NFC and security - Best practices?

Hi there,

I found some NFC stickers laying around and tried them with OpenHAB.
The configuration is a breeze: select the item you want to command, select ON/OFF/Toggle and write it to the tag. The tag is then containing the URI to OpenHab and it just works.
When my phone is locked it does nothing, when I unlock it and scan the tag, it fires the command.

Then I wondered if that is the best way to do it? Because anyone can read the NFC tag and read the full URI, containing for instance ‘door_lock’. They would still need access to my internal network first, but still … that is not something I like. Security by obscurity :wink:

Does anyone have any ideas or practices about this?
I was thinking about assigning the NFC a random number and then proxying that number to the actual item? That would require some serious maintenance.

Wondering how other people are using this.

Kind regards,

Use https instead of http with a Jason Web Token for authentication.

1 Like

The way I see it, the NFC tag is just another UI, and it’s harder to use than openHAB’s web-based UIs. As you noted, for an NFC tag to work, you have to be connected to the same WiFi network as the openHAB server. But more than that, you need to have the openHAB app installed and configured.

Sure, you can read the tag, but all it gives you is the app name and the item name/command. There’s no server/login information, so they would still have to figure that out. And if they can figure that out (and access your network), they might as well just open a web browser to access your system. This also requires them to have a decent amount of knowledge about openHAB.

So, if you’re confident in your network security, then I think the NFC tag is fine. If you’re not confident, then I would say you shouldn’t expose your door lock on any UI at all. It’s a question of security versus convenience.

I would probably use a proxy item that runs a rule to check for one or more parameters, such as your phone being identified on your WiFi and/or your GPS coordinates, before unlocking the door.

Is that possible in this case? The NFC tag triggers the openHAB app, so there isn’t an HTTP command.

1 Like

How does it communicate? Since it is external it must use some sort of protocol.

The NFC tag triggers the command via the openHAB app, and the openHAB app communicates with the server.

OK so communication is BTLE to the phone. That hinges on security in the phone OS and how BTLE is implemented.

There appears to be some level of security in the protocol itself.

I agree with Russ (and through my own experimentation with tags), that the NFC doesn’t offer much ease of use over a regular UI. If your phone is locked you still have to unlock the phone and that’s already most of the way to just pushing a button on the home screen for you most used controls (which can also be configured via the andriod app). If you have a setup where your phone is unlocked (e.g., unlocks with home wifi or stays unlocked when connected to smart watch - neither of which I endorse), then there’s a possibility of slightly improved ease of use (but in the case of the wifi you’re already home and thus not worried about unlocking the door).

If you must have the NFC tag then I would implement it through something like Tasker. You can write tags that will trigger a Tasker action and tasker can then communicate with the android app to send the unlock command to the lock item. But anyone scanning the tag without the exact tasker action (difficult to duplicate without direct knowledge) would not be able to unlock the door.

(A side effect of this system is that you can also make device/user specific responses to the scanning the tag by creating different tasker actions for different people. For example, if you, your kid, and your friend all have slightly different versions of the tasker action, then you scan the tag the and tasker action unlocks the door, but if your kid scans the tag it unlocks the door and sends you a text with the timestamp of the door unlock, and if your friend scans the tag it triggers an OH proxy item that only unlocks the door if during daylight hours).


Great idea. I actually did this at first when I was playing with NFC tags, because I didn’t realize NFC read/write was built into the openHAB Android app. The only downside is that Tasker adds lag (in my testing), but it’s not significant.

Also a great idea. Mind you, everyone has to have the openHAB app installed/configured, so I’m not sure the effort is worth the payoff. But I like the possibilities.

I don’t think NFC is BTLE, but I admittedly don’t know a ton about how it works.

NFC (Near Field Communication) is not BLE (Bluetooth Low Energy).
A NFC card / sticker is passiv, means it has no own energy source (battery). Examples would be Hotel Key cards, Nintendo Amiibo, …
BLE is an active device, most often running on batteries. Examples would be heart rate sensors, bicycle sensors, Bluetooth Beacons…

Enough ‚Kligscheissen‘ without answering the actual question? :sweat_smile:


Not BTLE, Near-Field Communication. It’s more akin to RFID than BTLE. The tags don’t have their own power. Instead they harvest the power from the radio signals sent to them in order to generate a static response, usually just an ID number.

As Russ accurately described, that gets passed to the openHAB App on the phone to interpret. All the actual communication between openHAB and the phone is done through the openHAB App.

So, if you trust the phone app to control your openHAB I see no reason why you couldn’t also trust NFC tags. The tags by themselves at most reveal the Item name. Though that may not even be the case. I don’t know if the phone app programs that into the NFC tag, or the phone app just records the NFC tag’s ID and maps that to an Item command internally to the app. But for sure there is no login information or even URL information contained in the tag, assuming you are using the openHAB app with these tags.

I don’t think that’s a necessary bit of redirection but it would certainly work. That might give you the opportunity to do some extra stuff on the phone before commanding the Item (ask for a pin for example).

I don’t have any NFC tags any more to test this. It would be useful to test which way the mapping between tag and Item goes, whether it’s actually stored on the tag itself or just maintained within the app. If it’s only within the app then you could program different Items for each user using the same tag.

I just so happen to have the NFC tag that I was playing with awhile back sitting on my desk. The record is:


I love the idea of the mapping working the other way, but I suppose that would be feature-add to the app, in which case the same can be accomplished with Tasker.


I am looking to set up tags to do some toggling - can you break down the syntax you are using here so I can apply it to my use cases? I tried with just the i (item?) and s (state?) and it opens the openhab app but does nothing. Does the item referenced need to exist in the sitemap?

Id use the iphone built in shortcuts as those are easy to share as well but it only lets you send on or off - no toggle option

Per my earlier messages I’m using the Android app, which has the ability to write NFC tags. I don’t know if that’s possible with the iOS app, or what the syntax would be. It might not even be possible to toggle in the iOS app.

ok so that url was created by the app completely ? Is it changing just one Item / is it on a specific sitemap? ie do the variables appear to align with anything? I’m curious if iphone app allows for the path to work just as android - we just need to use another app to write the tag.

I don’t want to hijack this thread, as the OP was asking about best practices for security, not how to get NFC working in iOS. To answer your questions, the URI was written by the app for one item, and sitemaps have nothing to do with it.

If you’re not finding anything else about it in the community, I suggest looking in GitHub to see if it’s been discussed. If anyone’s going to know the syntax, it’s the maintainers.

If you don’t have full control over your tags, don’t use NFC. Tags could be overwritten or just changed by attacker. Would you blindly visit some url? I guess not. Essentially it’s the same here, you do not really know what’s on the tag.
Real life example: in some school kids were receiving their daily schedule scanning tags at the morning. There were million ways to make things simpler, the school just got fancy. Result: it took two days to reprogram them and put there pornhub address or smth like that. And they never found who :slight_smile: