An essential ingredient of access control has long been the security of the credential which individuals used to gain access. Access control was initially promoted as a means to eliminate keys and enhance security.
Early access control used mechanical keypads and a single code to control an integral lock mechanism. Next, electronic keypads were introduced that controlled external locking devices. Card readers were eventually introduced for door control.
Credentials (cards) had already been used for decades for identification purposes, with Photo IDs being popular & cost efficient for many applications. These early Photo ID cards did not have any electronics on them. Badging involved taking a Polaroid picture of the person, cutting (cropping) it to the correct size, then laminating into a permanent plastic credential which the end-user wore and displayed while on the protected premises.
A big technical advance came when magnets were embedded in the card. The card was read by a specially designed reader in which magnetic disks moved, allowing the card to be pushed into the reader and actuate a microswitch. The microswitch was in the control circuit for a locking device.
Next, Wiegand technology employed tiny wires embedded in each credential. Ironically, the Wiegand encoding technology eventually became obsolete, but the wiring interface between the card reader and the door controller, also referred to as Wiegand, is still in use today. One reason might be that it works; another might be that by retaining the Wiegand interface even while introducing newer encoded card types, existing electronics and cabling could be retained, cutting transition costs.
The technology used in credentials has evolved since the first ones were introduced.
For decades, and until recently, encoded ferrous stripes were placed on credentials. One of the largest markets for these systems was ATMs located in the lobbies of retail banks, and credit cards. Also the military, government, financial organizations and corporations represented the major market.
Despite the fact that ‘magstripe’ cards were very vulnerable to the data being read from them, or the credential being counterfeited, they were inexpensive to manufacture and universally accepted for access control and banking.
Many other products were introduced along the way, including scanner type cards which passed light through the card to read an embedded mask, and exotic credentials which had bulky radio transmitters built in. These did not achieve mass acceptance into the market.
The next major advance was RFID (radio frequency identification) credentials, referred to as prox (proximity) cards.
These cards did not require physical contact with the reader. They were therefore very convenient and long-lasting, since it was physical contact between the credential and the reader that tended to scrape ferrous material off a credential and render it unreliable. Eventually ‘extended read range’ became an important selling feature for RFID systems.
Threats from DIY Kiosk Cloning
The impetus for this article was a recent announcement that vending style self-serve machines were now being installed in malls and other public places which could ‘clone’ (reproduce) RFID credentials, greatly inhibiting their value to those who were relying on them to secure their facilities and data.
Of course improved credential technology has been in use for decades, so this announcement was not a surprise to most people with even a casual familiarity with security, credentials, and keeping their property safe.
It’s surprising how credential security has evolved, and the pace at which certain industries have rolled out better technologies to protect clients and the public. They were using biometrics for decades at the Federal Reserve while we were using magstripe at the supermarket checkout.
What’s the Difference Between a MIFARE & a Proximity Card?
The majority of credential applications are using some type of proximity card or MIFARE card for access control, ticketing, toll, time and attendance, and other applications. It’s easy to confuse a proximity card with a MIFARE card. Here are the basic differences between the two technology card options:
Proximity Cards: The microchip embedded within a proximity card has only one function: to provide the prox card reader with the card’s identification number and/or site facility code number for verification by the electronic access control database.
Many access control systems only read the identification numbers. This data does not use as much memory as the data typically stored and sent on a smart card. Prox cards – such as the HID 1386 prox card – are commonly used for door access.
MIFARE Cards: MIFARE cards can provide identification, authentication, and store information on the card because of the microchip and available memory which is embedded within the MIFARE card. Encryption keys prevent data from being emitted until the MIFARE card and card reader mutually authenticate each other.
MIFARE is also an RFID card and operates at 13.56 MHz.
The Locksmith Ledger contacted experts in the security industry for their comments and recommendations.
Scott Lindley, General Manager, Farpointe Data, sees those kiosks which can clone RFID credentials and some vehicle RFIDs as a danger.
“Locksmiths should consider it a threat. Today, specialized retail key kiosks, such as what may be found in the neighborhood convenience store, are indeed capable of duplicating an RFID credential and, thereby, create a clone copy containing the exact data contained in the original. In addition to RFID credentials, these kiosks can often duplicate home, office and vehicle keys.”
He added that many of the most popular RFID credentials initially affected were those based upon 125-kHz proximity technology, including clamshell cards, ISO cards and key tags. Additionally, some RFID credentials based upon legacy 13.56-MHz contactless smartcard technology can now be cloned, too.
But not all of the effects of this development are bad, as it is increasing awareness of the need for secure credentials.
“We see that the cloning of RFID credentials by retail kiosks has actually helped to increase the use of RFID in electronic access control. Awareness to the security of the base card technology is increasing at the end user level. Not surprisingly, we see this awareness translating into a demand for access control credentials with encryption. More surprising, though, is the demand for specialized credentials, such as long-range and mobile, which present the credential’s access data only when expressly released by the user,” Lindley said.
So what can locksmiths do to mitigate the threat to security?
According to Lindley, one solution is upgrading the RFID credentials to 13.56-MHz contactless smartcards that make use of MIFARE® DESFire EV1 or EV2 technology.
Another solution, perhaps surprisingly, is keypad readers. With a keypad reader, security is elevated by adding the requirement of a second layer of identification – a PIN, to the first layer, a card read.
Finally, if safety, security and convenience are the locksmith’s prime issues, then mobile solutions are the clear choice. Today, the use of mobile phones as access credentials is one of the biggest trends in our industry. Look for a solution that protects the mobile access credential behind the smart phone’s security parameters - biometrics and PIN.
To emphasize, the user cannot have access to the mobile credential without having access to the smartphone. More simply said, if the phone doesn’t work, the credential doesn’t work.
Brian Marris, Product Manager, Allegion Connected Accessories, stated that RFID credentials that are not encrypted, including 125kHz Proximity credentials, are vulnerable to duplication in these kiosks. “There are also products out there that can easily read and duplicate mag-stripe credentials. Proximity credentials and mag-stripe credentials are technologies invented well over 60 years ago. They are no longer secure and easily duplicated. As with any outdated technology, credentials need to be updated to ensure the places where people work and thrive are secure.”
Marris adds that this is accelerating the loss of key control and security of sites that use credentials that are not encrypted. For some industries, this presents a major risk. Take multifamily for example. Key control is extremely important from a risk mitigation and a safety perspective. The industry has moved towards electronic credentials to help mitigate the risks associated with duplication of mechanical keys. These kiosks have essentially replicated the problem by allowing anyone to duplicate these proximity credentials.
Marris recommends that locksmiths take the following steps to educate and protect their customers. “Talk to your customers about these risks. Web search the closest kiosk locations and show your customers how easy this is becoming. Then proactively provide stakeholders education on the availability and economics of secure, encrypted credentials such as DESFire and new mobile credential technologies. Start educating yourself on these to better understand what is available. Smart and mobile technologies can provide a secure opening, but they can also limit choices if you aren’t careful. Highlight how customers can retain flexibility if they choose open, global-standard technology like NXP for their encrypted smart credentials. Assist customers in capturing an inventory of existing 125kHz credential applications and partner with your distributor or manufacturer’s representative to propose a migration path within the appropriate timeframe.”
Wendi J. Grinnell, VIZpin, recommends replacing RFID cards with smartphone credentials which cannot be copied and shared. Smartphone credentials will work with any access control system new or old and they are less expensive than RFID cards or fobs.
“Since RFID cards transmit the same signal over and over again, you have always been able to clone them. In the past you would have to get the card, or get close to it, to detect the card number then go program another card with the same number. Most people didn’t have card programmers so it wasn’t a widespread issue. These new kiosks change that by making it easy and cheap to clone them. The good news is this raises awareness of the risks of using RFID cards. The bad news is anyone who takes security seriously will have to replace all their cards and readers,” she said.
According to Fred Dawber, Cansec Systems Ltd., the ability to easily clone 125kHz prox cards and fobs has been around for many years but very few people were aware of it. But now that 125kHz credential cloning kiosks are being installed at shopping malls and other public places, the cat is clearly out of the bag.
However, Dawber notes that many of the folks trying to clone their prox credentials in these kiosks are simply looking to save money, rather than to gain entry to a secured facility for malicious purposes.
“It is useful to consider why someone would be motivated to clone their prox credential. The answer is simple – money. If you are living in an apartment or condo, you almost certainly had to pay a deposit for your credential which you hopefully get back when you move out. If you lose your credential, you forfeit your deposit and must get a new credential (with another deposit). In many cases, the deposit is very large – as much as $50 or more. If you want to get a second credential for a spouse, the tooth fairy or whatever, you pay a second deposit. If people can simply clone their credential for $10-$15, you can guess what they will do.”
This is not a major security issue, Dawber says. “Keep in mind that the cloned credential is just that, an exact clone of the original. It has exactly the same ID data encoded in it. The bad news is that the access control system cannot differentiate between the original credential and the clones. The good news is that if the ID of the original credential is deleted from the access control system, the original credential and all cloned credentials are no longer granted access.”
“So how worried should you be about cloning in that environment? I suggest – not so much. Think of it like regular mechanical keys. Unless it is a restricted keyway, you can go to the hardware store and ‘clone’ your key. You can make as many as you want and hand them out to everyone on your street. But no one is going to do this. You are going to give one to someone that you trust. Same goes for cloned access keys except the risk is much less since the ID number of the cloned key can be removed from the access control system which renders the original credential and ALL cloned credentials inoperative.”
Using electronic credentials with a secure app (software program) and BLE (Bluetooth Low Energy) reader is an interesting option for many reasons, according to Dawber.
1. People want to use their phones for everything
2. People may lend their access card but are much less likely to lend their phone
3. With tons of processing power available, communication between the phone and the reader can be very highly encrypted (up to 256 bit)
4. Since communication from the phone to the reader is BLE, the reader is placed on the secure side. The Wiegand lines are therefore not accessible
5. The app can be bound to the reader as part of a system. An app will only “see” readers which are part of their system. This means that the historic weakness with the open 26 bit Wiegand format is totally eliminated. Specifically, that there are only 255 possible system codes available and cards can be purchased everywhere and by everyone. If a product is designed accordingly, there is no danger of a 26 bit electronic credential from one site being used at another site.
6. Electronic credentials can be purchased online and are immediately made available for assignment to users. Because the app is bound to the readers for its assigned system, the system administrator can define the credential numbers as they are issued rather than have to work with pre-defined credential numbers. This makes the job a lot simpler
7. With some systems, electronic credentials can be transferred from your old phone to your new phone. This eliminates the cost of buying another credential and reprogramming the access control system to use the new credential number
8. Some systems will credit your account with a credential when an issued credential is revoked. This can significantly reduce the ongoing cost of credentials.
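
The open 26-bit Wiegand weakness in item 5 and Dawber's point about revocation, worked through as an added example (not from the article or from any vendor's code). It assumes the widely documented open 26-bit layout of an 8-bit facility code, a 16-bit card number and two parity bits; the Controller class, the function names and the sample IDs are hypothetical.

```python
# Added example. Open 26-bit Wiegand layout: bit 1 = even parity over bits 2-13,
# bits 2-9 = facility (system) code, bits 10-25 = card number,
# bit 26 = odd parity over bits 14-25. All names and IDs below are constructed.

def encode26(facility, card):
    """Build the 26-bit frame a reader passes to the door controller."""
    if not (0 <= facility < 2**8 and 0 <= card < 2**16):
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = str(data[:12].count("1") % 2)         # first 13 bits end up even
    odd = str((data[12:].count("1") + 1) % 2)    # last 13 bits end up odd
    return even + data + odd

def decode26(frame):
    """Check length and parity, then return (facility, card)."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    if frame[:13].count("1") % 2 != 0 or frame[13:].count("1") % 2 != 1:
        raise ValueError("parity error")
    return int(frame[1:9], 2), int(frame[9:25], 2)

class Controller:
    """Hypothetical door controller: an allow-list of (facility, card) IDs."""
    def __init__(self):
        self.allowed = set()

    def grants(self, frame):
        try:
            return decode26(frame) in self.allowed
        except ValueError:          # corrupt frame: deny
            return False

def demo():
    door = Controller()
    door.allowed.add((42, 1337))                 # enrolled credential
    original = encode26(42, 1337)
    clone = encode26(42, 1337)                   # same ID data, same frame
    corrupt = original[:5] + ("1" if original[5] == "0" else "0") + original[6:]
    before = (door.grants(original), door.grants(clone), door.grants(corrupt))
    door.allowed.discard((42, 1337))             # revoke the ID once
    after = (door.grants(original), door.grants(clone))
    return {"same_frame": original == clone, "before": before, "after": after,
            "id_space": 2**8 * 2**16}            # every possible (facility, card)

if __name__ == "__main__":
    print(demo())
```

The frame carries no secret and nothing that changes between reads, so the controller receives identical bits from the original and the copy. Parity only catches transmission errors, and removing the ID from the allow-list is what shuts out both.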