Proximity Card Vulnerabilities

Author: Brian Rhodes, Published on Aug 22, 2012

Even though it is the most common credential in access control today, proximity cards face notable security problems. The effort to move end users to newer card technologies is no accident; technology vendors are not only trying to sell new readers, but they are trying to mitigate the risk inherent in every single one of these older cards.

What are these risks, and what can be done to make them more secure short of overhauling all the readers and cards in an access control system? In this note, we dig in to this issue and provide our recommendations.

Weaknesses

It is surprising for some to realize that 'proximity cards' have been in use for over 30 years. Like many technologies, the more widely it is used, the less protected it becomes against exploitation. After so many years, the methods of compromising proximity cards are common knowledge:

  • Easy to Spoof & Clone: the Internet is full of websites, videos, and ready-to-build kits designed to illegally copy or duplicate credential cards.
  • Easy to Intercept: This is a specific element of spoofing, that introduces a 'passive reader' near a security card reader that scans cards as they are presented. Unlike 'contact credentials' or short-range proximity technologies like NFC, proximity cards can be read without card holder knowledge by fifty or more feet away. Activities like spoofing and cloning can happen without the end user ever being physically separated from their credentials.
  • Widely Available in Distribution: Obtaining 'blank' proximity cards is easy and cheap. If an unauthorized user knows just a few basic details about the cards in use, they can procure 'exact matches' of active cards at most facilities with little effort. While mechanical keyblanks are commonly available, they still require additional cutting before being used improperly. In many cases, buying exact copies of active cards is less difficult.
  • Credentials Often Not Securely Stored: While end users never leave keys or wallets unattended, credential cards are often hung from lanyards around rear-view mirrors or stuffed into duffel bags after work, and can be easily stolen or 'read' for the purposes of cloning. Cards are commonly lost or misplaced and many users do not recognize the security vulnerability introduced when this happens.

The Scope of the Threat

Since it's introduction to the security market in the 1980's, contactless RFID has been the standard method of delivering credentials into physical access control systems. Not only do users find Proximity (Prox) Cards easy to use - wave a card in front of a reader - it requires special equipment to read or emit the information it uses. However, the security was largely assured by 'security through obscurity'.

While the technology is still fairly uncommon, it is by no means 'protected' or 'restricted'. An individual with a modest amount of proximity card/reader knowledge can find a number of exploits and procure equipment to take advantage of them. In recent years, a sure way to be noticed at hacker conventions, electronic hobbyist projects, or to have an engineering paper recognized is to publish methods on how cheaply and easily prox card weaknesses can be taken advantage of. However, despite the buzz, most of these methods remain out of the reach of common criminals.

Really a Problem?

Evaluating these vulnerabilities in terms of actual risk is difficult. It is unlikely that an individual intent on unauthorized entry will be patient enough and have the specialized knowledge required to take advantage of these exploits. Very few examples exist in the public domain of someone entering a facility via Prox card vulnerabilities, and most end users may still find their biggest access risk comes from guys with sledgehammers less sophisticated threats. A risk assessment simply reveals that the chance of someone spoofing or cloning an access card is unlikely and security is not practically effected.

However, many government and 'high security' installations find prox card vulnerabilities too big and expensive to defend against. Security protocol in these facilities means active risk mitigation must take place as soon as it is recognized. In many cases, this means that proximity cards have been prohibited from use in those facilities. For example, with the advent of HSPD-12, the US Government has adopted FIPS-201 PIV standards that eliminate use of prox cards entirely, in part to eliminate these vulnerabilities.

Mitigating the Risk

Manufacturing often suggest replacing reader with new technology, and even incentivize doing so. For example, iClass is cheaper than Prox II. However, massive credential and reader replacement is not always necessary to increase the security of a system. For those end users not in position to pay for upgrades, here are some practical steps to consider with existing equipment:

  • Two-Factor Authentication: A simple step to take follows the "Something You Have AND Something You Know" verification path. In real terms, this means requiring both a card credential and a PIN to access an opening. While the next effect might be slowing down the credential process, it condenses spoofing or cloning a card only half the effort needed to gain access.
  • Tighten down Access Levels: This is an often overlooked, but perhaps most critical aspect, of managing an electronic access control system. This step requires configuring the system to permit card holders access only during certain times and on certain days. In other words, first-shift employees only have access during first shift periods on workdays, and so on. Rather, many access system managers 'balance' the matter of convenience versus security by simply permitting a card holder access any time on any day. However, while tightening down access permissions may increase inconvenience during 'non-standard' circumstances, it can significantly increase overall security by reducing the utility of faked access cards.
  • Use uncommon 'facility codes': A critical piece of information most access systems use to define credentials is the 'facility code'. Most systems require this code to be a certain value in order for a card to even be 'read' by the system. However, many end users do not realize the importance of this code, and just use whatever their system is defaulted to use. In the same way that a 'restricted keyway' limits the number of keyblanks that can be used to make a illegal keys, using a unique set of 'factory codes' limits the potential number of blank prox cards to use against a system. While this step will not prevent sophisticated spoofers from reading this code, it is easy layer of security to add to these systems.
  • Layer Video Surveillance with Access: Aside from the value of having visual records entry to a facility, adding cameras at doors, and integrating video with access systems will reveal tampering and unauthorized entry attempts. Even the most sophisticated exploits may take more than one effort, and validating entry records against specific people can uncover problems before they become serious.
  • Encourage carriers to treat credentials as keys: Many credential carriers see cards as a picture ID badge rather than an opportunity for someone to gain unauthorized access. In the same way that users would not store key rings in an insecure manner, it is important to reinforce prox cards in a safe, secure spot when not being used. Stressing the importance of keeping prox credential badges on their person or securely stored at all times will significantly reduce the risk of unauthorized entry.

