In particular, I know UniFi cards rotate keys. So you can’t simply clone them with a Flipper, and this also means third-party cards don’t work. By default, this is true, but you can turn it off, as mentioned in the article.
Does this mean that the other systems’ cards are easily cloned? This seems very insecure, if so.
Broadly, yes, almost all NFC-based access systems are insecure and pretty broken. They mostly operate via security through obscurity, and the fact that anyone serious about security who deploys these systems will put a huge amount of effort into identifying one of the actually secure systems. More likely they will pair the NFC element with multiple other secure elements, such as photo badges, big security humans who demand people keep their badges visible, and card + PIN entry on all important access points.
A big part of the reason why these Apple Wallet systems have taken so long to appear is because Apple seems to refuse to integrate with any system that isn’t built using secure cryptography. Turns out there aren’t many systems out there that use strong cryptography, rather than cryptographic systems that have been broken for decades.
Actually getting information on how any particular system actually provides its “security” is extremely difficult. Mostly you have to figure it out by being familiar with the different systems out there, and the different NFC systems. Then it’s possible to parse the marketing terms into actual technical specifications that might give a hint at how a system works. The only sure-fire way to find out is to buy parts of the system (such as access tokens or readers) and evaluate the hardware using various NFC and RFID hacking tools to figure out what manner of awful design this particular system uses.
UniFi has support for this, but seemingly not by default.
This solution also doesn’t allow you to clone an existing card. You actually need the admins to add the UID of your Chinese transport card to their system.
No, basically all stored-value/transit cards and access cards use cryptographic two-way authentication, and for newer ones, the algorithms used are even decent (AES, 3DES etc.)
Essentially all old MIFARE Classic cards can be cloned with little effort these days, and some older access control and transit payment systems are still using these, but modern cards are much more robust.
Even if you have a system which is more secure than UID-only (i.e. not at all), e.g. using DESfire EV1/EV2 (and assuming they use it correctly) to have a non-trivially clonable access token, 99.9% still use what the industry calls "non-transparent readers" (simply because "transparent readers" were invented in like 2023), which is to say the actual card/NFC reader out in the insecure area has the DESfire master key in it and performs the challenge/response and only reports the decoded UID back to the access controller over some wires. Which is obviously completely insecure and open to all sorts of tampering. The physical access industry puts tamper contacts on the card readers for this reason.
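As an added illustration of the "non-transparent reader" point made in the comments above (this is example code written for this page, not the thread author's code and not any vendor's implementation): the simulation below has a card with a secret key, a field reader that holds the same key, does the challenge/response, and then puts only a plain 26-bit Wiegand frame on the wire to the controller; an attacker spliced into that cable can forge or replay the frame without ever touching the key. The second half moves the key to the controller ("transparent" reader that only relays), so what crosses the wire is bound to a fresh challenge and replay fails. Assumptions: HMAC-SHA256 truncated to 8 bytes stands in for DESFire's AES/3DES mutual authentication, 26-bit Wiegand is assumed as the reader-to-controller format, and the key, facility code and card number are constructed values.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

# Constructed example key (not a real site key). Stands in for the DESFire
# application key that a non-transparent reader has to carry out in the field.
SITE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def tag(key: bytes, data: bytes) -> bytes:
    """8-byte MAC, a stand-in for the card's AES/3DES challenge-response."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Card:
    """Credential holding a secret key: a UID-only read is not enough to clone it."""

    def __init__(self, facility: int, number: int, key: bytes):
        self.facility, self.number, self.key = facility, number, key

    def authenticate(self, challenge: bytes) -> Tuple[bytes, bytes]:
        """Answer a reader challenge with (card_nonce, proof bound to that challenge)."""
        card_nonce = os.urandom(8)
        return card_nonce, tag(self.key, challenge + card_nonce)


def wiegand26(facility: int, number: int) -> str:
    """26-bit Wiegand frame as a bit string: even parity, 8-bit facility, 16-bit number, odd parity."""
    body = f"{facility:08b}{number:016b}"
    even = str(body[:12].count("1") % 2)
    odd = str(1 - body[12:].count("1") % 2)
    return even + body + odd


def parse_wiegand26(frame: str) -> Optional[Tuple[int, int]]:
    """Parity-check a frame and return (facility, number), or None if malformed."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        return None
    if frame[:13].count("1") % 2 or frame[13:].count("1") % 2 == 0:
        return None
    return int(frame[1:9], 2), int(frame[9:25], 2)


class NonTransparentReader:
    """Field reader: holds SITE_KEY, runs the crypto, and emits only the decoded ID on the wire."""

    def __init__(self, key: bytes):
        self.key = key

    def present(self, card: Card) -> Optional[str]:
        challenge = os.urandom(8)
        card_nonce, proof = card.authenticate(challenge)
        if not hmac.compare_digest(proof, tag(self.key, challenge + card_nonce)):
            return None  # clone with the wrong key is rejected here, at the reader
        return wiegand26(card.facility, card.number)


class Controller:
    """Secure-side controller fed by Wiegand: it sees no crypto, only a card number."""

    def __init__(self, allowed):
        self.allowed = set(allowed)

    def on_frame(self, frame: str) -> bool:
        ident = parse_wiegand26(frame)
        return ident is not None and ident in self.allowed


class TransparentController:
    """Key stays on the secure side; the reader only relays challenge/response."""

    def __init__(self, key: bytes, allowed):
        self.key, self.allowed = key, set(allowed)

    def session(self, relay: Callable[[bytes], tuple]) -> bool:
        challenge = os.urandom(8)  # fresh per session, so a captured answer is useless later
        ident, card_nonce, proof = relay(challenge)
        ok = hmac.compare_digest(proof, tag(self.key, challenge + card_nonce))
        return ok and ident in self.allowed


def transparent_reader(card: Card) -> Callable[[bytes], tuple]:
    """Dumb field reader: forwards the controller's challenge and returns what the card says."""
    def relay(challenge: bytes) -> tuple:
        card_nonce, proof = card.authenticate(challenge)
        return (card.facility, card.number), card_nonce, proof
    return relay


def demo() -> dict:
    card = Card(42, 12345, SITE_KEY)
    ctrl = Controller(allowed=[(42, 12345)])
    reader = NonTransparentReader(SITE_KEY)
    legit = ctrl.on_frame(reader.present(card))
    # Attacker on the reader-controller cable: forge the frame from a known card number, no key needed.
    forged_on_wire = ctrl.on_frame(wiegand26(42, 12345))
    clone_rejected = reader.present(Card(42, 12345, bytes(16))) is None
    # Transparent design: record one legitimate exchange, then try to replay it.
    tctrl = TransparentController(SITE_KEY, [(42, 12345)])
    captured = {}
    def sniffing_relay(challenge: bytes) -> tuple:
        captured["msg"] = transparent_reader(card)(challenge)
        return captured["msg"]
    transparent_legit = tctrl.session(sniffing_relay)
    transparent_replay = tctrl.session(lambda challenge: captured["msg"])
    return {"legit": legit, "forged_on_wire": forged_on_wire, "clone_rejected": clone_rejected,
            "transparent_legit": transparent_legit, "transparent_replay": transparent_replay}


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is that in the non-transparent design the card's cryptography is real but irrelevant to an attacker who can reach the cable, which is exactly why those readers ship with tamper contacts; moving the key behind the controller means the field device holds nothing worth extracting and the wire carries nothing worth replaying.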
The physical access industry is generally extremely tight-lipped about how their garbage actually works. Half the reason is that they know they're selling insecure garbage for a lot of money, the other half is that the industry genuinely believes not documenting stuff increases security. The third half is that having documented and open systems would mean their franchise/installer people would maybe not be able to take their fat cut in some cases.