Proximity Card Vulnerabilities

Author: Brian Rhodes, Published on Aug 22, 2012

Even though it is the most common credential in access control today, proximity cards face notable security problems. The effort to move end users to newer card technologies is no accident; technology vendors are not only trying to sell new readers, but they are trying to mitigate the risk inherent in every single one of these older cards.

What are these risks, and what can be done to make them more secure short of overhauling all the readers and cards in an access control system? In this note, we dig in to this issue and provide our recommendations.

Weaknesses

It is surprising for some to realize that 'proximity cards' have been in use for over 30 years. Like many technologies, the more widely it is used, the less protected it becomes against exploitation. After so many years, the methods of compromising proximity cards are common knowledge:

  • Easy to Spoof & Clone: the Internet is full of websites, videos, and ready-to-build kits designed to illegally copy or duplicate credential cards.
  • Easy to Intercept: This is a specific element of spoofing, that introduces a 'passive reader' near a security card reader that scans cards as they are presented. Unlike 'contact credentials' or short-range proximity technologies like NFC, proximity cards can be read without card holder knowledge by fifty or more feet away. Activities like spoofing and cloning can happen without the end user ever being physically separated from their credentials.
  • Widely Available in Distribution: Obtaining 'blank' proximity cards is easy and cheap. If an unauthorized user knows just a few basic details about the cards in use, they can procure 'exact matches' of active cards at most facilities with little effort. While mechanical keyblanks are commonly available, they still require additional cutting before being used improperly. In many cases, buying exact copies of active cards is less difficult.
  • Credentials Often Not Securely Stored: While end users never leave keys or wallets unattended, credential cards are often hung from lanyards around rear-view mirrors or stuffed into duffel bags after work, and can be easily stolen or 'read' for the purposes of cloning. Cards are commonly lost or misplaced and many users do not recognize the security vulnerability introduced when this happens.

The Scope of the Threat

Since it's introduction to the security market in the 1980's, contactless RFID has been the standard method of delivering credentials into physical access control systems. Not only do users find Proximity (Prox) Cards easy to use - wave a card in front of a reader - it requires special equipment to read or emit the information it uses. However, the security was largely assured by 'security through obscurity'.

While the technology is still fairly uncommon, it is by no means 'protected' or 'restricted'. An individual with a modest amount of proximity card/reader knowledge can find a number of exploits and procure equipment to take advantage of them. In recent years, a sure way to be noticed at hacker conventions, electronic hobbyist projects, or to have an engineering paper recognized is to publish methods on how cheaply and easily prox card weaknesses can be taken advantage of. However, despite the buzz, most of these methods remain out of the reach of common criminals.

Really a Problem?

Evaluating these vulnerabilities in terms of actual risk is difficult. It is unlikely that an individual intent on unauthorized entry will be patient enough and have the specialized knowledge required to take advantage of these exploits. Very few examples exist in the public domain of someone entering a facility via Prox card vulnerabilities, and most end users may still find their biggest access risk comes from guys with sledgehammers less sophisticated threats. A risk assessment simply reveals that the chance of someone spoofing or cloning an access card is unlikely and security is not practically effected.

However, many government and 'high security' installations find prox card vulnerabilities too big and expensive to defend against. Security protocol in these facilities means active risk mitigation must take place as soon as it is recognized. In many cases, this means that proximity cards have been prohibited from use in those facilities. For example, with the advent of HSPD-12, the US Government has adopted FIPS-201 PIV standards that eliminate use of prox cards entirely, in part to eliminate these vulnerabilities.

Mitigating the Risk

Manufacturing often suggest replacing reader with new technology, and even incentivize doing so. For example, iClass is cheaper than Prox II. However, massive credential and reader replacement is not always necessary to increase the security of a system. For those end users not in position to pay for upgrades, here are some practical steps to consider with existing equipment:

  • Two-Factor Authentication: A simple step to take follows the "Something You Have AND Something You Know" verification path. In real terms, this means requiring both a card credential and a PIN to access an opening. While the next effect might be slowing down the credential process, it condenses spoofing or cloning a card only half the effort needed to gain access.
  • Tighten down Access Levels: This is an often overlooked, but perhaps most critical aspect, of managing an electronic access control system. This step requires configuring the system to permit card holders access only during certain times and on certain days. In other words, first-shift employees only have access during first shift periods on workdays, and so on. Rather, many access system managers 'balance' the matter of convenience versus security by simply permitting a card holder access any time on any day. However, while tightening down access permissions may increase inconvenience during 'non-standard' circumstances, it can significantly increase overall security by reducing the utility of faked access cards.
  • Use uncommon 'facility codes': A critical piece of information most access systems use to define credentials is the 'facility code'. Most systems require this code to be a certain value in order for a card to even be 'read' by the system. However, many end users do not realize the importance of this code, and just use whatever their system is defaulted to use. In the same way that a 'restricted keyway' limits the number of keyblanks that can be used to make a illegal keys, using a unique set of 'factory codes' limits the potential number of blank prox cards to use against a system. While this step will not prevent sophisticated spoofers from reading this code, it is easy layer of security to add to these systems.
  • Layer Video Surveillance with Access: Aside from the value of having visual records entry to a facility, adding cameras at doors, and integrating video with access systems will reveal tampering and unauthorized entry attempts. Even the most sophisticated exploits may take more than one effort, and validating entry records against specific people can uncover problems before they become serious.
  • Encourage carriers to treat credentials as keys: Many credential carriers see cards as a picture ID badge rather than an opportunity for someone to gain unauthorized access. In the same way that users would not store key rings in an insecure manner, it is important to reinforce prox cards in a safe, secure spot when not being used. Stressing the importance of keeping prox credential badges on their person or securely stored at all times will significantly reduce the risk of unauthorized entry.

1 report cite this report:

Paxton Access Control Company Profile on Dec 07, 2015
This note profiles access company Paxton, our 3rd installment in an ongoing series, following our profiles of Tyco Kantech and DSX. Inside we...
Comments : PRO Members only. Login. or Join.

Related Reports

Startup SafePass Profile on Oct 19, 2018
A major problem with visitor management is that the systems mostly require adhesive printed paper labels and paper logs, creating waste and an...
Higher Power PoE 802.3bt Ratified, Impact on Security Products Examined on Oct 12, 2018
Power over Ethernet has become one of the most popular features of many video, access, and other security products. See our PoE for IP Video...
Door Hinges Guide on Oct 10, 2018
Some of the trickiest access control problems are caused by bad door hinges. From doors not closing right, to locks not locking, worn or warped...
Security System Health Monitoring Usage Statistics 2018 on Oct 09, 2018
How well and quickly do integrators know if devices are offline or broken? New IPVM statistics show that typically no health monitoring is...
UTC Merges Lenel and S2, Creates LenelS2 on Oct 03, 2018
UTC has completed the acquisition of S2, launching literally Lenel's2 LenelS2 with UTC declaring that "LenelS2 unites two world-class teams with...
Anti-Tailgating Startup: Spyfloor on Oct 03, 2018
A Canadian startup, Spyfloor, is using a different approach to warn against tailgating, a common access control problem. By counting feet,...
ASIS GSX 2018 Mixed Manufacturer Reviews With Declining Overall Attendance on Oct 02, 2018
ASIS GSX 2018 show drew 9% fewer total registrants, however, it gained 15% more paid registrations, according to ASIS. In this note, we look...
VMS Mobile App Shootout - Avigilon, Dahua, Exacq, Genetec, Hikvision, Milestone on Oct 01, 2018
Mobile VMS apps are a critical interface for the modern surveillance user. But who does it best and worst? We tested 6 manufacturers - Avigilon,...
Favorite Power Supply Manufacturer 2018 on Sep 28, 2018
While power supplies are becoming less important as PoE matures, they remain vital to access control systems, where increased power for locks,...
AHJ / Authority Having Jurisdiction Tutorial on Sep 27, 2018
One of the most powerful yet often underappreciated characters in all of physical security is the Authority Having Jurisdiction (AHJ). Often,...

Most Recent Industry Reports

Startup SafePass Profile on Oct 19, 2018
A major problem with visitor management is that the systems mostly require adhesive printed paper labels and paper logs, creating waste and an...
China Is Not A Security Megatrend, Says SIA on Oct 19, 2018
The US Security Industry Association has released its 10 "Security Megatrends" for 2019. SIA declares that these megatrends, such as "Advanced...
Hanwha Dual Imager Dome Camera Tested (PNM-7000VD) on Oct 18, 2018
Hanwha has introduced their first dual-imager model, the PNM-7000VD, a twin 1080p model featuring independently positionable sensors and a snap-in...
Camera Height / Blind Spot Added to IPVM Camera Calculator on Oct 18, 2018
IPVM has added camera height and blind spot estimation to the Camera Calculator. This is especially helpful for those who need to mount cameras up...
Axis Strong US Growth, Flat EMEA - Q3 2018 Financials on Oct 18, 2018
This spring, Axis had its best financials in many years (see Axis Strong Q2 2018 Results). However, over the summer, Axis had many products sold...
Best Alternatives to Banned Dahua and Hikvision on Oct 17, 2018
With the US government ban and a growing number of users banning Dahua and Hikvision, one key question is what to use for low cost? While Dahua and...
Video Quality / Compression Tutorial on Oct 17, 2018
While CODECs, like H.264, H.265, and MJPEG, get a lot of attention, a camera's 'quality' or compression setting has a big impact on overall...
Knightscope Winning Investors, Struggling With Growth on Oct 16, 2018
While Knightscope's new financials show the company only winning 11 new customers in the past 12 months, the company continues to win new...
Integrator Laptop Guide on Oct 16, 2018
This 18-page guide provides guidance and statistics about integrator laptop use. 150 integrators explained to IPVM in detail about their laptops,...
Huawei Admits AI "Bubble" on Oct 16, 2018
A fascinating article from the Chinese government's Global Times: Huawei’s AI ambition to reshape industries. While the Global Times talks about...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact