Access Cards on Construction Sites: Why MIFARE Classic Is Insecure and How Secure Encryption Works

Christopher Sura · Thursday, March 12, 2026 · 7min
Copying Access Cards? Why MIFARE Classic Is a Security Risk on Construction Sites

Access cards are part of everyday life on construction sites. Yet very few people know that most access cards can be copied in seconds – with devices costing less than 50 euros.

Whether for digital access control at turnstiles, doors or barriers – anyone who uses construction site passes without paying attention to the underlying encryption technology risks unauthorized access, theft and manipulation of attendance records. UID-based access cards and MIFARE Classic cards can be copied in seconds – with freely available devices costing less than 50 euros.

In this post, we explain why UID readout and MIFARE Classic pose a security risk and how a modern, encrypted access control solution for construction sites based on MIFARE DESFire EV3 completely eliminates this problem.

Copying Access Cards: Why UID-based RFID Cards Are Insecure

Most simple access systems merely read out the UID (Unique Identifier) of a card – a permanently burned-in serial number assigned during manufacturing. The problem: this UID is transmitted unencrypted with every read operation. No authentication takes place between card and reader.

In concrete terms, this means:

  • Any NFC-capable smartphone can read out the UID of an access card in a matter of seconds.
  • UID cloners are available online from around 30 euros and create a fully functional copy on a blank card.
  • The access system cannot distinguish whether it is dealing with the original card or a copy.

On a construction site, this means: any person who comes even briefly within range of an access card can gain access unnoticed. Unauthorized persons, theft of building materials and manipulation of attendance records are the consequences.

MIFARE Classic Cracked: Why These Access Cards Offer No Security

Many providers rely on MIFARE Classic cards and advertise them as “secure” because, unlike pure UID readout, they offer encryption. But this security is deceptive.

MIFARE Classic uses the proprietary Crypto-1 algorithm, which was fully cracked back in 2008. Since then, several attack methods have been publicly documented:

  • Darkside attack: Enables the keys to be read out even if not a single sector key of the card is known.
  • Nested attack: If one key is known (e.g. the factory default), all other keys can be calculated within a few minutes.
  • Hardnested attack: Also works with individually set keys and only requires a Proxmark or Flipper Zero device.

Important to know:

All tools for cloning MIFARE Classic cards are freely available and require no expert knowledge. A Flipper Zero costing around 200 euros is enough to fully copy MIFARE Classic cards within a few minutes.

The result: MIFARE Classic no longer offers any meaningful security and is simply unsuitable for use in access control on construction sites, where hundreds of people come and go.

Forgery-Proof Access Cards: How MIFARE DESFire EV3 Encryption Works

Bausicht relies on MIFARE DESFire EV3 – the current industry standard for highly secure contactless access cards. In contrast to MIFARE Classic, DESFire EV3 is based on the AES-128 encryption standard, which is also used in banking and by government agencies.

The decisive security features:

  • Mutual authentication: Card and reader authenticate each other before any data is exchanged. Simple readout or eavesdropping is thereby ruled out.
  • Encrypted communication: All data between card and reader is transmitted AES-encrypted. Intercepting the radio link yields only unusable data.
  • Diversified keys: Each individual card receives a unique, card-specific key. Even if an attacker were to succeed in extracting the key of a single card, no other card would be compromised.

What does Key Diversification mean?

In key diversification, a one-of-a-kind card key is derived from a secret master key and card-specific information (e.g. the UID) using NIST-compliant algorithms. The master key never leaves the Secure Access Module.

The procedure ensures that:

  • No card key is identical to any other – even with thousands of cards in the system.
  • The master key is never exposed – neither on the card nor in the reader.
  • A copy of an access card is impossible, since the card key cannot be extracted from the card.
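
Added example, not Bausicht's code: the page does not name the derivation algorithm, so this sketch assumes the NIST SP 800-108 counter-mode KDF with HMAC-SHA-256 and uses an HMAC challenge-response in place of DESFire's AES-based mutual authentication. It shows why a copied UID passes a UID-only check but fails once the reader demands proof of the diversified card key; the label, the sample UIDs and the in-memory master key are assumptions for illustration (in the architecture described, the master key stays inside the SAM).

```python
import hashlib
import hmac
import os

def kdf_ctr_hmac(master_key: bytes, label: bytes, context: bytes, length: int = 16) -> bytes:
    """NIST SP 800-108 KDF in counter mode with HMAC-SHA-256 as the PRF."""
    out, counter = b"", 1
    out_bits = (length * 8).to_bytes(4, "big")
    while len(out) < length:
        block = counter.to_bytes(4, "big") + label + b"\x00" + context + out_bits
        out += hmac.new(master_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def card_key(master_key: bytes, uid: bytes) -> bytes:
    # The label is an assumed system-wide constant; the UID is the per-card input.
    return kdf_ctr_hmac(master_key, b"site-access-card", uid)

class Card:
    """Stand-in for a card: a public UID plus a key that never leaves the card."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self._key = uid, key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

def uid_only_check(allowed_uids: set, card: Card) -> bool:
    # What a UID-readout system does: no proof of key possession at all.
    return card.uid in allowed_uids

def key_based_check(master_key: bytes, card: Card) -> bool:
    # Re-derive the expected card key from the presented UID, then demand a
    # MAC over a fresh random challenge so a recorded answer cannot be replayed.
    challenge = os.urandom(16)
    expected = hmac.new(card_key(master_key, card.uid), challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.respond(challenge))

# Constructed sample values, not real keys or card numbers.
MASTER = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
UID_A, UID_B = bytes.fromhex("04a1b2c3d4e5f6"), bytes.fromhex("04a1b2c3d4e5f7")
genuine_a = Card(UID_A, card_key(MASTER, UID_A))
same_uid_no_key = Card(UID_A, os.urandom(16))       # UID copied, key unknown
b_key_as_a = Card(UID_A, card_key(MASTER, UID_B))   # card B's key under UID A

if __name__ == "__main__":
    for name, c in [("genuine", genuine_a), ("uid copy", same_uid_no_key), ("B key as A", b_key_as_a)]:
        print(f"{name:11} uid-only={uid_only_check({UID_A}, c)} key-based={key_based_check(MASTER, c)}")
```

All three sample cards pass the UID-only check; only the genuine card passes the key-based check, including when another card's valid key is presented under the wrong UID.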

Secure Access Module (SAM) – Tamper-Proof Key Storage for Your Access Control

A central element of our security architecture is the Secure Access Module (SAM AV3) – a tamper-proof cryptographic chip with EAL5+ certification. This module is used both in the USB card reader on the PC and in the access controllers at the construction site.

The SAM handles the following tasks:

  • Secure key storage: The master keys are stored exclusively in the SAM and never leave it – even in the event of a physical attack on the reader.
  • Cryptographic operations: All encryption and decryption processes take place directly in the SAM. The key is never stored in the working memory of the controller or PC at any time.
  • Tamper protection: The EAL5+ certification confirms that the chip is protected against physical attacks (side-channel attacks, probing, fault injection).

Even if an attacker dismounts an access reader from the wall and completely disassembles the device, they cannot read out the stored keys.

Encrypted Access Control on the Construction Site: From Card to Server

Security does not end at the access card. Bausicht ensures a fully encrypted communication chain from the moment the card is read to processing on the server:

1. Card → Reader (contactless)

Communication between the MIFARE DESFire EV3 card and the reader takes place via an AES-128 encrypted session with mutual authentication. Eavesdropping or replay attacks are ruled out.

2. Reader → Controller (OSDPv2 Secure Channel)

The reader communicates with the access controller via the OSDPv2 protocol with Secure Channel. OSDPv2 is the successor to the outdated Wiegand protocol and offers:

  • AES-128 encrypted data channel between reader and controller
  • Mutual authentication of reader and controller
  • Protection against tampering, replay attacks and man-in-the-middle attacks

Good to know:

The outdated Wiegand protocol, which is still used in many access systems, transmits data unencrypted. With a simple Wiegand sniffer costing around 20 euros, card data can be intercepted directly at the cable – without any access to the card itself.

3. Controller → Server (TLS)

Communication from the access controller to the Bausicht server takes place via a TLS-encrypted connection. All access data is transmitted encrypted and securely processed on the server.

Creating Secure Construction Site Passes: Plug & Play Despite Critical Infrastructure Security Standards

Despite this extensive security architecture, the setup is remarkably simple for you as a customer. Bausicht provides a Microsoft Windows app as well as a Chrome browser plugin, with which you can assign new access cards in encrypted form within seconds:

  • Connect the USB card reader with integrated SAM to the PC
  • Open the Bausicht app or Chrome plugin
  • Select the employee and place the card on the reader – done

The entire key derivation, encryption and card writing process runs automatically in the background. You need no expertise whatsoever in cryptography or IT security. The system performs all security-relevant steps fully automatically.

Summary: Secure Access Control for Construction Sites at a Glance

| Component | Technology | Security Level |
|---|---|---|
| Access card | MIFARE DESFire EV3 | AES-128, card-specific keys |
| Key storage | Secure Access Module (SAM AV3) | EAL5+ certified, tamper-proof |
| Card ↔ Reader | DESFire Secure Messaging | AES-encrypted, mutual authentication |
| Reader ↔ Controller | OSDPv2 Secure Channel | AES-128 encrypted, bidirectionally authenticated |
| Controller ↔ Server | TLS | End-to-end encrypted |
| Card assignment | Windows app / Chrome plugin + USB reader with SAM | Plug & Play, theft-proof |

In contrast to UID-based or MIFARE Classic systems, Bausicht offers a seamlessly encrypted access control solution for construction sites in which copying an access card is impossible. At the same time, operation remains as simple as with any other system – just secure.

Ideal for Critical Infrastructure Projects and High-Security Areas

Bausicht’s fully encrypted security architecture is suitable not only for conventional construction sites, but is particularly well suited to critical infrastructure projects and high-security areas. Wherever the highest demands are placed on access control, our system provides the necessary security foundation:

  • Data centers: Operators of critical IT infrastructure are subject to strict requirements under IT security legislation and the NIS-2 Directive. Forgery-proof access control with AES-256 encryption and tamper-proof SAM modules meets these requirements.
  • Military facilities: During the construction and maintenance of military installations, access is strictly regulated. Card-specific keys and EAL5+-certified cryptographic chips ensure that no unauthorized access is possible.
  • Banks and financial institutions: From the construction of a new bank branch to the conversion of a vault room – the combination of DESFire EV3, OSDPv2 Secure Channel and TLS encryption meets the security standards of the financial industry.
  • Energy supply and utility infrastructure: Power plants, substations and waterworks are among the most sensitive areas of public services. Access control that rules out card copies is indispensable here.

Good to know:

Bausicht’s access control meets the security requirements of the German BSI baseline protection (BSI-Grundschutz) and is suitable for projects subject to critical infrastructure regulations and the NIS-2 Directive.

Secure Access Control for Your Construction Site with Bausicht

Would you like to secure your construction site or critical infrastructure project with forgery-proof access cards based on MIFARE DESFire EV3? With Bausicht’s digital access control, you get a fully encrypted solution – from card to server. See for yourself and test it free for 14 days!
