Secure Data Transmission and Storage for Access Control Management Systems (ACMS): Part 1 - Card Cloning and Card Security
by Chris Vanderbles

In this blog series, we'll delve into what it takes to have true data security when it comes to your access control system. We'll begin with the card (physical credential) and work our way up to the server/database level, but first, let's identify the root problem.
The Problem:
Traditional access control systems have historically relied on technical obfuscation, AKA “security through obscurity”, and the high level of skill that would be necessary to undermine the system as key factors in keeping the customer’s facility secure. Due to several technical advancements, access to inexpensive manufacturing, and the general advancement of the sophistication of attackers, this model is now vulnerable to several “fast and easy” hacks that allow the everyday criminal to expand their horizons.
Part 1 - Card Cloning and Card Security:
Let’s talk access cards for a moment. One of the most widely recognized access cards is the nearly ubiquitous “Proxy” card. This card tends to be a legacy 125 kHz Proximity card made by HID (www.hidglobal.com). These cards have long been the workhorse of the corporate world. Released in the 1980s, they brought about a revolution in access control. The cards were pre-programmed by the manufacturer with certain card numbers and facility codes. The RFID (Radio Frequency Identification) proximity technology in the cards allowed users to simply place the card near the reader and get the doors to unlock (if they had access). This card technology is still widely in use today, though we’ll see why that’s a security risk these days.
The biggest downside to this style of card is that the data encoded on the card is 100% unencrypted. This means that the data can be read by anything that can get in range of the card and knows how to process the signal. One of the most widely known (but more expensive) options to achieve this is the ProxMark device, originally developed by Jonathan Westhues and released under the GNU General Public License (GPL) back in 2007. Originally, the product had to be kitted together, hand assembled, soldered, programmed, etc., all of which required a technically skilled individual. Fast forward more than a decade, and the current incarnation is available for purchase online for $300-$400, and includes the ability to read and clone 125 kHz proximity cards as well as the newer 13.56 MHz Mifare cards (more on those later).
The good news is that this tool was ultimately designed for penetration testers and is still probably out of reach for your common criminal. Now for the bad news: there are at least a couple of less expensive, easier ways to copy a legacy prox card.
1. Key copying kiosks are commonplace these days. What is newer is that some kiosks can additionally copy / clone your access card. The company KeyMe does just that, enabling anyone with a card to submit it for copying. The good news (if you can call it that) is that you actually have to have the card in your possession at the kiosk in order to copy it, so a criminal would need to physically have your card in order to copy it (just as with copying a key).
2. Cheap card-cloners are now also available directly online for as little as $30. These devices can copy / clone HID 125 kHz proximity cards, are battery powered, and have a grand total of 3 buttons on them (on/off, read, write). Any criminal can now copy your card if they get close enough to it (typically 1-2 inches) for about 1 second. These devices usually make a beep noise when they copy a card, but it is trivial to damage the speaker to make them silent.
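Why a copied legacy prox card is indistinguishable from the original, as an added example that is not part of the original post. It assumes the common open 26-bit layout (parity bit, 8-bit facility code, 16-bit card number, parity bit), which the post does not name; the function names, sample frame and enrolled list are constructed for illustration.

```python
# Added illustration; the 26-bit layout is an assumption, not from the post.
# Layout: [even parity][8-bit facility code][16-bit card number][odd parity]


def decode_26bit(bits: str) -> tuple[int, int]:
    """Return (facility_code, card_number) or raise ValueError on a bad frame."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    # Leading parity bit makes the count of 1s in the first 13 bits even.
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("even-parity check failed")
    # Trailing parity bit makes the count of 1s in the last 13 bits odd.
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("odd-parity check failed")
    return int(bits[1:9], 2), int(bits[9:25], 2)


def grants_access(bits: str, enrolled: set[tuple[int, int]]) -> bool:
    """What a legacy controller can decide: parity OK and the pair is enrolled.

    The frame carries no key, challenge or counter, so the decision depends
    only on the bits themselves, not on which device presented them.
    """
    try:
        return decode_26bit(bits) in enrolled
    except ValueError:
        return False


# Constructed sample: facility code 42, card number 1234.
SAMPLE_FRAME = "10010101000000100110100100"
ENROLLED = {(42, 1234)}

if __name__ == "__main__":
    print(decode_26bit(SAMPLE_FRAME))
    print(grants_access(SAMPLE_FRAME, ENROLLED))
    # One flipped bit: parity detects transmission errors, nothing more.
    print(grants_access(SAMPLE_FRAME[:-1] + "1", ENROLLED))
```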
In addition to the legacy prox card being cloneable, the encryption present on several 1st generation contactless smart-cards (13.56 MHz) has also been cracked / broken. Card technologies that have been hacked / broken include:
• Most 125 kHz Proximity (HID, Indala, etc.)
• HID iClass
• Mifare (also known as Mifare Classic)
Card technologies that are not currently compromised:
• HID iClass SE
• HID iClass SEOS
• Mifare DESFire Family (EV1 and EV2)
• Mifare Plus
When selecting a card and reader technology for your facility, don't just opt for the cheapest technology available, as that can prove to be a disastrous, and costly, decision in the long run. Make sure you select a card and reader technology that is secure so that you can avoid a major security breach (at worst), or having to pay to replace the cards and readers at a later date. While replacing the readers and cards themselves can be costly, many do not consider the amount of administrative time and effort it takes to completely re-issue a new set of credentials to an entire employee operation. Not only does replacing the credentials take additional administrative time, but there are inevitably disruptions to the facility's operations when people are switching between cards, which can directly affect the productivity of your employees. Choosing a secure technology at the beginning of the project may slightly increase the costs of the readers and credentials (10%-50% typically), but the overall cost of these components is typically small in comparison to that of the entire system.
If you're interested in learning more, have questions, or just want a frank evaluation of your current or newly planned access control system, then please reach out to our knowledgeable sales team at 346-200-3400.