The days when a lost card or key fob posed the biggest threat to residential and office building security are long gone. Today, credential duplicators can undermine all but the most secure access control systems--and they can be purchased online for about the same price as a pop-up toaster. What's more, because access control readers can't differentiate between an original key fob or card and a duplicate fob or card, ongoing security breaches of supposedly secure sites can slide under the radar of security and building management indefinitely.
Access control technology is designed to ensure that only authorized individuals gain entry to protected sites. In an access control system, identity-verifying data must be read and authenticated by access control readers before entry is allowed.
While there are several access control tools that can be used to secure residential and office environments, the most common tools rely on radio frequency identification (RFID) technology in key cards and key fobs. An access control reader can assess RFID keys from as far away as five feet to unlock doors or raise gates for frictionless passage.
In an RFID-based access control system, tiny antennas in keys and readers communicate back and forth by transmitting and receiving electromagnetic radio frequencies. The readers then translate the frequencies they receive from keys into data that represents the identity connected with the keys.
This RFID process is initiated by the electromagnetic field of an access control reader. The field stimulates an antenna in the RFID key, and that energy stimulates a capacitor, which in turn stimulates the key's circuit to send its identifying data to the reader via a tiny transmitting antenna. The tiny antenna broadcasts its identifying details in the form of electromagnetic radio frequencies made up of vibrating electrons.
An antenna in the reader receives the radio frequencies transmitted by the key, and the reader translates the frequencies back into identifying data. The reader then checks with its governing control panel to determine the permissions associated with the key before allowing or denying access.
As new technologies are developed by the security industry, malign actors keep up by developing new tools of their own. Just as people in the past figured out how to use pins to open traditional locks--initiating a cycle of ever more sophisticated locks and ever more sophisticated tools for breaking into those locks--so too have our contemporaries used their ingenuity to breach RFID key security.
The original access control keys that became popular in the early 2010s were unencrypted, operated at 125 kHz, and promiscuously broadcast their data to any card reader around. Naturally, it took little time for hackers and others to identify and take advantage of this vulnerability: since access control cards would expose themselves to any reader, it was relatively simple to add a function to let readers store the card's data for later duplication.
By 2013, just as RFID cards had become the security option du jour for research, medical, and government institutions, a managing partner at the security firm Bishop Fox invented the RFID Thief. The RFID Thief was able to copy key fobs and cards from just a foot away. Using the RFID Thief, Bishop Fox associates were able to penetrate restricted networks and sites throughout their security firm.
Businesses that duplicate access control key fobs and cards appeared all over the internet. CloneMyKey® was the first company to offer duplication services at kiosks. On eBay today, a variety of competing access duplicators can be found at prices as low as $10. Some of them can clone RFID data in under five seconds from as far away as five feet.
This means that sensitive sites and restricted networks can be breached by malign actors who simply hang around locations in which people are likely to carry RFID keys with them. If you wanted to be a secret agent of some sort, you could enter a coffee shop near an access-controlled institution with an RFID copier discreetly resting in your briefcase or purse. You could order drinks and pastries and read a good book or work on your laptop while sitting at a table near the shop's checkout line--all the while capturing the identifying details of every RFID key of every customer that comes within five feet of you. At the end of the day, your reader will have copied plenty of badge information for you to make progress on some of your most pernicious goals.
While the majority of RFID key fobs and cards today carry the old, easily cloned 125 kHz frequency tags of the early 2010s, many companies have transitioned to more secure, higher frequency 13.56 MHz keys. These keys are more difficult to copy because they operate at a significantly higher frequency than the original 125 kHz keys. They contain much more data and are able to transmit more bits of data per second.
These cards are also safer than the first RFID key generation because they don't expose all of their most intimate information to just any reader. Instead, they only publicly broadcast public data--like the card's name and unique-but-not-door-opening ID.
While these cards are less easy to copy than 125 kHz tags, they are nevertheless possible to breach. If a person or machine knows the algorithm used to encrypt a tag, the most sensitive information can be exposed and duplicated.
Handheld RFID Writers can cost anywhere from $1,250 to $20,000, but they can get past even an encrypted 13.56 MHz key fob or card. The hardest part of using a Handheld RFID Writer is paying for one. After that, the process is easy: take your Handheld RFID Writer out of the box it came in and press the on button. Then hold a card or fob you'd like to copy against your Handheld RFID Writer and press the read button. Once the Handheld RFID Writer beeps, your 13.56 MHz card has been decrypted and recorded. The final step is to place a blank tag near the Handheld Writer and press the write button. Boom! You have a clone!
Even at its best, it seems that access control technology is never more than a step ahead of the tools to circumvent it. This unpleasant reality means that enhanced security measures are needed on top of RFID authentication.
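Because a reader accepts a duplicate exactly as it accepts the original, the controller's event log is where a cloned credential can still show up. The following is an added example (not part of the original article) that flags two indicators: the same credential badging in while it is already inside, and the same credential appearing at two doors faster than a person could walk between them. The log format, door names, credential IDs and the 10-minute travel time are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed controller events: timestamp, credential ID, door, direction
LOG = """\
2024-03-04T08:01:10 C-1042 lobby-north IN
2024-03-04T08:03:55 C-2210 lobby-north IN
2024-03-04T08:04:30 C-1042 annex-gate IN
2024-03-04T12:15:00 C-2210 lobby-north OUT
2024-03-04T12:58:00 C-2210 annex-gate IN
2024-03-04T17:30:00 C-1042 lobby-north OUT
"""

# Assumed minimum walking time between doors that are physically far apart
MIN_TRAVEL = {frozenset(("lobby-north", "annex-gate")): timedelta(minutes=10)}


def find_clone_indicators(log_text):
    """Return (credential, indicator, timestamp) tuples for suspicious events."""
    inside = {}     # credential -> True while it is badged in
    last_seen = {}  # credential -> (time, door) of its previous event
    alerts = []
    for line in log_text.splitlines():
        ts, cred, door, direction = line.split()
        when = datetime.fromisoformat(ts)
        if cred in last_seen:
            prev_when, prev_door = last_seen[cred]
            need = MIN_TRAVEL.get(frozenset((prev_door, door)))
            # Same credential at two distant doors faster than a person can walk
            if need is not None and when - prev_when < need:
                alerts.append((cred, "impossible-travel", ts))
        # Second entry without an exit in between: two copies may be in use
        if direction == "IN" and inside.get(cred):
            alerts.append((cred, "anti-passback", ts))
        inside[cred] = direction == "IN"
        last_seen[cred] = (when, door)
    return alerts
```

Anti-passback alerts also fire when a badge holder leaves behind someone else without badging out, so each hit needs review against the holder's actual movements.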
With encrypted cards, which are sometimes known as smartcards, the card and the reader must authenticate each other. An encrypted card won't share information with just any nearby reader (and certainly not with one that sells for less than $1,000), but will instead attempt to authenticate the reader before transmitting its data.
Cards with encrypted data also provide more security than unencrypted cards because they convert text into a secret (i.e., encrypted) code. Encrypted data appears scrambled to an entity trying to access its information without the correct decryption key. Only an access control reader with the right encryption key is able to decrypt the code of an encrypted access control key.
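The mutual authentication described above, modelled as an added example that is not part of the original article: the card reveals only its UID and a fresh challenge, and releases its credential (sealed under a per-session pad) only after the reader proves knowledge of the shared key. HMAC-SHA256 is used here as a stand-in for whatever cipher a real card implements, and the class names, message layout and key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields (stand-in for the card's cipher)."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))

class Card:
    def __init__(self, key: bytes, uid: bytes, credential: bytes):
        self.key, self.uid, self.credential = key, uid, credential
        self.nonce = None

    def hello(self):
        """Step 1: reveal only public data (the UID) plus a fresh challenge."""
        self.nonce = secrets.token_bytes(16)
        return self.uid, self.nonce

    def respond(self, reader_nonce: bytes, reader_proof: bytes):
        """Step 3: release the credential only to a reader that proves the key."""
        nonce, self.nonce = self.nonce, None  # each challenge is single-use
        if nonce is None:
            return None
        want = mac(self.key, b"reader", self.uid, nonce, reader_nonce)
        if not hmac.compare_digest(want, reader_proof):
            return None  # reader did not prove the key: release nothing
        proof = mac(self.key, b"card", self.uid, nonce, reader_nonce)
        pad = mac(self.key, b"session", nonce, reader_nonce)
        return proof, xor(self.credential, pad)  # credential (<= 32 bytes) sealed

class Reader:
    def __init__(self, key: bytes):
        self.key = key

    def read(self, card: Card):
        uid, card_nonce = card.hello()
        reader_nonce = secrets.token_bytes(16)  # step 2: the reader's own challenge
        reply = card.respond(reader_nonce, mac(self.key, b"reader", uid, card_nonce, reader_nonce))
        if reply is None:
            return None
        proof, sealed = reply
        want = mac(self.key, b"card", uid, card_nonce, reader_nonce)
        if not hmac.compare_digest(want, proof):
            return None  # card did not prove the key: reject it
        return xor(sealed, mac(self.key, b"session", card_nonce, reader_nonce))
```

Because both sides contribute a fresh nonce, a transcript recorded from one session is useless in the next, which is the property the unencrypted 125 kHz cards lack.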
The components of Mifare 13.56 MHz ID cards are relatively secure, but only if you change the default keys set by Mifare. Otherwise, even a Mifare card can be easily cloned.
There’s actually an app available for Android phones called “Mifare Classic Tool.” With the app open and the NFC (near-field communication) setting enabled on your Android, the app can read the content of any Mifare card whose default encryption key has not been changed from the manufacturer's original setting.
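A provisioning-side check for the default-key problem described above, as an added example (not code from the original article): it walks the 16 sector trailers of a MIFARE Classic 1K card image before it is issued and reports every key A or key B still set to a publicly documented value. The choice of the 1K layout, the `build_image` sample builder and the site keys used with it are assumptions made for this illustration.

```python
# Publicly documented key values that must never remain on an issued card
WELL_KNOWN_KEYS = {
    bytes.fromhex("FFFFFFFFFFFF"): "factory transport key",
    bytes.fromhex("000000000000"): "all-zero key",
    bytes.fromhex("A0A1A2A3A4A5"): "public MAD key",
    bytes.fromhex("D3F7D3F7D3F7"): "public NDEF key",
}

SECTORS, BLOCKS_PER_SECTOR, BLOCK = 16, 4, 16  # MIFARE Classic 1K layout


def audit_image(image: bytes):
    """Return (sector, key slot, reason) for each trailer key left at a known value."""
    if len(image) != SECTORS * BLOCKS_PER_SECTOR * BLOCK:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K image")
    findings = []
    for sector in range(SECTORS):
        # The sector trailer is the last block of each sector:
        # bytes 0-5 key A, bytes 6-9 access bits, bytes 10-15 key B
        start = (sector * BLOCKS_PER_SECTOR + 3) * BLOCK
        trailer = image[start:start + BLOCK]
        for slot, key in (("A", trailer[0:6]), ("B", trailer[10:16])):
            if key in WELL_KNOWN_KEYS:
                findings.append((sector, slot, WELL_KNOWN_KEYS[key]))
    return findings


def build_image(site_key_a: bytes, site_key_b: bytes, rekeyed_sectors):
    """Constructed sample: a blank card on which only some sectors were re-keyed."""
    default = bytes.fromhex("FFFFFFFFFFFF")
    access = bytes.fromhex("FF078069")  # factory-default access bytes
    image = bytearray()
    for sector in range(SECTORS):
        rekeyed = sector in rekeyed_sectors
        a, b = (site_key_a, site_key_b) if rekeyed else (default, default)
        image += bytes(3 * BLOCK) + a + access + b
    return bytes(image)
```

A card that uses only two sectors for the access application still reports 28 findings here, because the unused sectors were left on the factory key.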
Mobile access keys on smartphones are an excellent alternative to key fobs and cards because their account information can't be copied or duplicated.
Because of the security risks of cards and fobs, two-factor authentication is highly recommended at sensitive sites. For example, an access control key fob can be combined with a second authentication method--such as a personal PIN--before a two-factor verification system will allow entry.
Biometric verification tools like facial recognition software and fingerprint readers, in combination with RFID keys, create the highest level of access security by assessing an individual’s unique physical characteristics before allowing access.
In an RFID access control system, tiny antennas on key cards and fobs receive and transmit information-containing radio frequencies to tiny antennas in key readers. Although the majority of RFID key fobs and cards use the easily cloned 125 kHz key to this day, there are more secure RFID key alternatives. A Mifare access card system is a smart choice for keys that can't be duplicated--but Mifare keys are only secure if their encryption code has been changed from their manufacturer's default settings. In the end, because of continuous advances in both access card technology and technology used to breach access cards, two-step verification is recommended to protect highly sensitive sites.