Security Analysis: A Closer Look at the CAME Entrotec ETAG-HF Key Fob

by

Security Analysis: A Closer Look at the CAME Entrotec ETAG-HF Key Fob

CAME ENTROTEC ETAG-HF

Introduction

In the world of physical access control, the security of key fobs is paramount. Manufacturers often highlight advanced features like encryption and specific radio frequencies to assure customers of their product’s integrity. This article examines the CAME Entrotec ETAG-HF key fob, comparing its advertised security claims with practical findings from a hands-on scan. The goal is to educate users on RFID security and the importance of verifying claims, not to disparage the manufacturer.

A crucial disclaimer: The key fob analyzed in this article is my own, used for my home access system. No unauthorized scanning or cloning of others’ property was conducted. This analysis is for educational and informational purposes only.

About CAME Entrotec

CAME Entrotec is a established player in the access control market, known as a “trusted pioneer and leading manufacturer of door entry solutions” in the UK residential and commercial sectors. They design and supply a wide range of products aimed at various housing environments, positioning themselves as a provider of secure and compliant solutions.

Advertised Claims for the ETAG-HF

According to the official product page, the ETAG-HF key fob makes several specific security and technical claims:

· Compliance & Frequency: ISO/IEC 14443 Type A, operating at 13.56 MHz (High Frequency/HF).
· Security Feature: “Encryption Protects Against Cloning.”

These specifications would typically describe a tag like a MIFARE chip, which operates at 13.56 MHz and can incorporate cryptographic authentication.

Testing Methodology & Findings

To verify these claims, I scanned my own ETAG-HF fob using a standard NFC/RFID reader application on a smartphone, a common tool for identifying tag types.

The results were surprising and directly contradicted the advertised specifications:

  1. Frequency Discrepancy: The reader detected the tag as Low Frequency (LF), not High Frequency (HF).
  2. Chip Identification: The software identified the chip as an EM410X (64-bit) device.
  3. Data Exposure: The tag’s unique identifier (UID) was displayed in plain text with no authentication required.

Technical Analysis: What EM410X Means for Security

The findings point to a significant security implication. The EM410X is a well-known 125 kHz Low Frequency RFID chip. Unlike modern HF chips that can support encryption, EM410X tags have no built-in security mechanisms:

· No Encryption or Authentication: The chip does not rely on any advanced authentication. It broadcasts its UID in the clear every time it is powered by a reader.
· Easy to Clone: As noted in security resources, “Cloning the card ID is enough to replicate the card” for EM410X tags. This can be done cheaply with widely available cloner devices.
· Outdated Technology: This chip type is considered legacy technology and is notoriously insecure for access control purposes where cloning resistance is needed.

The claim of “Encryption Protects Against Cloning” is inherently incompatible with the operational design of an EM410X chip, which lacks any cryptographic capability.

Background: NFC/RFID Security Basics

To understand the discrepancy, it’s helpful to know the basics:

· Low Frequency (LF – 125 kHz): Tags like EM410X and HID Prox have longer range but very simple functionality. They are primarily ID transmitters with no security features like encryption, making them highly vulnerable to cloning.
· High Frequency (HF – 13.56 MHz): This includes NFC standards and chips like MIFARE. HF tags can have memory sectors, support cryptographic protocols (e.g., MIFARE DESFire), and require authentication before data access, making them far more secure against casual cloning.

The difference between LF and HF is fundamental and not interchangeable—a tag cannot be both.

Implications and Discussion

The gap between the advertised HF/encrypted tag and the detected LF/EM410X tag creates several concerns:

  1. Misleading Specifications: Users and installers may believe they are deploying a system with a higher level of security than actually exists.
  2. Real-World Risk: A key fob based on EM410X can be cloned in seconds by anyone with brief physical access to it, compromising the access point it controls.
  3. Vendor Trust: Such a fundamental mismatch between claim and reality can erode confidence in product documentation and the overall security posture of a solution.

It is unclear if this discrepancy is due to a product mislabeling, a batch error, or an issue with the specific fob obtained. However, the finding underscores a critical point: claimed security features must be independently verified.

Recommendations for Users and Installers

  1. Verify Your Own Tags: Use a basic NFC tool on your phone to check the chip type in your own access control fobs. Look for identifiers like “MIFARE Classic,” “DESFire,” or “NTAG” for HF, and be wary of “EM410X” or “HID Prox” for LF.
  2. Demand Transparency: When purchasing access control systems, ask vendors for detailed technical specifications and evidence of security claims.
  3. Consider Upgrading: If your system relies on LF technology like EM410X, discuss upgrading to a modern, cryptographically-secure HF system with your security provider.
  4. Physical Security Matters: Regardless of the technology, treat key fobs like physical keys. Limit their exposure and report losses immediately.

Conclusion

Independent verification is a cornerstone of security. The analysis of the CAME Entrotec ETAG-HF key fob revealed that the physical device operated as a low-frequency, easily-clonable EM410X chip, which contradicts its advertised high-frequency, encryption-protected specifications.

This case serves as a valuable reminder for all stakeholders in physical security—homeowners, building managers, and installers alike. Do not take security claims at face value. A simple, self-conducted check can reveal the true technology in use and help make informed decisions to protect people and property.