
Can HID iCLASS Legacy Cards Be Cloned? Standard vs Elite Key

By American Key Cards

HID iCLASS legacy smart card credential showing 13.56 MHz contactless technology

Standard-keyed HID iCLASS legacy cards can be cloned in practice — the authentication key HID shipped as the factory default was publicly exposed by security researchers between 2010 and 2012, and inexpensive tools can now read and copy a standard-keyed card in under a minute. Elite-keyed iCLASS cards are harder to attack but are not immune. American Key Cards supplies compatible standard-keyed iCLASS replacement cards (2000 series) for facilities running legacy readers — and if your organization is assessing its exposure or planning a migration, this guide gives you the honest technical picture you need to make that decision.

What Is HID iCLASS Legacy?

HID iCLASS (legacy) is the first generation of HID Global’s 13.56 MHz contactless smart card platform, introduced in the late 1990s and widely deployed through the 2000s. It operates at 13.56 MHz using the ISO 15693 / ISO 14443B air interface, a step up in frequency from the older 125 kHz proximity cards, and adds mutual authentication and onboard memory.

The chip at the heart of every iCLASS legacy card is the INSIDE Contactless PicoPass (2KS and 32KS variants). The 2KS is the workhorse of the product line: 2 kilobits of memory — enough for a single access control application. The 32KS extends this to 32 kilobits and supports up to 16 independent application areas, useful for facilities combining door access with cashless vending or biometric template storage.

Common Part Numbers

The iCLASS legacy product line covers ISO card, composite card, and key fob form factors:

| Part Number | Form Factor | Memory |
|---|---|---|
| 2000 | Standard ISO PVC card | 2k bit |
| 2002 | Standard ISO PVC card (printable, gloss) | 2k bit |
| 2003 | Standard ISO PVC card (printable, matte) | 2k bit |
| 2004 | ISO card, composite | 2k bit |
| 2080 | Standard ISO PVC card | 16k bit / 2 application areas |
| 2100 | Clamshell card | 2k bit |
| 2102 | Clamshell card (printable) | 2k bit |
| 2103 | Clamshell card (printable, matte) | 2k bit |
| 2104 | Clamshell card, composite | 2k bit |
| 205x | Key Fob II | 2k bit |

Most replacement orders are for 2000, 2002, 2100, or 2102 — the standard and clamshell ISO cards in 2k bit memory. American Key Cards supplies compatible equivalents to the full range, programmed to your facility code and card number.

Bit Formats Supported

iCLASS legacy cards can carry any standard HID bit format, field-programmable into the PACS data area of the PicoPass chip:

  • 26-bit Wiegand H10301 — 8-bit facility code, 16-bit card number (the most common deployment)
  • 37-bit H10302 — no facility code, 35-bit globally unique card number
  • 37-bit H10304 — 16-bit facility code, 19-bit card number
  • Corporate 1000 35-bit — managed format with a 12-bit company ID code
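As an added example (not American Key Cards' or HID's code), the sketch below decodes and validates the PACS bit string for two of the formats listed above, the kind of check used to confirm which format a facility's cards carry or to reject a malformed read. The facility code and card number widths come from the list; the parity layout (leading even parity, trailing odd parity, and the spans each covers) is the commonly documented one and is assumed here, and the names `FORMATS`, `Credential`, `encode` and `decode` are hypothetical.

```python
from dataclasses import dataclass

# Constructed layout table (assumption of this added example):
# name -> (total bits, FC bits, CN bits, even-parity slice, odd-parity slice)
# FC/CN widths are from the list above; parity spans are the commonly
# documented ones. Slices are 0-based over the whole bit string.
FORMATS = {
    "H10301": (26, 8, 16, (1, 13), (13, 25)),
    "H10304": (37, 16, 19, (1, 19), (18, 36)),
}

@dataclass
class Credential:
    fmt: str
    facility_code: int
    card_number: int

def encode(fmt: str, fc: int, cn: int) -> str:
    """Build the bit string for a facility code / card number pair."""
    total, fc_len, cn_len, even, odd = FORMATS[fmt]
    if not (0 <= fc < 1 << fc_len and 0 <= cn < 1 << cn_len):
        raise ValueError(f"{fmt}: value out of range")
    data = f"{fc:0{fc_len}b}{cn:0{cn_len}b}"
    body = "0" + data + "0"  # parity positions zeroed while counting
    p_even = body[even[0]:even[1]].count("1") % 2
    p_odd = 1 - body[odd[0]:odd[1]].count("1") % 2
    return f"{p_even}{data}{p_odd}"

def decode(bits: str) -> Credential:
    """Decode a '0'/'1' string; raise ValueError on bad length or parity."""
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("expected a string of 0s and 1s")
    for name, (total, fc_len, cn_len, even, odd) in FORMATS.items():
        if len(bits) != total:
            continue
        # Leading bit makes its span even; trailing bit makes its span odd.
        if (bits[even[0]:even[1]].count("1") + int(bits[0])) % 2 != 0:
            raise ValueError(f"{name}: leading (even) parity mismatch")
        if (bits[odd[0]:odd[1]].count("1") + int(bits[-1])) % 2 != 1:
            raise ValueError(f"{name}: trailing (odd) parity mismatch")
        fc = int(bits[1:1 + fc_len], 2)
        cn = int(bits[1 + fc_len:1 + fc_len + cn_len], 2)
        return Credential(name, fc, cn)
    raise ValueError(f"no supported format is {len(bits)} bits long")

if __name__ == "__main__":
    sample = encode("H10301", 1, 1)  # constructed sample, not a real card
    print(sample, decode(sample))
```

Length alone cannot distinguish H10304 from H10302, since both are 37 bits; the format in use has to come from the access control system's configuration.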

The Core Security Question: Can iCLASS Legacy Be Cloned?

The answer depends entirely on which key program your system uses.

Standard-Keyed iCLASS: Yes, Practically Cloneable

When HID shipped iCLASS readers and cards from the factory, they used a single proprietary default authentication key — what researchers and practitioners now call the “standard key” or “transport key.” For nearly a decade, this key was treated as a trade secret. In 2010 and 2011, academic security researchers (primarily Flavio Garcia and colleagues at Radboud University, and subsequently the team behind the LOCLASS attack) demonstrated through reverse engineering and cryptographic analysis that:

  1. The standard transport key could be extracted from the reader or the card.
  2. HID’s key diversification algorithm — based on DES — had structural weaknesses that made recovering per-card keys feasible.
  3. A “downgrade attack” allowed PACS credential data extracted from a higher-security format (such as an SE card) to be written onto a blank legacy card, fooling any reader left in legacy mode.

The practical outcome: tools like the Proxmark3 (particularly running the Iceman firmware) and, more recently, the Flipper Zero can read a standard-keyed iCLASS legacy card, extract the PACS data, and write a clone onto a compatible blank in under a minute — with no physical contact required beyond being within a few centimeters of the card for a moment.

This is not a hypothetical research exercise. The attack tools are freely available, widely documented, and require no specialized electronics knowledge to operate. Standard-keyed iCLASS legacy should be treated as having the same effective security posture as an unencrypted 125 kHz card for cloning purposes.

Elite-Keyed iCLASS: Materially Harder, Not Immune

HID offers an optional Elite Key program for iCLASS legacy installations. Instead of using the default transport key, the system administrator provisions the readers (and by extension, the cards) with a custom, organization-specific 64-bit master key. Cards programmed under the Elite program authenticate only to readers configured with the matching private key.

The LOCLASS attack (2012) demonstrated that Elite master keys can theoretically be recovered — but this requires extended physical interaction with an Elite-configured reader while issuing carefully crafted probe cards and recording the reader responses. The attack demands:

  • Physical access to a reader configured with the target Elite key
  • Specialized hardware (a Proxmark3 or equivalent)
  • Significant time and skill to execute the cryptanalysis

This raises the practical barrier enormously compared to standard-keyed cards, where any commercially available Flipper Zero can do the job in seconds. Elite-keyed iCLASS is a reasonable choice for organizations that cannot immediately migrate to a stronger platform — but it is not cryptographically equivalent to iCLASS SE or Seos, and it should not be treated as uncloneable.

What This Means for Your Facility

If your system is on standard-keyed iCLASS legacy: the credential is effectively equivalent to an unencrypted card for security planning purposes. Cloning tools are freely available and require no specialized knowledge. The primary risk is an insider or visitor briefly bringing their card near a scanning device.

If your system is on Elite-keyed iCLASS: the risk is meaningfully lower, but you are still running a platform whose underlying cryptography (DES-based, 64-bit key) is outdated. For environments with serious security requirements, a migration to iCLASS SE or Seos is the correct answer.

Compatible Readers for iCLASS Legacy Cards

iCLASS legacy cards (including AKC’s compatible replacements) work with the following HID readers in standard or legacy mode:

  • HID iCLASS R10 (6100)
  • HID iCLASS R15 (6120)
  • HID iCLASS R40 (6120)
  • HID multiCLASS SE (940) — with legacy mode enabled
  • HID iCLASS SE readers — with legacy mode enabled
  • HID Signo readers — with legacy mode enabled
  • Third-party readers with ISO 15693 iCLASS support

Note that when a multiCLASS SE or Signo reader operates in legacy mode to read iCLASS legacy cards, it is not applying the AES security protections that make those readers strong for SE and Seos credentials. The legacy mode communication is governed by the older iCLASS DES-based protocol. This is worth confirming with your system integrator before making assumptions about the security level of your reader installation.

Compatible vs. Cloned: What American Key Cards Actually Supplies

There is an important distinction between a cloned card and a compatible card — and American Key Cards supplies only the latter.

A cloned card is a direct copy made by reading an existing card’s data and writing it to a blank — bypassing authentication and exploiting the vulnerabilities described above. A compatible-by-specification card starts from the same information you give any legitimate supplier: your facility code, card number, and bit format. We program a blank PicoPass-compatible card with a standard-keyed configuration to your exact specifications — a legitimately issued credential, not a copy of an existing card.

American Key Cards is not affiliated with HID Global and does not produce Elite-keyed credentials. Elite re-issuance requires your system administrator’s involvement. Common replacements we supply include equivalents to the 2000, 2002, 2100, and 2102 cards and the 205x Key Fob II. See our full iCLASS Legacy format page for ordering details.

| Feature | HID iCLASS Legacy (Standard Key) | HID iCLASS Legacy (Elite Key) | HID iCLASS SE |
|---|---|---|---|
| Frequency | 13.56 MHz | 13.56 MHz | 13.56 MHz |
| Air interface | ISO 15693 / 14443B | ISO 15693 / 14443B | ISO 15693 / 14443B |
| Encryption | DES-derived (64-bit key) | DES-derived (org-specific key) | AES-128, Common Criteria EAL 5+ |
| Practical cloneability | Yes — tools freely available | Difficult — requires reader access | Not cloneable (no known attack) |
| Third-party supply | Yes (AKC) | Requires Elite master key | Not possible |
| Migration path | Upgrade to SE or Seos | Upgrade to SE or Seos | Current supported platform |

Standard HID Prox cards (125 kHz, H10301) have a cloneability profile similar to that of standard-keyed iCLASS: the data is reproducible from facility code and card number. iCLASS legacy with standard key adds smart card protocol complexity but no meaningful real-world security advantage now that the standard key has been published. For the 125 kHz credential landscape, see our HID Prox H10301 format guide.

Planning a Migration

Most facilities with iCLASS legacy infrastructure are running a mixed fleet: some readers support SE and Seos alongside legacy mode, while hardware is phased in over time. American Key Cards can supply compatible standard-keyed iCLASS legacy cards to keep existing readers operational — including the R10, R15, and R40 family — without an immediate overhaul. Any doors upgraded to SE or Seos readers during the migration will accept the new, cryptographically secure credentials.

If you need to order replacement cards programmed to your facility code or want guidance on migration planning, contact American Key Cards. We will confirm the right part number and get your order processed without the OEM dealer-account requirements or minimum order quantities.

Frequently asked questions

Can HID iCLASS legacy cards be cloned?

Standard-keyed iCLASS legacy cards are practically cloneable. HID's default authentication key was exposed by security researchers circa 2010 to 2012, and tools such as the Proxmark3 (Iceman firmware) and Flipper Zero can read and clone standard-keyed cards in seconds. Elite-keyed cards use a custom organization-specific master key, which requires physical reader access and specialized hardware to attack — a materially higher bar, though not theoretically unbreakable.

What is the difference between iCLASS standard key and Elite Key?

Every iCLASS legacy card ships from the factory using HID's published default transport key — this is the standard key. The Elite Key program allows organizations to replace that default key with a private, organization-specific master key. Cards programmed under the Elite program will only authenticate to readers configured with the matching key, making casual duplication much harder.

Will American Key Cards iCLASS replacement cards work in my existing HID readers?

Yes. Our compatible iCLASS legacy cards are programmed with your facility code and card number and work in all HID iCLASS readers using the standard key in their default or legacy mode — including iCLASS R10 (6100), R15, R40, multiCLASS SE (940), and Signo readers with legacy mode enabled. Elite-keyed re-issuance requires your system administrator to hold the Elite master key.

Should I migrate from iCLASS legacy to iCLASS SE or Seos?

If your facility is on standard-keyed iCLASS legacy and security is a meaningful concern, migration to iCLASS SE or Seos is the correct long-term answer. Both use AES-128 encryption with Secure Identity Objects and have no known practical cloning attack. In the meantime, American Key Cards can supply compatible standard-keyed iCLASS replacement cards while your organization plans the transition.

Not sure which format you have?

Send us the numbers printed on your card — we'll identify the format and quote a compatible card, usually within one business day.