1 report cite this report:

Paxton Access Control Company Profile on Dec 07, 2015
This note profiles access company Paxton, our 3rd installment in an ongoing series, following our profiles of Tyco Kantech and DSX. Inside we...
Comments : PRO Members only. Login. or Join.

Related Reports

Nortek Mobile Access Reader BluePass Examined on Feb 12, 2019
Nortek's Linear access control division claims to make mobile credentials "more secure and easier to use than ever before" with their BluePass...
No Genetec Major Releases In Over A Year on Feb 06, 2019
Annual VMS licenses are a controversial practice in the video surveillance industry, with many questioning their need or value. However, enterprise...
HID Launches Origo To Fix Mobile Credential Problems on Feb 05, 2019
HID is releasing Origo, an overhaul of its mobile credential platform, this time drastically restructuring the way it is priced and packaged. HID's...
Designing Access Control Guide on Jan 30, 2019
Designing an access control solution requires decisions on 8 fundamental questions. This in-depth guide helps you understand the options and...
Access Control Turnstiles Guide on Jan 28, 2019
Turnstiles control pedestrian access to secured areas, essentially becoming moving portions of fences, walls, or barricades for physically stop...
Genetec Favorability Report 2019 on Jan 25, 2019
Genetec's favorability moderately strengthed, in new IPVM integrator statistics over their results from 2017, with 2019 results showing solid, but...
Access Control Records Maintenance Guide on Jan 16, 2019
Weeding out old entries, turning off unused credentials, and updating who carries which credentials is as important as to maintaining security as...
Access Control Cabling Tutorial on Jan 15, 2019
Access Control is only as reliable as its cables. While this aspect lacks the sexiness of other components, it remains a vital part of every...
Avigilon Favorability Results 2019 on Jan 15, 2019
Since IPVM's 2017 Avigilon favorability results, the company was acquired by Motorola and has shifted from being an aggressive startup to a more...
Wavelynx Access Control Manufacturer Profile on Jan 10, 2019
Denver-based WaveLynx is not well known as an access reader manufacturer, but OEMs for big industry brands including Amag, Isonas (Allegion),...

Most Recent Industry Reports

Casino Surveillance Pro Interview: James Lathrop on Feb 15, 2019
James Lathrop has been working in casinos for almost 25 years. During that time, he says he has held "just about every job you can do in the...
Hikvision 2018 Revenue Tops $7 Billion USD But Growth Slows To Low on Feb 15, 2019
Hikvision's annual revenue topped $7 billion for the first time in 2018, although growth slowed sharply. In this post, we analyze the latest...
Hanwha Smaller Multi Imager Tested (PNM-9000VQ) on Feb 14, 2019
Hanwha's first repositionable multi imager PNM-9081VQ tested well, but was huge, over 12" wide and weighing in at over 10 pounds. Now, they have...
ADT And 'The Defenders' Silent About Massive Complaints on Feb 14, 2019
ADT's largest dealer, "The Defenders" has been the subject of a massive number of complaints over many years and many forums, most recently a CBS...
Hikvision Chairman Praises United Front on Feb 14, 2019
Hikvision’s controlling shareholder held a meeting last month praising the United Front, a Communist Party organization known for its secretive...
Sales Turnover At Anyvision on Feb 13, 2019
Anyvision raised a $43 million Series A and according to their newest investor: what you need to do is push the gas pedal and build an...
Cisco Meraki Cloud VMS/Cameras Tested on Feb 13, 2019
Cisco Meraki says their cameras "bring Meraki magic to the enterprise video security world". According to Meraki, their magic is their management...
Uniview / UNV Favorability Results 2019 on Feb 12, 2019
Uniview / UNV, the self-proclaimed #3 China manufacturer, while starting late, has been working to make inroads internationally. In IPVM's 2019...
Nortek Mobile Access Reader BluePass Examined on Feb 12, 2019
Nortek's Linear access control division claims to make mobile credentials "more secure and easier to use than ever before" with their BluePass...
Solink Raises $12 Million - Company Profile on Feb 12, 2019
Most industry professionals have never heard of Solink, a company whose tagline is: It's time to revolutionize the way business uses...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact