Proximity Card Vulnerabilities

Author: Brian Rhodes, Published on Aug 22, 2012

Even though it is the most common credential in access control today, proximity cards face notable security problems. The effort to move end users to newer card technologies is no accident; technology vendors are not only trying to sell new readers, they are also trying to mitigate the risk inherent in every single one of these older cards.

What are these risks, and what can be done to make them more secure short of overhauling all the readers and cards in an access control system? In this note, we dig into this issue and provide our recommendations.

**********

** ** ********** *** **** ** ******* **** '********* *****' have **** ** *** *** **** ** *****. **** **** technologies, *** **** ****** ** ** ****, *** **** ********* it ******* ******* ************. ***** ** **** *****, *** ******* of ************ ********* ***** *** ****** *********:

  • **** ** ***** & *****:*** ******** ** **** **********,******, ********-**-***** ************ ** ********* **** ** ********* ********** *****.
  • **** ** *********: **** ** * ******** ******* ** ********, **** ********** a '******* ******' **** * ******** **** ********** ***** ***** ** **** *** *********. ****** '******* ***********' ** *****-***** ********* ************ **** ***, proximity ***** *** ** **** ******* **** ****** ********* ** fifty ** **** **** ****. ********** **** ******** *** ******* can ****** ******* *** *** **** **** ***** ********** ********* from ***** ***********.
  • ****** ********* ** ************:********* '*****' ********* ***** ** **** *** *****. ** ** ************ **** ***** **** * *** ***** details ***** *** ***** ** ***, **** *** ******* '***** matches' ** ****** ***** ** **** ********** **** ****** ******. While ********** ********* *** ******** *********, **** ***** ******* ********** cutting ****** ***** **** **********. ** **** *****, ****** ***** copies ** ****** ***** ** **** *********.
  • *********** ***** *** ******** ******:***** *** ***** ***** ***** **** ** ******* **********, ********** cards *** ***** **** **** ******** ****** ****-**** ******* ** stuffed **** ****** **** ***** ****, *** *** ** ****** stolen ** '****' *** *** ******** ** *******. ***** *** commonly **** ** ********* *** **** ***** ** *** ********* the ******** ************* ********** **** **** *******.

The ***** ** *** ******

***** **'* ************ ** *** ******** ****** ** *******'*, *********** **** *** **** *** ******** ****** ** ********** credentials **** ******** ****** ******* *******. *** **** ** ***** find ********* (****) ***** **** ** *** - **** * card ** ***** ** * ****** - ** ******** ******* equipment ** **** ** **** *** *********** ** ****. *******, the ******** *** ******* ******* ** '******** ******* *********'.

***** *** ********** ** ***** ****** ********, ** ** ** no ***** '*********' ** '**********'. ** ********** **** * ****** amount ** ********* ****/****** ********* *** **** * ****** ** exploits *** ******* ********* ** **** ********* ** ****. ** recent *****, * **** *** ** ** ******* ******** ***********,********** ******** ********, ** ** **** ************* ***** ************ ** ******* ******* ** *** ******* *** ****** **** card ********** *** ** ***** ********* **. *******, ******* *** buzz,**** ** ***** ******* ****** *** ** *** ***** ** common *********.

Really * *******?

********** ***** *************** ** ***** ** ****** **** ** *********. It ** ******** **** ** ********** ****** ** ************ ***** will ** ******* ****** *** **** *** *********** ********* ******** to **** ********* ** ***** ********. **** *** ******** ***** in *** ****** ****** ** ******* ******** * ******** *** Prox **** ***************, *** **** *** ***** *** ***** **** their ******* ****** **** ***** ******** **** ***************** ************* *******. * **** ********** ****** ******* **** *** chance ** ******* ******** ** ******* ** ****** **** ** unlikely *** ******** ** *** *********** ********.

*******, **** ********** *** '**** ********' ************* **** **** **** vulnerabilities *** *** *** ********* ** ****** *******. ******** ******** in ***** ********** ***** ****** **** ********** **** **** ***** as **** ** ** ** **********. ** **** *****, **** means **** ********* ***** **** **** ********** **** *** ** those **********. *** *******, **** *** ****** ** ****-**, *** US ********** *** ******* ****-*** *** ********* **** ********* *** of **** ***** ********, ** **** ** ********* ***** ***************.

Mitigating *** ****

************* ***** ******* ********* ****** **** *** **********, *** **** incentivize ***** **. *** *******, ****** ** ******* **** **** II. *******, ******* ********** *** ****** *********** ** *** ****** necessary ** ******** *** ******** ** * ******. *** ***** end ***** *** ** ******** ** *** *** ********, **** are **** ********* ***** ** ******** **** ******** *********:

  • ***-****** **************: * ****** **** ** **** ******* *** "********* *** Have *** ********* *** ****" ************ ****. ** **** *****, this ***** ********* **** * **** ********** *** * *** to ****** ** *******. ***** *** **** ****** ***** ** slowing **** *** ********** *******, ** ********* ******** ** ******* a **** **** **** *** ****** ****** ** **** ******.
  • ******* **** ****** ******: **** ** ** ***** **********, *** ******* **** ******** aspect, ** ******** ** ********** ****** ******* ******. **** **** requires *********** *** ****** ** ****** **** ******* ****** **** during ******* ***** *** ** ******* ****. ** ***** *****, first-shift ********* **** **** ****** ****** ***** ***** ******* ** workdays, *** ** **. ******, **** ****** ****** ******** '*******' the ****** ** *********** ****** ******** ** ****** ********** * card ****** ****** *** **** ** *** ***. *******, ***** tightening **** ****** *********** *** ******** ************* ****** '***-********' *************, it *** ************* ******** ******* ******** ** ******** *** ******* of ***** ****** *****.
  • *** ******** '******** *****': * ******** ***** ** *********** **** ****** ******* *** to ****** *********** ** *** '******** ****'. **** ******* ******* **** **** ** ** * ******* value ** ***** *** * **** ** **** ** '****' by *** ******. *******, **** *** ***** ** *** ******* the ********** ** **** ****, *** **** *** ******** ***** system ** ********* ** ***. ** *** **** *** **** a '********** ******' ****** *** ****** ** ********* **** *** ** **** to **** * ******* ****, ***** * ****** *** ** 'factory *****' ****** *** ********* ****** ** ***** **** ***** to *** ******* * ******. ***** **** **** **** *** prevent ************* ******** **** ******* **** ****, ** ** **** layer ** ******** ** *** ** ***** *******.
  • ***** ***** ************ **** ******:***** **** *** ***** ** ****** ****** ******* ***** ** a ********, ****** ******* ** *****, *** *********** ***** **** access ******* **** ****** ********* *** ************ ***** ********. **** the **** ************* ******** *** **** **** **** *** ******, and ********** ***** ******* ******* ******** ****** *** ******* ******** before **** ****** *******.
  • ********* ******** ** ***** *********** ** ****:**** ********** ******** *** ***** ** * ******* ** ***** rather **** ** *********** *** ******* ** **** ************ ******. In *** **** *** **** ***** ***** *** ***** *** rings ** ** ******** ******, ** ** ********* ** ********* prox ***** ** * ****, ****** **** **** *** ***** used. ********* *** ********** ** ******* **** ********** ****** ** their ****** ** ******** ****** ** *** ***** **** ************* reduce *** **** ** ************ *****.