Are serial numbers of NFC tags truely unique?
That depends on the tag product and what you consider truely unique. E.g.:
- ISO 14443 Type A tags with 4 byte serial numbers: There certainly exist duplicates (mainly because there is no clear scheme to divide the available range of serial numbers among the various manufacturers) and you can expect that within a batch of tags, there will be significant similarity between serial numbers (e.g. running sequences).
- ISO 14443 Type A tags with 7 byte serial number (similarly for serial numbers of ISO 15693 tags): Each manufacturer is allocated a block of serial numbers (e.g. NXP serial numbers start with 0x04, Infineon with 0x05, etc). Within that block many manufacturers (I’m not sure about all of them) guarantee that they use each serial number only once. So these serial numbers are often unique (each manufacturer has a block of trillions of serial numbers). Still there will often be significant similarities between serial numbers of each batch (e.g. running sequences). Moreover, it seems that even within the serial number ranges that are supposedly guaranteed to be unique by manufacturers there appear counterfeit tag products that have duplicate serial numbers (see this question on duplicate serial numbers of counterfeit(?) NTAG203 chips).
Can serial numbers be cloned?
Yes, definitely. If you look for instance at MIFARE Classic, you can easily get cards with freely customizable serial number from a Chinese vendor of your choice. There is also devices like Proxmark with which you can emulate a card with a freely customizable serial number. And, moreover, it is relatively easy and cheap to build a device that emulates the protocol and consequently emulates a serial number of your choice. (Also see this question on emulating arbitrary serial numbers using Android NFC smartphones.)
As an attacker, the interesting part now is how you find a legit serial number for a specific system (i.e. a serial number that successfully authenticates to the system):
- Read someone’s card and clone the serial number.
- Intercept communication between the legit card and the legit reader.
- Make a guess based on other cards from the same batch (that’s why similarity between serial numbers also matters).
Is it a good idea to design an access control system that’s based solely on serial numbers?
No, definitely not. Still there exist lots of such systems. But more and more of these systems introduce additional security mechanisms.