
Your Access Control Cards Can Be Cloned in Seconds. Here's What to Do About It.

Slam Systems
May 17 2026

Is Your Building's Access Control One Gadget Away From Being Bypassed?

A small orange device the size of a TV remote has been making waves in corporate security circles. It's called the Flipper Zero, and it costs around £150. In the right hands, or the wrong ones, it can read and clone the access card in your employee's pocket without them noticing, then use that cloned card to walk through your front door.

This isn't a hypothetical. It's happening. And if your building is running older access control technology, there's a reasonable chance your cards are vulnerable.

This post explains how card cloning works, which systems are at risk, and what a practical upgrade path looks like for London businesses and facilities managers.

What Is the Flipper Zero and Why Does It Matter for Access Control?

The Flipper Zero is a portable multi-tool designed for security researchers. It can read, store, and transmit a wide range of wireless signals including the radio frequency signals used by most legacy access control cards.

It went viral online partly because it looks like a toy. It is not a toy. In the context of Flipper Zero and access control, the device can interact with low-frequency (125kHz) cards and many high-frequency (13.56MHz) cards, the same frequencies used by tens of millions of access cards currently in use across offices, hotels, and commercial buildings.

The broader point isn't that the Flipper Zero is uniquely dangerous. It's that tools capable of cloning access cards are now cheap, widely available, and require minimal technical skill to operate. The threat that once required specialist equipment now fits in a jacket pocket.

How Card Cloning Works — In Plain English

Most access control cards work by broadcasting a unique ID number wirelessly when held near a reader. The reader picks up that ID, checks it against a list of permitted IDs, and unlocks the door.

The vulnerability is straightforward: if the card simply broadcasts its ID without any encryption or authentication, anyone with the right equipment can listen, record that ID, and write it onto a blank card. The reader has no way to tell the difference between the original card and the copy because from the reader's perspective, they look identical.

Think of it like a photocopied key. A padlock can't tell whether it's being opened by the original key or a perfect copy. Older access control systems have the same problem.

Which Systems Are Vulnerable?

Not all access control technology carries equal risk. The systems most exposed to card cloning are:

  • EM4100 and 125kHz proximity cards (HID Prox, HID iCLASS legacy) — These are among the oldest and most widely deployed cards. They transmit a fixed ID with no encryption whatsoever. They are trivially cloned with the Flipper Zero and many other devices. If your cards say HID Proximity or feel like thin flat discs, this is likely what you have.
  • MIFARE Classic — Widely used from the late 1990s onward, MIFARE Classic operates at 13.56MHz and was considered secure for years. It isn't any more. The encryption used (Crypto-1) was broken over a decade ago. MIFARE Classic cards can be cloned with consumer hardware in seconds.
  • Older HID iCLASS (standard, not SE or Elite) — Standard iCLASS cards have known vulnerabilities and have been demonstrated to be cloneable in the field.

If your building uses swipe or tap cards and they were installed before roughly 2015 without a subsequent security review, there is a real chance they fall into one of these categories.

What Can an Attacker Do With a Cloned Card?

Once someone has a working clone of a valid access card, they have everything the original cardholder has — without triggering any alarm.

They can enter the building outside of business hours, access restricted floors or server rooms, move through internal doors, and leave no trace in most basic audit logs, because the system records the legitimate card ID, not the person using it.

For hotels and hospitality businesses, the risk extends to guest room access and staff-only areas. For corporate offices, it's server rooms, executive floors, and data. For any business, it's the physical security of assets, people, and information.
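
Time-stamped access records can still surface a copied card when one card ID shows up in ways a single person could not produce. The following is an added Python example, not Slam Systems' or any vendor's code; the log format, business hours, door names and transit times are constructed assumptions.

```python
from datetime import datetime, time, timedelta

# Constructed sample records: timestamp, card ID, door
SAMPLE_LOG = """\
2026-05-11T08:52:10,0A1B2C3D,Reception
2026-05-11T08:53:05,0A1B2C3D,Floor 3
2026-05-11T08:53:40,0A1B2C3D,Car Park
2026-05-11T12:15:00,11223344,Reception
2026-05-12T02:14:33,11223344,Server Room
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumption: site opening hours
# Assumption: shortest realistic walking time between pairs of doors
MIN_TRANSIT = {frozenset({"Floor 3", "Car Park"}): timedelta(minutes=3)}


def parse(log):
    """Yield (timestamp, card_id, door) from comma-separated log lines."""
    for line in log.strip().splitlines():
        ts, card, door = line.split(",")
        yield datetime.fromisoformat(ts), card, door


def find_anomalies(log):
    """Flag out-of-hours use and one card ID at two doors faster than a person can walk."""
    alerts = []
    last_seen = {}  # card_id -> (timestamp, door) of its previous use
    for ts, card, door in sorted(parse(log)):
        if not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            alerts.append((ts.isoformat(), card, "out-of-hours", door))
        if card in last_seen:
            prev_ts, prev_door = last_seen[card]
            need = MIN_TRANSIT.get(frozenset({prev_door, door}))
            if need is not None and ts - prev_ts < need:
                alerts.append((ts.isoformat(), card, "impossible-transit",
                               f"{prev_door} -> {door}"))
        last_seen[card] = (ts, door)
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(alert)
```

Neither rule proves a clone on its own; each marks a record worth checking against CCTV or with the cardholder.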

What Secure Modern Access Control Looks Like

The good news is that the technology to prevent this exists, is widely available, and is not dramatically more expensive than legacy alternatives.

MIFARE DESFire EV2 and EV3 — The current standard for high-security card-based access control. Uses AES-128 encryption with mutual authentication, meaning both the card and the reader verify each other. Cloning is not currently feasible with available tools.

HID SEOS — A credential platform designed for high-security environments. Supports mobile credentials (phone as card) and uses layered encryption. Widely used in corporate and hospitality settings where security requirements are high.

Mobile credentials — Increasingly the most practical option for many businesses. Using a smartphone as an access credential via Bluetooth or NFC removes the card entirely. No card means nothing to clone. Paxton's Switch2 platform supports mobile credentials natively.

Paxton Net2 and Switch2 with encrypted cards: For businesses already using Paxton access control, upgrading to encrypted MIFARE DESFire credentials within the existing Paxton infrastructure is often the most cost-effective path. The readers and software may remain; only the cards change.

A secure access control system in London today should use encrypted credentials, support audit logging with time-stamped access records, and allow remote management of permissions so that when a member of staff leaves, their access is removed immediately.
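
The difference between a card that only broadcasts an ID (see "How Card Cloning Works") and one that authenticates each tap, as an added Python sketch that is not Slam Systems' or any vendor's code. HMAC-SHA256 stands in for the AES-128 exchange described for DESFire, only the card-to-reader direction is modelled, and the card ID, key store and class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

CARD_ID = "0A1B2C3D"                 # constructed card ID
CARD_KEY = secrets.token_bytes(16)   # per-card secret, never sent over the air


class StaticIdReader:
    """Legacy model: the card announces an ID, the reader checks an allow-list."""
    allowed = {CARD_ID}

    def unlock(self, presented_id):
        return presented_id in self.allowed


class ChallengeResponseReader:
    """Authenticated model: a fresh nonce per tap, answered with a keyed MAC."""
    def __init__(self, keys):
        self.keys = keys
        self.pending = {}

    def challenge(self, card_id):
        self.pending[card_id] = secrets.token_bytes(16)
        return self.pending[card_id]

    def unlock(self, card_id, response):
        nonce = self.pending.pop(card_id, None)  # each nonce is single-use
        key = self.keys.get(card_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def card_answer(key, nonce):
    """What the genuine card computes inside its chip."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def compare_models():
    # Static ID: the value heard once over the air is the whole credential.
    static_copy_accepted = StaticIdReader().unlock(CARD_ID)
    reader = ChallengeResponseReader({CARD_ID: CARD_KEY})
    recorded = card_answer(CARD_KEY, reader.challenge(CARD_ID))
    genuine_accepted = reader.unlock(CARD_ID, recorded)
    reader.challenge(CARD_ID)                           # next tap gets a new nonce
    replay_accepted = reader.unlock(CARD_ID, recorded)  # old answer no longer matches
    return static_copy_accepted, genuine_accepted, replay_accepted
```

`compare_models()` returns `(True, True, False)`: the copied static ID opens the door, while a recorded answer from the authenticated card is rejected on the next tap.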

What Building Managers Should Do Now

Start with an audit. Find out what card technology you are currently running. If you don't have that documentation, your access control installer should be able to tell you, or we can assess it during a site visit.

If you are running 125kHz proximity cards or MIFARE Classic, treat this as a priority. An upgrade does not necessarily mean ripping out your entire system. In many cases, replacing the readers and re-issuing encrypted cards is sufficient; the door hardware, cabling, and back-end software may stay in place.

Set a timeline. Legacy access control vulnerabilities are not theoretical. The tools to exploit them are widely available and require no specialist knowledge. A site that is still running HID Prox cards in 2025 has an open door; it just hasn't been walked through yet.

Book a Free Access Control Site Survey

Slam Systems designs, installs, and maintains access control systems across London for hotels, offices, and commercial premises. If you are unsure what technology your building is running, or you know it's time to upgrade, we will survey your site, assess your current risk, and give you a clear recommendation at no cost.

Book your free site survey at slamsystems.co.uk/contact