Proximity Card Vulnerabilities

Author: Brian Rhodes, Published on Aug 22, 2012

Even though it is the most common credential in access control today, proximity cards face notable security problems. The effort to move end users to newer card technologies is no accident; technology vendors are not only trying to sell new readers, but they are trying to mitigate the risk inherent in every single one of these older cards.

What are these risks, and what can be done to make them more secure short of overhauling all the readers and cards in an access control system? In this note, we dig in to this issue and provide our recommendations.

Weaknesses

It is surprising for some to realize that 'proximity cards' have been in use for over 30 years. Like many technologies, the more widely it is used, the less protected it becomes against exploitation. After so many years, the methods of compromising proximity cards are common knowledge:

  • Easy to Spoof & Clone: the Internet is full of websites, videos, and ready-to-build kits designed to illegally copy or duplicate credential cards.
  • Easy to Intercept: This is a specific element of spoofing, that introduces a 'passive reader' near a security card reader that scans cards as they are presented. Unlike 'contact credentials' or short-range proximity technologies like NFC, proximity cards can be read without card holder knowledge by fifty or more feet away. Activities like spoofing and cloning can happen without the end user ever being physically separated from their credentials.
  • Widely Available in Distribution: Obtaining 'blank' proximity cards is easy and cheap. If an unauthorized user knows just a few basic details about the cards in use, they can procure 'exact matches' of active cards at most facilities with little effort. While mechanical keyblanks are commonly available, they still require additional cutting before being used improperly. In many cases, buying exact copies of active cards is less difficult.
  • Credentials Often Not Securely Stored: While end users never leave keys or wallets unattended, credential cards are often hung from lanyards around rear-view mirrors or stuffed into duffel bags after work, and can be easily stolen or 'read' for the purposes of cloning. Cards are commonly lost or misplaced and many users do not recognize the security vulnerability introduced when this happens.

The Scope of the Threat

Since it's introduction to the security market in the 1980's, contactless RFID has been the standard method of delivering credentials into physical access control systems. Not only do users find Proximity (Prox) Cards easy to use - wave a card in front of a reader - it requires special equipment to read or emit the information it uses. However, the security was largely assured by 'security through obscurity'.

While the technology is still fairly uncommon, it is by no means 'protected' or 'restricted'. An individual with a modest amount of proximity card/reader knowledge can find a number of exploits and procure equipment to take advantage of them. In recent years, a sure way to be noticed at hacker conventions, electronic hobbyist projects, or to have an engineering paper recognized is to publish methods on how cheaply and easily prox card weaknesses can be taken advantage of. However, despite the buzz, most of these methods remain out of the reach of common criminals.

Really a Problem?

Evaluating these vulnerabilities in terms of actual risk is difficult. It is unlikely that an individual intent on unauthorized entry will be patient enough and have the specialized knowledge required to take advantage of these exploits. Very few examples exist in the public domain of someone entering a facility via Prox card vulnerabilities, and most end users may still find their biggest access risk comes from guys with sledgehammers less sophisticated threats. A risk assessment simply reveals that the chance of someone spoofing or cloning an access card is unlikely and security is not practically effected.

However, many government and 'high security' installations find prox card vulnerabilities too big and expensive to defend against. Security protocol in these facilities means active risk mitigation must take place as soon as it is recognized. In many cases, this means that proximity cards have been prohibited from use in those facilities. For example, with the advent of HSPD-12, the US Government has adopted FIPS-201 PIV standards that eliminate use of prox cards entirely, in part to eliminate these vulnerabilities.

Mitigating the Risk

Manufacturing often suggest replacing reader with new technology, and even incentivize doing so. For example, iClass is cheaper than Prox II. However, massive credential and reader replacement is not always necessary to increase the security of a system. For those end users not in position to pay for upgrades, here are some practical steps to consider with existing equipment:

  • Two-Factor Authentication: A simple step to take follows the "Something You Have AND Something You Know" verification path. In real terms, this means requiring both a card credential and a PIN to access an opening. While the next effect might be slowing down the credential process, it condenses spoofing or cloning a card only half the effort needed to gain access.
  • Tighten down Access Levels: This is an often overlooked, but perhaps most critical aspect, of managing an electronic access control system. This step requires configuring the system to permit card holders access only during certain times and on certain days. In other words, first-shift employees only have access during first shift periods on workdays, and so on. Rather, many access system managers 'balance' the matter of convenience versus security by simply permitting a card holder access any time on any day. However, while tightening down access permissions may increase inconvenience during 'non-standard' circumstances, it can significantly increase overall security by reducing the utility of faked access cards.
  • Use uncommon 'facility codes': A critical piece of information most access systems use to define credentials is the 'facility code'. Most systems require this code to be a certain value in order for a card to even be 'read' by the system. However, many end users do not realize the importance of this code, and just use whatever their system is defaulted to use. In the same way that a 'restricted keyway' limits the number of keyblanks that can be used to make a illegal keys, using a unique set of 'factory codes' limits the potential number of blank prox cards to use against a system. While this step will not prevent sophisticated spoofers from reading this code, it is easy layer of security to add to these systems.
  • Layer Video Surveillance with Access: Aside from the value of having visual records entry to a facility, adding cameras at doors, and integrating video with access systems will reveal tampering and unauthorized entry attempts. Even the most sophisticated exploits may take more than one effort, and validating entry records against specific people can uncover problems before they become serious.
  • Encourage carriers to treat credentials as keys: Many credential carriers see cards as a picture ID badge rather than an opportunity for someone to gain unauthorized access. In the same way that users would not store key rings in an insecure manner, it is important to reinforce prox cards in a safe, secure spot when not being used. Stressing the importance of keeping prox credential badges on their person or securely stored at all times will significantly reduce the risk of unauthorized entry.

