Proximity Card Vulnerabilities

Author: Brian Rhodes, Published on Aug 22, 2012

Even though it is the most common credential in access control today, proximity cards face notable security problems. The effort to move end users to newer card technologies is no accident; technology vendors are not only trying to sell new readers, but they are trying to mitigate the risk inherent in every single one of these older cards.

What are these risks, and what can be done to make them more secure short of overhauling all the readers and cards in an access control system? In this note, we dig in to this issue and provide our recommendations.

Weaknesses

It is surprising for some to realize that 'proximity cards' have been in use for over 30 years. Like many technologies, the more widely it is used, the less protected it becomes against exploitation. After so many years, the methods of compromising proximity cards are common knowledge:

  • Easy to Spoof & Clone: the Internet is full of websites, videos, and ready-to-build kits designed to illegally copy or duplicate credential cards.
  • Easy to Intercept: This is a specific element of spoofing, that introduces a 'passive reader' near a security card reader that scans cards as they are presented. Unlike 'contact credentials' or short-range proximity technologies like NFC, proximity cards can be read without card holder knowledge by fifty or more feet away. Activities like spoofing and cloning can happen without the end user ever being physically separated from their credentials.
  • Widely Available in Distribution: Obtaining 'blank' proximity cards is easy and cheap. If an unauthorized user knows just a few basic details about the cards in use, they can procure 'exact matches' of active cards at most facilities with little effort. While mechanical keyblanks are commonly available, they still require additional cutting before being used improperly. In many cases, buying exact copies of active cards is less difficult.
  • Credentials Often Not Securely Stored: While end users never leave keys or wallets unattended, credential cards are often hung from lanyards around rear-view mirrors or stuffed into duffel bags after work, and can be easily stolen or 'read' for the purposes of cloning. Cards are commonly lost or misplaced and many users do not recognize the security vulnerability introduced when this happens.

The Scope of the Threat

Since it's introduction to the security market in the 1980's, contactless RFID has been the standard method of delivering credentials into physical access control systems. Not only do users find Proximity (Prox) Cards easy to use - wave a card in front of a reader - it requires special equipment to read or emit the information it uses. However, the security was largely assured by 'security through obscurity'.

While the technology is still fairly uncommon, it is by no means 'protected' or 'restricted'. An individual with a modest amount of proximity card/reader knowledge can find a number of exploits and procure equipment to take advantage of them. In recent years, a sure way to be noticed at hacker conventions, electronic hobbyist projects, or to have an engineering paper recognized is to publish methods on how cheaply and easily prox card weaknesses can be taken advantage of. However, despite the buzz, most of these methods remain out of the reach of common criminals.

Really a Problem?

Evaluating these vulnerabilities in terms of actual risk is difficult. It is unlikely that an individual intent on unauthorized entry will be patient enough and have the specialized knowledge required to take advantage of these exploits. Very few examples exist in the public domain of someone entering a facility via Prox card vulnerabilities, and most end users may still find their biggest access risk comes from guys with sledgehammers less sophisticated threats. A risk assessment simply reveals that the chance of someone spoofing or cloning an access card is unlikely and security is not practically effected.

However, many government and 'high security' installations find prox card vulnerabilities too big and expensive to defend against. Security protocol in these facilities means active risk mitigation must take place as soon as it is recognized. In many cases, this means that proximity cards have been prohibited from use in those facilities. For example, with the advent of HSPD-12, the US Government has adopted FIPS-201 PIV standards that eliminate use of prox cards entirely, in part to eliminate these vulnerabilities.

Mitigating the Risk

Manufacturing often suggest replacing reader with new technology, and even incentivize doing so. For example, iClass is cheaper than Prox II. However, massive credential and reader replacement is not always necessary to increase the security of a system. For those end users not in position to pay for upgrades, here are some practical steps to consider with existing equipment:

  • Two-Factor Authentication: A simple step to take follows the "Something You Have AND Something You Know" verification path. In real terms, this means requiring both a card credential and a PIN to access an opening. While the next effect might be slowing down the credential process, it condenses spoofing or cloning a card only half the effort needed to gain access.
  • Tighten down Access Levels: This is an often overlooked, but perhaps most critical aspect, of managing an electronic access control system. This step requires configuring the system to permit card holders access only during certain times and on certain days. In other words, first-shift employees only have access during first shift periods on workdays, and so on. Rather, many access system managers 'balance' the matter of convenience versus security by simply permitting a card holder access any time on any day. However, while tightening down access permissions may increase inconvenience during 'non-standard' circumstances, it can significantly increase overall security by reducing the utility of faked access cards.
  • Use uncommon 'facility codes': A critical piece of information most access systems use to define credentials is the 'facility code'. Most systems require this code to be a certain value in order for a card to even be 'read' by the system. However, many end users do not realize the importance of this code, and just use whatever their system is defaulted to use. In the same way that a 'restricted keyway' limits the number of keyblanks that can be used to make a illegal keys, using a unique set of 'factory codes' limits the potential number of blank prox cards to use against a system. While this step will not prevent sophisticated spoofers from reading this code, it is easy layer of security to add to these systems.
  • Layer Video Surveillance with Access: Aside from the value of having visual records entry to a facility, adding cameras at doors, and integrating video with access systems will reveal tampering and unauthorized entry attempts. Even the most sophisticated exploits may take more than one effort, and validating entry records against specific people can uncover problems before they become serious.
  • Encourage carriers to treat credentials as keys: Many credential carriers see cards as a picture ID badge rather than an opportunity for someone to gain unauthorized access. In the same way that users would not store key rings in an insecure manner, it is important to reinforce prox cards in a safe, secure spot when not being used. Stressing the importance of keeping prox credential badges on their person or securely stored at all times will significantly reduce the risk of unauthorized entry.

1 report cite this report:

Paxton Access Control Company Profile on Dec 07, 2015
This note profiles access company Paxton, our 3rd installment in an ongoing series, following our profiles of Tyco Kantech and DSX. Inside we...
Comments : PRO Members only. Login. or Join.

Related Reports

2019 Access Control Book Released on Dec 12, 2018
This is the best, most comprehensive access control book in the world, based on our unprecedented research and testing has been significantly...
Multi-Factor Access Control Authentication Guide on Dec 10, 2018
Can a stranger use your credentials? One of the oldest problems facing access control is making credentials as easy to use as keys, but restricting...
Top 2019 Trend - AI Video Analytics on Dec 10, 2018
160+ Integrators answered: What do you think the top industry trend will be in 2019? Why? AI / video analytics was the run-away winner with...
Cybersecurity Insurance For Security Integrators on Nov 29, 2018
Most security industry professionals carry insurance to cover themselves in the event of a general loss. However, most are not carrying cyber...
Startup Qumulex Aims For Unified Platform, Adds Infinias Access Founder on Nov 29, 2018
The startup founded by former Exacq executives, Qumulex has hired Wayne Jared, founder of access control manufacturer Infinias and most recently a...
HID Product Configurator Examined on Nov 26, 2018
HID is widely used. However, figuring out all the different configurations of features for a final credential or reader part number can be a real...
Openpath Access Control Tested on Nov 20, 2018
Big investment in access startups is uncommon, but Openpath has recently attracted $20 million doing just that. The company has limited security...
Arcules Cloud VMS Tested on Nov 19, 2018
Arcules is a big bet, or as they describe themselves a 'bold company', spun out and backed by Milestone and Canon.  But how good is Arcules cloud...
Directory of Video Intercoms on Nov 13, 2018
Video Intercoms, also known as Video Door-Phones or Video Entry Systems, have been growing in the past decade as more and more IP camera...
Beware Amazon Go Store Hype (Tested) on Nov 13, 2018
IPVM's trip to and testing of Amazon Go's San Francisco store shows a number of significant operational and economic issues that undermine the...

Most Recent Industry Reports

Imperial Capital Security Investor Conference 2018 Review - ADT, Resideo, Alarm.com, Arlo, Eagle Eye, ACRE, More on Dec 14, 2018
Imperial Capital Security Investor Conference is an event matching industry executives with financiers that frequently leads to future funding...
Cisco Meraki New Cameras and AI Analytics on Dec 14, 2018
Meraki has released their second generation of video surveillance with 3 new cameras, AI-based video analytics, and 2 cloud-based storage...
Foolish Strategy: OEMing Facial Recognition on Dec 13, 2018
Almost as 'hot' as face recognition marketing right now is OEMing facial recognition. Last year, they were a who's who of company's with...
DVR Examiner - Video Recovery from Recorder Hard Drives on Dec 13, 2018
Bypassing passwords and long download times on-site, DVR Examiner collects and organizes video evidence directly from a hard drive extracted from...
2019 Access Control Book Released on Dec 12, 2018
This is the best, most comprehensive access control book in the world, based on our unprecedented research and testing has been significantly...
Huawei Hisilicon Quietly Powering Tens of Millions of Western IoT Devices on Dec 12, 2018
Huawei Hisilicon chips are powering, at least, tens of millions of Western IoT devices, such as IP cameras and surveillance recorders, a fact that...
FLIR Launches Body Cameras Unified With VMS (TruWitness) on Dec 11, 2018
While FLIR is best known for their thermal cameras, now they have expanded into body cameras, launching TruWITNESS, a public safety focused body...
Startup Sunflower Labs' Autonomous Drone Security System on Dec 11, 2018
Startup Sunflower Labs is claiming a unique design on a home security system, combining autonomous drones and 'Sunflower' sensors. Imagine an...
The 2019 Video Surveillance Industry Guide on Dec 10, 2018
The 300 page, 2019 Video Surveillance Industry Guide, covers the key events and the future of the video surveillance market, is now available,...
Multi-Factor Access Control Authentication Guide on Dec 10, 2018
Can a stranger use your credentials? One of the oldest problems facing access control is making credentials as easy to use as keys, but restricting...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact