Your Access Control Cards Can Be Cloned in Seconds. Here is What to Do About It
Is Your Building One Gadget Away From Being Bypassed?
A small orange device the size of a TV remote has been making waves in corporate security circles. It is called the Flipper Zero, and it costs around £150. In the right hands — or the wrong ones — it can read and clone the access card in an employee’s pocket without them noticing, then use that cloned card to walk through your front door.
This is not hypothetical. It is happening. And if your building is running older access control technology, there is a reasonable chance your cards are vulnerable.
This post explains how card cloning works, which systems are at risk, and what a practical upgrade path looks like for London businesses and facilities managers.
What Is the Flipper Zero and Why Does It Matter?
The Flipper Zero is a portable multi-tool designed for security researchers. It can read, store, and transmit a wide range of wireless signals, including the radio frequency signals used by most legacy access control cards.
It went viral online partly because it looks like a toy. It is not. In the context of access control security, the device can interact with low-frequency 125kHz cards and many high-frequency 13.56MHz cards — the same frequencies used by tens of millions of access cards currently deployed in offices, hotels, and commercial buildings across London and the UK.
The broader point is not that the Flipper Zero is uniquely dangerous. It is that tools capable of cloning access cards are now cheap, widely available, and require minimal technical skill to operate. The threat that once required specialist equipment now fits in a jacket pocket.
How Card Cloning Works
Most access control cards work by broadcasting a unique ID number wirelessly when held near a reader. The reader picks up that ID, checks it against a list of permitted IDs, and unlocks the door.
The vulnerability is straightforward. If the card simply broadcasts its ID without any encryption or authentication, anyone with the right equipment can listen, record that ID, and write it onto a blank card. The reader has no way to distinguish between the original card and the copy — because from the reader’s perspective, they look identical.
Think of it like a photocopied key. A padlock cannot tell whether it is being opened by the original or a perfect copy. Older access control systems have the same problem.
Which Systems Are Vulnerable?
Not all access control technology carries equal risk. The systems most exposed to card cloning are:
EM4100 and 125kHz proximity cards (HID Prox, HID iCLASS legacy). These are among the oldest and most widely deployed cards in UK offices. They transmit a fixed ID with no encryption whatsoever. They are trivially cloned with the Flipper Zero and dozens of other widely available devices. If your cards feel like thin flat discs and were installed before 2015, this is likely what you have.
MIFARE Classic. Widely used from the late 1990s onward, MIFARE Classic operates at 13.56MHz and was considered secure for years. It is not any more. The encryption used (Crypto-1) was broken over a decade ago. MIFARE Classic cards can be cloned with consumer hardware in seconds.
Older HID iCLASS (standard, not SE or Elite). Standard iCLASS cards have known vulnerabilities and have been demonstrated to be cloneable in field conditions.
If your building uses swipe or tap cards installed before roughly 2015 without a security review since, there is a real chance they fall into one of these categories.
What Can an Attacker Do With a Cloned Card?
Once someone has a working clone of a valid access card, they have everything the original cardholder has — without triggering any alarm.
They can enter the building outside business hours, access restricted floors or server rooms, move through internal doors, and leave no trace in most basic audit logs, because the system records the legitimate card ID rather than the person actually using it.
For hotels and hospitality businesses, the risk extends to guest room access and staff-only areas. For corporate offices, it is server rooms, executive floors, and sensitive data. For any business, it is the physical security of assets, people, and information.
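Because the log records only the card ID, a clone tends to show up when its use conflicts with the genuine card's movements. The following added example (not from the original post) scans a time-ordered door log for two such conflicts; the log format, site names and the 15-minute travel threshold are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample log, sorted by time: timestamp, card ID, site, direction.
SAMPLE_LOG = """\
2024-03-04T08:58:10,CARD-0001,HQ,IN
2024-03-04T09:01:42,CARD-0002,HQ,IN
2024-03-04T12:30:05,CARD-0001,HQ,OUT
2024-03-04T13:15:20,CARD-0001,HQ,IN
2024-03-04T18:02:11,CARD-0001,HQ,OUT
2024-03-04T22:14:33,CARD-0002,HQ,IN
2024-03-04T22:20:00,CARD-0003,ANNEX,IN
2024-03-04T22:24:00,CARD-0003,HQ,IN
"""

def find_anomalies(log_text, min_travel_minutes=15):
    """Flag card IDs whose consecutive events cannot belong to one person."""
    min_travel = timedelta(minutes=min_travel_minutes)
    last = {}      # card ID -> (time, site, direction) of its previous event
    findings = []
    for line in log_text.strip().splitlines():
        ts, card, site, direction = line.split(",")
        when = datetime.fromisoformat(ts)
        prev = last.get(card)
        if prev:
            p_when, p_site, p_dir = prev
            if site != p_site and when - p_when < min_travel:
                # Same ID at two sites faster than anyone could travel.
                findings.append((card, "impossible-travel", ts))
            elif site == p_site and direction == "IN" and p_dir == "IN":
                # Second entry while the ID is still recorded as inside.
                findings.append((card, "entry-without-exit", ts))
        last[card] = (when, site, direction)
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(finding)
```

Entry-without-exit also fires when a cardholder leaves behind a colleague without badging out, so treat these findings as prompts for review rather than proof of a clone.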
What Secure Modern Access Control Looks Like
The technology to prevent this is available, widely deployed, and not dramatically more expensive than legacy alternatives.
MIFARE DESFire EV2 and EV3. The current standard for high-security card-based access control. Uses AES-128 encryption with mutual authentication, meaning both the card and the reader verify each other. Cloning is not currently feasible with available tools.
HID SEOS. A credential platform designed for high-security environments. Supports mobile credentials (phone as card) and uses layered encryption. Widely used in corporate and hospitality settings where security requirements are high.
Mobile credentials. Increasingly the most practical option for many London businesses. Using a smartphone as an access credential via Bluetooth or NFC removes the physical card entirely. No card means nothing to clone. Paxton’s Switch2 platform supports mobile credentials natively.
Paxton Net2 and Paxton10 with encrypted cards. For businesses already using Paxton access control, upgrading to encrypted MIFARE DESFire credentials within the existing infrastructure is often the most cost-effective upgrade path. The readers, cabling, and back-end software may remain in place — only the cards change.
A secure access control system today should use encrypted credentials, support timestamped audit logging, and allow remote management of permissions so that when a staff member leaves, their access is removed immediately rather than when someone remembers to cancel their card.
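To make the difference between a broadcast ID and mutual authentication concrete, here is an added example (not from the original post, and not the DESFire or SEOS protocol). It contrasts a reader that only compares IDs with a card and reader that prove knowledge of a shared key over fresh random nonces; HMAC-SHA256 stands in for the card's real cipher, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def mac(key, label, nonce):
    # HMAC-SHA256 is a stand-in for the card's real cipher (assumption).
    return hmac.new(key, label + nonce, hashlib.sha256).digest()

def legacy_reader_accepts(received_id, allowed_ids):
    # Legacy check: the transmitted ID is the only evidence presented.
    return received_id in allowed_ids

class KeyedCard:
    def __init__(self, card_id, key):
        self.card_id, self._key, self._nonce = card_id, key, None
    def challenge(self):
        self._nonce = secrets.token_bytes(16)
        return self._nonce
    def respond(self, reader_proof, reader_nonce):
        # The card checks the reader first, then proves itself.
        nonce, self._nonce = self._nonce, None  # card nonce is single use
        expected = mac(self._key, b"reader", nonce or b"")
        if nonce is None or not hmac.compare_digest(expected, reader_proof):
            return None
        return mac(self._key, b"card", reader_nonce)

class KeyedReader:
    def __init__(self, keys_by_id):
        self._keys = keys_by_id
    def prove(self, card_id, card_nonce):
        key = self._keys.get(card_id, b"")
        return mac(key, b"reader", card_nonce), secrets.token_bytes(16)
    def accepts(self, card_id, reader_nonce, card_proof):
        key = self._keys.get(card_id)
        if key is None or card_proof is None:
            return False
        return hmac.compare_digest(mac(key, b"card", reader_nonce), card_proof)

def run_demo():
    card_id = "CONSTRUCTED-0001"  # constructed sample ID
    copied = legacy_reader_accepts(card_id, {card_id})  # a copy sends the same ID
    key = secrets.token_bytes(16)
    card, reader = KeyedCard(card_id, key), KeyedReader({card_id: key})
    proof_r, nonce_r = reader.prove(card_id, card.challenge())
    proof_c = card.respond(proof_r, nonce_r)
    genuine = reader.accepts(card_id, nonce_r, proof_c)
    _, fresh = reader.prove(card_id, card.challenge())
    replayed = reader.accepts(card_id, fresh, proof_c)  # old proof, new nonce
    return copied, genuine, replayed
```

`run_demo()` returns `(True, True, False)`: the ID-only reader accepts any device that sends the ID, while a proof captured from one keyed exchange is rejected on the next because the reader's nonce has changed.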
What Building Managers Should Do Now
Start with an audit. Find out what card technology you are currently running. If you do not have that documentation, your access control installer should be able to tell you — or we can assess it during a site visit at no cost.
If you are running 125kHz proximity cards or MIFARE Classic, treat this as a priority. An upgrade does not necessarily mean replacing your entire system. In many cases, replacing the readers and re-issuing encrypted cards is sufficient. The door hardware, cabling, and back-end software may stay in place.
Set a timeline. Legacy access control vulnerabilities are not theoretical. The tools to exploit them are widely available and require no specialist knowledge. A site that is still running HID Prox cards today has an open door — it just has not been walked through yet.
Book a Free Access Control Site Survey
Slam Systems designs, installs, and maintains access control systems for hotels, offices, and commercial premises across London, Surrey, Kent, Buckinghamshire, and Middlesex. We are Paxton-certified installers and work exclusively with our own in-house engineers — no subcontractors.
If you are unsure what technology your building is running, or you know it is time to upgrade, we will survey your site, assess your current risk profile, and give you a clear recommendation. There is no charge for the survey and no obligation.
Book your free site survey at slamsystems.co.uk/contact