Proximity Card Vulnerabilities

By: Brian Rhodes, Published on Aug 22, 2012

Even though it is the most common credential in access control today, proximity cards face notable security problems. The effort to move end users to newer card technologies is no accident; technology vendors are not only trying to sell new readers, but they are trying to mitigate the risk inherent in every single one of these older cards.

What are these risks, and what can be done to make them more secure short of overhauling all the readers and cards in an access control system? In this note, we dig in to this issue and provide our recommendations.

Weaknesses

It is surprising for some to realize that 'proximity cards' have been in use for over 30 years. Like many technologies, the more widely it is used, the less protected it becomes against exploitation. After so many years, the methods of compromising proximity cards are common knowledge:

  • Easy to Spoof & Clone: the Internet is full of websites, videos, and ready-to-build kits designed to illegally copy or duplicate credential cards.
  • Easy to Intercept: This is a specific element of spoofing, that introduces a 'passive reader' near a security card reader that scans cards as they are presented. Unlike 'contact credentials' or short-range proximity technologies like NFC, proximity cards can be read without card holder knowledge by fifty or more feet away. Activities like spoofing and cloning can happen without the end user ever being physically separated from their credentials.
  • Widely Available in Distribution: Obtaining 'blank' proximity cards is easy and cheap. If an unauthorized user knows just a few basic details about the cards in use, they can procure 'exact matches' of active cards at most facilities with little effort. While mechanical keyblanks are commonly available, they still require additional cutting before being used improperly. In many cases, buying exact copies of active cards is less difficult.
  • Credentials Often Not Securely Stored: While end users never leave keys or wallets unattended, credential cards are often hung from lanyards around rear-view mirrors or stuffed into duffel bags after work, and can be easily stolen or 'read' for the purposes of cloning. Cards are commonly lost or misplaced and many users do not recognize the security vulnerability introduced when this happens.

The Scope of the Threat

Since it's introduction to the security market in the 1980's, contactless RFID has been the standard method of delivering credentials into physical access control systems. Not only do users find Proximity (Prox) Cards easy to use - wave a card in front of a reader - it requires special equipment to read or emit the information it uses. However, the security was largely assured by 'security through obscurity'.

While the technology is still fairly uncommon, it is by no means 'protected' or 'restricted'. An individual with a modest amount of proximity card/reader knowledge can find a number of exploits and procure equipment to take advantage of them. In recent years, a sure way to be noticed at hacker conventions, electronic hobbyist projects, or to have an engineering paper recognized is to publish methods on how cheaply and easily prox card weaknesses can be taken advantage of. However, despite the buzz, most of these methods remain out of the reach of common criminals.

Really a Problem?

Evaluating these vulnerabilities in terms of actual risk is difficult. It is unlikely that an individual intent on unauthorized entry will be patient enough and have the specialized knowledge required to take advantage of these exploits. Very few examples exist in the public domain of someone entering a facility via Prox card vulnerabilities, and most end users may still find their biggest access risk comes from guys with sledgehammers less sophisticated threats. A risk assessment simply reveals that the chance of someone spoofing or cloning an access card is unlikely and security is not practically effected.

However, many government and 'high security' installations find prox card vulnerabilities too big and expensive to defend against. Security protocol in these facilities means active risk mitigation must take place as soon as it is recognized. In many cases, this means that proximity cards have been prohibited from use in those facilities. For example, with the advent of HSPD-12, the US Government has adopted FIPS-201 PIV standards that eliminate use of prox cards entirely, in part to eliminate these vulnerabilities.

Mitigating the Risk

Manufacturing often suggest replacing reader with new technology, and even incentivize doing so. For example, iClass is cheaper than Prox II. However, massive credential and reader replacement is not always necessary to increase the security of a system. For those end users not in position to pay for upgrades, here are some practical steps to consider with existing equipment:

  • Two-Factor Authentication: A simple step to take follows the "Something You Have AND Something You Know" verification path. In real terms, this means requiring both a card credential and a PIN to access an opening. While the next effect might be slowing down the credential process, it condenses spoofing or cloning a card only half the effort needed to gain access.
  • Tighten down Access Levels: This is an often overlooked, but perhaps most critical aspect, of managing an electronic access control system. This step requires configuring the system to permit card holders access only during certain times and on certain days. In other words, first-shift employees only have access during first shift periods on workdays, and so on. Rather, many access system managers 'balance' the matter of convenience versus security by simply permitting a card holder access any time on any day. However, while tightening down access permissions may increase inconvenience during 'non-standard' circumstances, it can significantly increase overall security by reducing the utility of faked access cards.
  • Use uncommon 'facility codes': A critical piece of information most access systems use to define credentials is the 'facility code'. Most systems require this code to be a certain value in order for a card to even be 'read' by the system. However, many end users do not realize the importance of this code, and just use whatever their system is defaulted to use. In the same way that a 'restricted keyway' limits the number of keyblanks that can be used to make a illegal keys, using a unique set of 'factory codes' limits the potential number of blank prox cards to use against a system. While this step will not prevent sophisticated spoofers from reading this code, it is easy layer of security to add to these systems.
  • Layer Video Surveillance with Access: Aside from the value of having visual records entry to a facility, adding cameras at doors, and integrating video with access systems will reveal tampering and unauthorized entry attempts. Even the most sophisticated exploits may take more than one effort, and validating entry records against specific people can uncover problems before they become serious.
  • Encourage carriers to treat credentials as keys: Many credential carriers see cards as a picture ID badge rather than an opportunity for someone to gain unauthorized access. In the same way that users would not store key rings in an insecure manner, it is important to reinforce prox cards in a safe, secure spot when not being used. Stressing the importance of keeping prox credential badges on their person or securely stored at all times will significantly reduce the risk of unauthorized entry.

