Door security (Desfire?)


I was going to “just buy an implant and secure my home with it”, so I did a little research and at the moment I feel like there isn’t any other way than complete DIY to unlock/open doors at my home if I take security into account.

Most solutions (NFC keypads, locks, doorknobs, door handles,…) just seem to read the card (or implant) ID and unlock if the ID matches the expected ID ( = the card is in the system). So anyone who ever scans my implant (or backup card) will have access to my flat. I’m not saying that this is a HUGE deal, but I personally would like my door to be a bit more secure than that.

The only other way I found possible is to use Desfire implant/cards so that the communication is encrypted (edit: and using it properly; I’m aware that the card itself doesn’t “provide security”). This seems like a no-brainer to me, but I haven’t found ANY solution that works like that and that would be integrate-able with OSS smart home solutions like Home Assistant or OpenHAB.

So my questions are:

  • I’m I completely blind to something obvious, and the majority of solutions are actually secure?
  • Is there ANYTHING commercially available, that is secure and usable (and something that I wouldn’t need to sell my kidney for)?

At the moment I’m at the last “turning point” before I’m gonna start building a custom product with security and OSS as priorities. I would love to not do that because I know that it will be hard as hell (actually manufacturing the thing).

I’m from Czechia (EU), but if you have US (or other) products/examples, please post them as well. Thank you!

To be clear, use of a desfire chip doesn’t automatically mean anything about security. Unfortunately. Yes you can create files (called applications, but they are just files) on the chip which use AES or DES to protect access to the content, but this is only protecting access.

Channel encryption… protecting the communication between reader and chip… that is a mode that must be explicitly selected and negotiated by the reader and chip.

Bottom line… security is about implementation as much as it is about capabilities. Your car door has a lock in it but it’s useless if you don’t lock it. So many security failures are not for lack of capability.


Thanks for the reply!

To be clear, use of a desfire chip doesn’t automatically mean anything about security.

Yes, I know that (and I actually wrote something like that in the OP and then decided to remove it so that it isn’t unnecessarily long :smile: )

Bottom line… security is about implementation as much as it is about capabilities.

Exactly! So … is there anything with a good (= secure) implementation? :smiley:

As of now, I think there isn’t (other than proprietary systems for securing factories, offices, and stuff like that where clients can afford to pay insane amounts of money for such a basic thing like encryption), but I’d love to be proven wrong (JUST LET ME BUY SOMETHING THAT WORKS FOR F*** SAKE :joy:).

Possibly… I’ve had to do some conversions for people of a desfire based keyfob for a home door lock before… but… somehow I doubt it was for security reasons they used desfire. Chances are they chose it to enable an entrapment model to force customers to have to buy additional keyfobs from them exclusively… so I don’t know if the channel was secured or what.

Problem is… I can’t remember what the damn lock was called. I’ll update if I remember.

1 Like

Actually I think it was some sort of lock from Salto… but depends on the lock model because I’ve definitely seen Salto locks that just do mifare classic ID based too.

Most burglaries are done either due to homeowner negligence (unlocked or open doors or windows) or by physically damaging the building to gain entrance.

I am not excusing the locking mechanisms used here, but trying to point out that you can spend a lot of money devising the most secure door and someone will break your window. Most NFC enabled locks could be more secure by removing the backup cylinder that they contain. But people want that mechanical backup reassurance.

I don’t even think that most commercial access control systems do more than check some sort of some ID.


Yeah, you are right. I just don’t feel that this is enough for me (I’m simply afraid of a smarter burglar who will find out that I’m not exactly poor and that he can open my door any time he wants just by standing near me in the elevator some day in the past). Maybe it’s my “unique” situation that I’m trying to secure a flat and the only entrance is the door or a wall (last floor of 10 floor building, the only other neighbor on the floor is my close friend).

Most NFC enabled locks could be more secure by removing the backup cylinder that they contain.

Yes, this bugs me as well :smiley: I think I’ll go with “having the most secure cylinder money can buy” and “never ever having the physical key with me, and only storing it somewhere safe”. I’d love to not have that weak link there, but I can’t think of any other backup that would work. I mean I can provide battery pack for the lock/reader/server, but still if the motor gets stuck, I’m done. That’s the only reason why I want the backup :confused:

Have you seen Unifi access? That supports desfire :slightly_smiling_face: just requires a bit of installation but it’s not difficult by any means


No, I did not :slight_smile: Thanks! It looks great (like all Ubiquity products I would say) but it has a few drawbacks for me, particularly that it controls the lock directly (via relay or whatnot). That would mean that I would have to buy a new door that has an electric lock. I had that calculated and it would be something like 6,400 USD (great prices here in Czechia, lol), so I decided I’ll have to make it work with “August/Nuki”-like lock. And then … after a quick search … I don’t think that Unifi could be integrated into the rest of the smart home system (Home Assistant, openHAB).

What about a 2FA
One HF lock and one LF lock

Not impossible for somebody with a “grabber” to get, but less likely they would get both, as they would need to know to “look” for both, and have a grabber for both.

You could require to scan the LF reader first, which powers the HF…

You could hide the location of the LF reader, so only you know…

Just some quick thoights


2FA is certainly an option. There are products on aliexpress which are readers built into keypads. They can be stand alone or function as a reader to a controller. Having to enter a PIN as well as present a card or implant might be more effective. Just be careful that you don’t get something which can be factory reset by unscrewing and shorting the external reader/keypad.


I don’t want to rain on anyone’s parade about ubiquiti/unifi but you might want to read this Twitter thread …

1 Like

lol I love how simple this idea is and how elegant the solution could be with with NeXT implant :smiley: It’s almost like “security” of the first Mifare cards - “let’s hope no one figures that out”, but way more elegant and creative :smiley:

Yeah, that would be Good Enough™ for most people…I don’t want to waste time. From a security point of view, I think it would be adequate…it just fails the convenience bar for me.

Oh man, I was quite sure that Ubiquity will be my future WiFi solution and all, but now I’m a bit skeptical. Thanks for the link, it definitely is something to look out for.


any update?

maybe with the soon available Apex?

I currently use UniFi Access with my Flex DESFire arm implant. I use the magic ring as well.

UniFi cards have two antennas and chips inside. I haven’t checked if both get used, if one is LF etc.

I swapped my exterior doors with commercial storeroom locksets and installed AdamsRite fail-secure electric strikes. Worth it, but it was a lot of work.

You can always use a drop of super glue if you want to permanently disable the mechanical cylinder. Or maybe take the whole thing apart to see if there’s a less permanent solution for a particular lock?

Can you use any Desfire or do still have to buy their cards if you want the additional security?

Also, don’t forget that some all-in-one keypads place the relay outside and are terribly insecure.

You can use any desfire you want, but it will use UID only, unless you use one of their unifi access cards (or a flexUnifi conversion :wink:)


Looks like that silly Tomogotchi dolphin will be able to hack my door. Well shucks.

Edit: I could be wrong but it seems after erasing my implant, and having a successful door unlock, I can determine an encrypted key isn’t actually being saved to the implant. The manufacturer of my access reader, could be gently pushed at supporting the latest NFC security standards including AES-128 encrypted MIFARE DESFire (not only on their own cards, but also on third party access cards and implants).

Well, it had been requested a while back to collaborate with them in making a javacard applet for the apex, but unfortunately it seems they only want people to use their cards if you want to use more than UID only in securing your lock.