in games, and sometimes we literally can't comment on things; which leads to the speculation being very often the absolute most negative possible interpretation of what is happening, and completely invalid.

To take another more obvious example; imagine OpenBSD was, well, not open. Yet they didn't support Bluetooth. (they don't).

From an outside perspective, is this: because they don't consider it open source? Because they're not capable? Because they hate bluetooth headphones or interfacing with audio devices? Is it due to security- maybe related to file sharing or something... it could be privacy.

And if we thought they were just pure-through-and-through bastards, we'd think up more.

There's another perspective, ironically that covers your point as well as OpenBSD's lack of bluetooth support:

What if; it's actually much harder than we realise to make it easy to use and secure?

It's totally possible that a standardised format has only hacky, rushed and dangerous implementations. It's not uncommon at all, actually.

jclulow

They're an absolutely staggeringly immense company and they fight tooth and nail to preserve their rent seeking and premium margins. Nobody owes them a positive interpretation of apparently poor behaviour, especially not when discoverable materials often show the principals are absolutely doing the wrong thing (e.g., Jobs and the anti-labour wage fixing racket).

If the company wants people to have positive thoughts, they should do positive things! If indeed there are positive reasons for an apparently negative thing, they should explain them.

If they can't or won't explain them, then people absolutely should assume if they feel like they're getting screwed, that they probably are.

int0x29

Years after nfc was added to android I have yet to see anyone complain that I can write an android app that has raw NFC access.

hmottestad

Well, it’s not like anyone sued a Dutch university for finding security vulnerabilities in their NFC transport card solution…NXP would never rush their implementation to market and then try to sue their way out of any vulnerabilities.

https://freedom-to-tinker.com/2008/07/15/transit-card-maker-...

moritzwarhier

It's understandable in the context of Apple Pay I think.

int0x29

Google Pay coexists with an open NFC API on the same devices and has since before iOS had NFC support.

Havoc

I wonder why the Chinese transit card uses an unsecure method. Sounds like that is a lone outlier case so presumably intentional for some reason?

kormax

My guess is that there's some city or transit system which needs the UID to be static for one reason or another, like in order to avoid double charging the same user if they accidentally scan their card multiple times.

The T-Union card definitely has other means of doing that, like by checking the card serial, which is stored in one of the files, or by getting the same static UID value as it is also reported in RATS.

But in the end, seems like one of the important transit partners did not want to even bother fixing it, so Apple was forced to allow the static UID.

It really shows how big companies like Apple, who like to talk about "privacy" and "security", are willing to bend over backwards, if this means getting access to the revenue stream. AFAIK they get a percentage cut of transit card top ups, and Chinese market is obviously massive.

For comparison, from what I've heard, when it comes to implementing the same transit feature in the US or in the EU, Apple is extremely strict with their partners. They may even tell their partners that they're unwilling to work with them unless they fully re-implement their transit card standard stack using other technology, or to format their cards differently, even if they are fully secure. The reasoning, depending on how big the project is, is that Apple may not want to bother with porting the Applet implementation (in case of niche card standards), or writing a new card state parser (for existing card types like Mifare, which can be 'formatted' and store data differently, even if they use the same protocol).

atonse

Given the UID is the same every time, I can assume it’s to make surveillance easier?

jtbayly

I’m curious what the security of these NFC lock systems looks like. (I’m talking about the commercial building systems mentioned like Brivo and Unifi, not home systems.)

In particular, I know unifi cards rotate keys. So you can’t simply clone them with a Flipper, and this also means third party cards don’t work. By default, this is true, but you can’t simply clone turn it off, as mentioned in the article.

Does this mean that the other systems’ cards are easily cloned? This seems very insecure, if so.

avianlyric

> Does this mean that the other systems’ cards are easily cloned? This seems very insecure, if so.

Broadly, yes, almost all NFC based access systems are insecure and pretty broken. They mostly operate via security via obscurity, and the fact that anyone serious about security that deploys these systems will put a huge amount of effort into identifying one of the actually secure systems. More likely they will pair the NFC element with multiple other secure elements, such as photo badges, big security humans that demand people keep their badges visible, and card + pin entry on all important access points.

A big part of the reason why these Apple Wallet systems have taken so long to appear is because Apple seems to refuse to integrate with any system that isn’t built using secure cryptography. Turns out there aren’t many systems out there that use strong cryptography, rather than cryptographic systems that have been broken for decades.

Actually getting information on how any particular system actually provides its “security” is extremely difficult. Mostly you have to figure it out by being familiar with the different systems out there, and different NFC systems. Then it’s possible to parse the marketing terms into actual technical specifications that might give a hint at how a system works. The only sure fire way to find out, is to buy parts of the system (such as access tokens or readers), and evaluate the hardware using various NFC and RFID hacking tools to figure what manner of awful design this particular system uses.

hmottestad

They specifically write that this only supports UID based authentication. So, the card answers with the same unique ID every time.

UniFi has support for this, but seemingly not by default.

This solution also doesn’t allow you to clone an existing card. You actually need the admins to add the UID of your Chinese transport card to their system.
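
As an added illustration of the UID-based authentication discussed in the comments above (not code from the article, from UniFi, or from any commenter): a reader that only compares a static UID accepts any device presenting that value, while a reader that issues a fresh challenge rejects a recorded answer. The HMAC scheme, the names and the sample values are constructed assumptions, not any vendor's protocol.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not taken from any real card or access system.
ENROLLED_UIDS = {bytes.fromhex("04a1b2c3")}
CARD_KEYS = {"badge-17": bytes(range(16))}  # hypothetical per-credential secret


def uid_only_reader(presented_uid: bytes) -> bool:
    """UID-based check: the reader trusts whatever identifier is presented."""
    return presented_uid in ENROLLED_UIDS


class Credential:  # proves possession of a secret, not a fixed identifier
    def __init__(self, cred_id: str, key: bytes):
        self.cred_id, self._key = cred_id, key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class ChallengeResponseReader:
    _challenge = None

    def new_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(16)  # fresh value for every tap
        return self._challenge

    def verify(self, cred_id: str, response: bytes) -> bool:
        key = CARD_KEYS.get(cred_id)
        challenge, self._challenge = self._challenge, None  # single use
        if key is None or challenge is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def compare_schemes() -> dict:
    reader = ChallengeResponseReader()
    card = Credential("badge-17", CARD_KEYS["badge-17"])
    first = card.respond(reader.new_challenge())
    genuine = reader.verify(card.cred_id, first)
    reader.new_challenge()  # the next tap is issued a different challenge
    return {
        "same_uid_from_other_device": uid_only_reader(bytes.fromhex("04a1b2c3")),
        "genuine_tap": genuine,
        "recorded_response_reused": reader.verify(card.cred_id, first),
    }
```
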

data_ders

Love seeing the Xiamen City Metro card! Would recognize the scenery from anywhere

agos

this is cool but the limitations make it almost unusable

withinboredom

Does this work with ANY card set as the transit card in iOS? Or just this one type of transit card?

noja

Your question is answered in the article.

withinboredom

I'm not sure that it is. It goes to great lengths to explain how to get this particular card + says 'any transit card' in so many words.

It doesn't seem explicit.

sgt

Would be cool to get into the office like this. We have RFID tags.

akersten

I was really excited about the new UniFi G3 access card reader claiming support for iPhone unlock until I realized it's $5/year/device. It just seems like a slow boil into subscriptions for a company whose entire value prop is prosumer networking without the contracts.

I don't know if it's Apple or UniFi to blame for this fee, but it turned me off entirely of what would have been a day 1 purchase. Other, cheaper junky IoT home locks support Apple HomeKit for unlocking for free, why can't UniFi figure it out?

Really glad to see hacking in this space.

kormax

Hi, I'm the author behind the article referenced in this post.

As far as I know, Ubiquiti is not responsible for this 5$ per year "tax".

Apple takes about 3$ per user per year for usage of "Apple Access Platform", and the rest is spent for licensing the credential technology, like to NXP for Mifare DESFire in this case.

ValentineC

This is amazing. :) Small world!

I was testing my new Hikvision keypad against every card I have and wondering if I could use Apple Express Transit, when I stumbled upon your writeup. Looking forward to trying out a T-Union card later!

kormax

They could not implement "Home Key", because Apple requires that compatible devices are implemented as a single unit, containing reader + lock.

This limitation was added precisely as to prevent HomeKey from cannibalizing that sweet recurring revenue from "Apple Access Platform" targeted at business customers, as companies want detached readers which can be hooked into existing PACS architectures.

There was a device which did not follow that rule - the Aqara U200 but it seems like they had spent a lot of time arguing with Apple to get approval, as there were multiple occasions where they promised HomeKey (thus generating lots of hype and pressure), and then came back on that promise. Although they delivered on it in the end, good for them.

ShakataGaNai

It's SSO tax applied to hardware devices. But at the same time, it's clearly a more premium feature and if you're a business you've got the $5000/year to pay for 1000 devices. $5/device/year is not exactly expensive. Heck, I'd pay Ubiquiti $15/year for my family to be able to use it at home. That's less than I pay for almost any subscription for anything.

eastbound

$5/year… this year. They will add a “No SOC2 compliance, please upgrade to our $19pm solution and benefit from 10% if you subscribe annually”.

jtbayly

What I can’t figure out is why the old readers, which clearly read NFC cards, can’t work to read iPhones, which emit NFC.

I understood in the past that iPhones weren’t supported because of the limitations described in the article. I figured once Apple opened up the system and Ubiquiti actually implemented it (both of which have now happened) that the old readers would work.

Although irritating, I’d consider paying $5/user/year, but I’m not about to rip out 6 card readers that I just installed.

mschuster91

> It just seems like a slow boil into subscriptions for a company whose entire value prop is prosumer networking without the contracts.

On the other side... look at the status quo in access control systems. If you never did, be happy you never had to because the status quo is shit because the entire ecosystem is suffering from a severe lack of money - for physical locks, most people buy the cheapest shit they can get at Home Depot or whatnot, and for "fancy" stuff involving smartphones they do just the same, or order right from Alibaba. And that is a damn horror show.

Ubiquiti, for all I dislike the trend for recurring revenue everywhere, at least makes high quality and secure stuff - but with anything interconnected, keeping updates available costs recurring expenses. So it's either "the product is cheap ass and will likely have multiple bypasses in a year or two", "the product is extremely expensive but you will get updates for a reasonable time" or "the product is affordable, but costs recurring money".

rubatuga

Or ... maybe we should take a step back and stop trying to shove everything into phones - like drivers license or all forms of payment.

CrimsonRain

Just because you like to walk with 1000 things in your pocket doesn't mean everyone else likes it too. Stop being a luddite.