1 report cite this report:

Paxton Access Control Company Profile on Dec 07, 2015
This note profiles access company Paxton, our 3rd installment in an ongoing series, following our profiles of Tyco Kantech and DSX. Inside we...
Comments : PRO Members only. Login. or Join.

Related Reports

Farpointe Data Conekt Mobile Access Reader Tested on Jun 13, 2019
California based Farpointe Data has been a significant OEM supplier of conventional access readers for years to companies including DMP, RS2, DSX,...
Axis Will Not Block Resellers on Jun 10, 2019
While Axis generally has strong favorability amongst integrators, the biggest complaint is their channel model, which results in smaller integrator...
Dumber Techs, Bad Box Movers, Says Australian Distributor on Jun 10, 2019
Techs today are "dumber" than they used to be, despite better education and training and that makes a typical day "frustrating" for one...
OSDP Access Control Guide on Jun 04, 2019
Access control readers and controllers need to communicate. While Wiegand has been the de facto standard for decades, OSDP aims to solve major...
Vidsys New President Interviewed on May 31, 2019
A decade ago, PSIM was hot with projections then of a billion dollar market by now. This has not come close to happening. However, Vidsys, one of...
Verkada Favorability Results 2019 on May 29, 2019
Verkada has taken the industry by storm with the fastest growing video surveillance sales organization ever and a half billion dollar valuation....
Access Control Job Walk Guide on May 22, 2019
Significant money can be saved and problems avoided with an access control job walk if you know what to look for and what to ask. By inviting...
Facial Recognition Systems Fail Simple Liveness Detection Test on May 17, 2019
Facial recognition is being widely promoted as a solution to physical access control but we were able to simply spoof 3 systems because they had no...
Maglock Selection Guide on May 16, 2019
One of the most misunderstood yet valuable pieces of electrified hardware is the maglock. Few locks are stronger, but myths and confusion surround...
Milestone XProtect 2019 R1 Tested on May 15, 2019
For the past few years, Milestone has released quarterly software updates XProtect VMS platform. What is new and how much impact do the updates...

Most Recent Industry Reports

Sighthound Transforms Into Enterprise AI Provider on Jun 14, 2019
Sighthound is now rapidly expanding its R&D team, building an enterprise AI service. This may come as a surprise given their origins 6 years...
ADT Eliminating Acquired Brands, Unifying Under 'Commercial' Brand on Jun 14, 2019
ADT is eliminating the brands of the many integrators it has acquired over the past few years, including Red Hawk, Aronson Security Group (ASG),...
NSA Director Keynoting Dahua and Hikvision Sponsored Cybersecurity Conference on Jun 13, 2019
The technical director for the NSA’s Cybersecurity Threat Operations Center will be keynoting a physical security cybersecurity conference that is...
Farpointe Data Conekt Mobile Access Reader Tested on Jun 13, 2019
California based Farpointe Data has been a significant OEM supplier of conventional access readers for years to companies including DMP, RS2, DSX,...
Embattled $400 Million China Funded Philippines Surveillance System Proceeds on Jun 13, 2019
An embattled 12,000 camera surveillance system project that will cost ~$400 million will proceed.  The project contract was awarded, had its...
False Verkada 'Unrivaled' Low Light Performance Claim Removed on Jun 12, 2019
Verkada falsely claimed that it delivered 'UNRIVALED LOW LIGHT PERFORMANCE' until IPVM questioned. In fact, Verkada's low light performance is...
Manufacturer Favorability Guide 2019 on Jun 12, 2019
The 259 page PDF guide may be downloaded inside by all IPVM members. It includes our manufacturer favorability rankings and individual...
Camera Course Summer 2019 - Register Now on Jun 12, 2019
Register for the Summer 2019 Camera Course.  This is the only independent surveillance camera course, based on in-depth product and technology...
Favorite Wireless Manufacturers 2019 on Jun 12, 2019
Many wireless options exist for video surveillance but how are integrator's overall favorites? 170 integrators answered the question: What is...
Carnegie Mellon AI Startup Zensors Profile on Jun 11, 2019
Zensors is a startup formed by Carnegie Mellon graduates from a Carnegie Mellon research project, offering customized models per camera that they...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact