technerd

Reputation: 21

Door unlocking with NFC on iOS and Android smartphones; Reading UID of NFC chip

I came across this discussion, "Get Static NFC Tag Id with HCE mode", and I have some questions on how NFC technology works in card emulation mode on smartphones, particularly when it comes to unlocking doors.

How do iPhone devices differ from Samsung devices in this regard? The phone models I am mostly interested in are iPhone 13, Samsung Galaxy S21 and Samsung Galaxy A32.

  1. Does an NFC-enabled smartphone need an application in order to emulate a card that opens a door?
  2. Is the UID of the secure element of the NFC chip in the phone static or dynamic?
  3. When using an application that emulates a card, is the UID read by the reader a UID specific for that card or is it the same as the UID of the NFC chip in the smartphone?
  4. If “the device generates a new random UID whenever it is turned on” does that mean that we can emulate more than one card with the same UID?
  5. Can a smartphone copy the content of a tag (key) and then emulate it?
  6. What security measures need to be added to a door-unlocking system relying on the UID of an NFC chip?

Upvotes: 2

Views: 11813

Answers (1)

Andrew

Reputation: 10232

First off, an NFC UID is not designed to be unique or have any level of security attached to it. It just has to be likely to be different when multiple Tags are in range.

Thus a lot of phones now generate a random UID as a security feature to prevent its use in tracking phones.

Some Tag types have programmable UIDs, or where not normally programmable there are clones available with programmable UIDs.

So forget about using UIDs for a door lock.

But to try and answer your questions:

  1. Yes and No. Both iPhones and Android phones have built-in software (usually in the secure element) to emulate Tags, but that software is very restrictive in what it will emulate (mostly credit cards and loyalty cards).

There are companies like Passkit that have commercial solutions that work with the built-in software.

But as a normal developer on iPhone you don't have access to this. On Android it allows you to emulate the behaviour of a Type 4 Tag (you need an app to provide this functionality and install the service, but it does not need the app to be running for it to work).

  2. UID is not something the secure element usually does and the UID is mostly dynamically generated. The secure element mostly handles emulation of AIDs (Application IDs) of Type 4 Tags.

  3. UIDs are mostly randomly generated as explained before.

  4. Mostly UIDs are unimportant to Tag emulation, therefore you can emulate more than one Type 4 Tag (having Tags with the same AID is more difficult but you are less likely to have that).

  5. If the data is freely readable or it has the necessary password and/or decryption keys then yes, it can read a tag and copy the data. And emulate it if it is a Type 4 Tag. (Not all Tags are Type 4.)

  6. Lots of security measures need to be added and it is quite difficult/impossible to actually make a secure NFC door lock (yes, you can make it more difficult to hack but never impossible; there are too many ways, like "man in the middle" type attacks, custom hardware, even rooted Android phones).

You can also reverse your thinking, and it's the door lock that emulates the Tag and the phone just needs to be an NFC reader/writer, which all NFC-enabled phones can do.

Or more common is to use Bluetooth in the door lock, as that is more ubiquitous in phones.

Upvotes: 2
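
The AID-based routing the answer describes for Type 4 Tag emulation, modelled in Python as an added example (not code from the question, the answer or Android): the reader sends an ISO 7816-4 SELECT for an AID and the phone answers from whichever registered application owns it, while the UID changes on every tap. The AIDs, the `EmulatedPhone` class and the payloads are constructed for illustration.

```python
import os

SW_OK = bytes.fromhex("9000")         # ISO 7816-4: command succeeded
SW_NOT_FOUND = bytes.fromhex("6A82")  # ISO 7816-4: file or application not found
SW_REJECTED = bytes.fromhex("6F00")   # ISO 7816-4: no precise diagnosis

# Constructed sample AIDs (the F0 prefix is the proprietary, unregistered range).
AID_OFFICE = bytes.fromhex("F0010203040506")
AID_GARAGE = bytes.fromhex("F0A1A2A3A4A5A6")

def build_select_aid(aid: bytes) -> bytes:
    """Reader side: SELECT by name = CLA 00, INS A4, P1 04, P2 00, Lc, AID, Le."""
    if not 5 <= len(aid) <= 16:
        raise ValueError("an ISO 7816-4 AID is 5 to 16 bytes long")
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"

def parse_select_aid(apdu: bytes):
    """Phone side: return the AID carried by a SELECT-by-name APDU, else None."""
    if len(apdu) < 5 or apdu[:4] != bytes([0x00, 0xA4, 0x04, 0x00]):
        return None
    lc, body = apdu[4], apdu[5:]
    if len(body) not in (lc, lc + 1):  # the trailing Le byte is optional
        return None
    return body[:lc]

class EmulatedPhone:
    """Hypothetical model: one NFC radio, several applications registered by AID."""
    def __init__(self, services):
        self.services = dict(services)  # AID -> bytes returned on SELECT

    def enter_field(self) -> bytes:
        # A fresh 4-byte UID per tap; ISO 14443-3 flags random UIDs with 0x08.
        return b"\x08" + os.urandom(3)

    def transceive(self, apdu: bytes) -> bytes:
        aid = parse_select_aid(apdu)
        if aid is None:
            return SW_REJECTED
        if aid not in self.services:
            return SW_NOT_FOUND
        return self.services[aid] + SW_OK

def tap(phone, aid):
    """One reader transaction: returns (uid, payload, status_word)."""
    uid = phone.enter_field()
    resp = phone.transceive(build_select_aid(aid))
    return uid, resp[:-2], resp[-2:]

PHONE = EmulatedPhone({AID_OFFICE: b"office-app", AID_GARAGE: b"garage-app"})
```

The payload here only shows which application answered the SELECT; AID selection is routing, not authentication.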
