Access control in the form of electronic readers and RFID cards have replaced traditional key-and-lock systems in most commercial / residential properties – at least for the semi-public, high traffic areas. The advantages are plentiful – ease of granting access to multiple individuals, ease of auditing transactions, ease of revoking access when a card is lost as opposed to re-keying an entire building or set of doors.
However, what if I told you that in order to gain access to most of the commercial / residential buildings in Downtown Vancouver, all I would need is a $25 dollar gadget on Amazon anyone can buy (with Prime shipping to boot)? Would you believe me? Would you still trust your property’s access control measures to keep unwanted people out?
Let’s begin by explaining in layman’s terms how a RFID access control keycard works. Your average RFID proximity (prox) cards use 125 kHz radio frequency fields to communicate when in close “proximity” to a reader (hence the name). A prox card is divided into three components: a coil, a capacitor, and an integrated circuit. When a card is presented to a reader, the reader’s electrical field excites a coil in the card. The coil charges a capacitor and, in turn, powers an integrated circuit. The integrated circuit outputs the card number to the coil which transmits it to the reader. The reader then verifies the number against a list of approved, issued credentials, and then either grants access, or denies it.
In a security context, what we need to be aware of is the fact that the transmission of the card number happens in the clear — it is not encrypted. Hence, the $25 Arduino based RFID reader/writer I referred to earlier is capable of copying most 125 kHz proximity cards that use open 26 bit format. The particular tool I purchased can be used to copy popular 125 kHz HID Prox, ISOProx, and Prox II formats, and several others commonly used in access control such as EM4100 and AWID formats.
I tested the device on both residential and commercial properties (locations withheld for privacy) in the lower mainland and had no issues cloning and subsequently using prox cards and building fobs to gain access into restricted areas, such as parking lots, elevators, office spaces, etc. From what I have seen so far, I would hazard a rough guess that over 50% of properties still use 125 kHz RFID frequencies for their access control tokens.
Moreover, on the transaction logs, the spoofed copies appear identical to the original credentials. Multiple copies of the same fob/card are indistinguishable from the original. The implications for this are severe. Imagine if you left your card lying around, and someone seizes the opportunity to clone it within a few seconds. Later, any misconduct they commit using the cloned card will be attributed to your access credentials, landing you under investigation as a primary suspect or accomplice.
Now, there are some limitations. The unit I purchased must be held close to the card for the copying antenna to work, at a distance of less than ½ inch. This is somewhat of a benefit to cardholders, because someone bent on stealing and spoofing card must be very close to do it. Moreover, the device currently emits a series of loud, sharp beeps, which would alert most people. However, the time needed to steal the information is fast - less than 4 seconds, so it is conceivable that someone could have card details copied and stolen without realizing it, especially in crowded groups of people with lots of background noise.
More importantly, social engineering could bypass these limitations. It costs very little for me to don a hard hat, high visibility vest, procure a clipboard with some fancy papers, and spruce up the clamshell of the device to look more professional. I would then stand at the entrance of the building and inform tenants that I am a “facilities technician” conducting a periodic “recharge/audit/repair” of their access card. I would guess that although some individuals may challenge me, most will defer to my perceived authority and expertise, and allow me to do so. It goes without saying, that the human factor will always be the weakest link, especially when technology is blindly introduced to augment performance.
However, there are a few methods to mitigate this risk, depending on our budget, the type of facility we are protecting, the value of assets under access control, and the severity of consequences should a breach occur:
- Firstly, we can implement two-factor authentication, a protocol where users must present two different credentials to verify themselves before access is granted. For instance, we may combine the use of an access card with a PIN keypad or biometric, such as a retina scanner. Even if a card is spoofed, the attacker must also know the Pin or have their biometrics on file, a task which significantly delays or even deters them outright.
- Secondly, we can make the shift to contact less smart card technology – specifically, 13.56-MHz cards. The 13.56 MHz formats are encrypted and the data they hold must be first decoded by the companion reader with a specific 'key' value, otherwise the information they transmit in open air is heavily hashed, ensuring encrypted communication between the card and reader. 13.56 MHz cards are more expensive, but only a modest 15% - 25% more, and are frequently offered at the same or lower price of the less secure 125 kHz types when purchased in bulk. One must ask themselves whether the higher price is worth avoiding for greater risk exposure and consequence of loss should a credential be spoofed and misused.
- Finally, we can take advantage of smartphone NFC (near-field communication) capabilities to store credentials on a phone. Mobile credentials are easy to assign, monitor, and revoke in real time. They can be easily tracked in a centralized database. It is difficult for them to be copied or duplicated. From a practical perspective – we tend to share and leave key cards unattended quite a bit, even if on a lanyard. When was the last time you deliberately lent someone your phone, or left it sitting on a desk unlocked?
At the very least, facilities / IT / security managers should take a close look at their access control systems and determine if the risk exposure created by the use of 125 kHz prox cards is worth their cheap price and ease of use.