1 report cite this report:

Paxton Access Control Company Profile on Dec 07, 2015
This note profiles access company Paxton, our 3rd installment in an ongoing series, following our profiles of Tyco Kantech and DSX. Inside we...
Comments : PRO Members only. Login. or Join.

Related Reports

Ex-Integrator Now Growth Strategist Interviewed on Apr 24, 2019
For more than a decade, Scot MacTaggart was a security integrator (at PA-based PSX). In late 2018, he left the industry. He is now a Growth...
19 Facial Recognition Providers Profiled on Apr 23, 2019
IPVM interviewed 19 facial recognition providers at ISC West to understand their claimed accuracy, success and positioning. 9 from China, where...
ACRE Acquires RS2, Explains Acquisition Strategy on Apr 19, 2019
ACRE continues to buy, now acquiring RS2, just 5 months after buying Open Options. One is a small access control manufacturer from Texas, the...
Access Control Course Spring 2019 - Last Chance on Apr 19, 2019
 Register for the Spring 2019 Access Control Course----Closed IPVM offers the most comprehensive access control course in the industry. Unlike...
Door Operators Access Control Tutorial on Apr 17, 2019
Doors equipped with door operators, specialty devices that automate opening and closing, tend to be quite complex. The mechanisms needed to...
Alarm.com Favorability Results 2019 on Apr 15, 2019
The once dot com startup has evolved to become a core provider for home security and is now expanding into commercial. In their first entry in...
ISC West 2019 Report on Apr 12, 2019
The IPVM team has finished at the Sands looking at what companies are offering and how they are changing their positioning. See below for 50+...
Spring 2019 50+ New Products Directory on Apr 08, 2019
We are compiling a list of new products for Spring 2019 and have over 50 already. Contrast to Fall 2018 New Products Directory and Spring 2018...
Startup GateKeeper Aims For Unified Physical / Logical Access Token on Apr 04, 2019
This startup's product claims to 'Kill the Password' you use to keep your computers safe.  They have already released their Gatekeeper Halberd...
Airship VMS Profile on Apr 03, 2019
Airship has been developing VMS software for over 10 years, however, with no outside investment, and minimal marketing, the company is not well...

Most Recent Industry Reports

Verkada Salesman: IPVM "Stuck In A The Stone Age" on Apr 25, 2019
Verkada is 'tackling dinosaurs' and battling those, like IPVM, who are 'stuck in a the stone age'. Verkada's recent sales recruiting promotion...
The HIVIDEO $31 Face Detection DVR Tested on Apr 25, 2019
Face detection in a $31 DVR? That is what "HIVIDEO" (not to be confused with Hikvision, even if the company intends to do that) was promoting at...
Amazon Marketing Pro Installs of Amazon Security Systems on Apr 25, 2019
Is Amazon a threat to conventional providers like ADT, Vivint and Brinks Home Security? Many say no. Now, Amazon is advertising free in-home...
Ex-Integrator Now Growth Strategist Interviewed on Apr 24, 2019
For more than a decade, Scot MacTaggart was a security integrator (at PA-based PSX). In late 2018, he left the industry. He is now a Growth...
19 Facial Recognition Providers Profiled on Apr 23, 2019
IPVM interviewed 19 facial recognition providers at ISC West to understand their claimed accuracy, success and positioning. 9 from China, where...
Locking Down Network Connections Guide on Apr 23, 2019
Accidents and inside attacks are risks when network connections are not locked down. Security and video surveillance systems should be protected...
Hikvision Admits USA Sales Falling on Apr 22, 2019
Hikvision, in a new Chinese financial filing, has admitted that its USA sales are now falling. Less than a year after the US government passed a...
Speco Ultra Intensifier Tested on Apr 22, 2019
While ISC West 2019 named Speco's Ultra Intensifier the best new "Video Surveillance Cameras IP", IPVM testing shows the camera suffers from...
Arecont Favorability Results 2019 on Apr 22, 2019
Arecont's net negativity remained the same in IPVM's 2019 integrator study, though integrator's feeling became relatively more neutral compared to...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact