Yes — 125kHz EM4100 fobs (the cheap blue or white fobs common in apartments and gyms) can be cloned in under 10 seconds with a $15 duplicator. They have no encryption and broadcast a fixed ID that any duplicator can copy. 13.56MHz fobs with proper encryption (MIFARE DESFire EV2, HID iCLASS SE) cannot be practically cloned. If you're in a building and not sure which type you have, assume it's clonable unless you know otherwise.
The Two Types — and Their Security Gap
| Fob Type | Frequency | Encryption | Can Be Cloned? | Cost per 100 |
|---|---|---|---|---|
| EM4100 (generic) | 125kHz | None | Yes — trivially | ~$25 |
| HID Prox | 125kHz | None | Yes — easily | ~$80 |
| MIFARE Classic | 13.56MHz | Weak (48-bit) | Often yes | ~$40 |
| MIFARE DESFire EV2 | 13.56MHz | AES-128 | No | ~$80 |
| HID iCLASS SE | 13.56MHz | AES-128 | No | ~$100+ |
| HID SEOS | 13.56MHz | AES-128 + PKI | No | ~$120+ |
How 125kHz Fob Cloning Works
A 125kHz EM4100 fob is essentially a read-only barcode in radio form. When brought near a reader, the reader's antenna energises the fob chip, and the chip broadcasts its fixed ID number — the same number, every single time, with no challenge and no cryptographic proof of identity.
A $15–$20 RFID duplicator works exactly the same way: it energises the fob and reads the ID. It then writes that ID to a blank T5577 writable fob card. The clone is electronically indistinguishable from the original because both broadcast the same static number — and the reader has no way to tell them apart.
The entire process takes about 8 seconds and requires no technical knowledge whatsoever.
How Building Managers Should Respond
Identify what fob technology you're running
Check the model number on your RFID readers. If they say "Prox", "125kHz", or show EM4100 compatibility only, you're running clonable fobs. If your readers show "iCLASS", "DESFire", "SEOS", or "13.56MHz", check the specific card format — MIFARE Classic is still partially vulnerable.
Enable access logging
Any networked access control system should log every entry event with a timestamp and fob ID. If you have logging, review it periodically for anomalies — the same fob ID used within minutes at two different locations is a strong indicator of a clone in use.
Delete lost fobs immediately
Establish a policy requiring occupants to report lost fobs within 24 hours. Delete the lost fob ID from the system the same day and issue a replacement. A lost fob that stays active in the system is a standing vulnerability.
Upgrade to encrypted fobs
For buildings where security matters — healthcare, offices handling sensitive data, high-value residential — upgrade to MIFARE DESFire EV2 or HID iCLASS SE. This requires replacing both the readers and the fobs, but eliminates trivial cloning risk entirely. Costs $40–$80 per door for readers plus $0.80–$1.50 per fob at scale.