The $7.99 vulnerability in your building security system

Did you know that with access to an eBay account and the princely sum of $7.99 (plus postage and handling), you can clone an unlimited number of access cards to many buildings that have an electronic access control system installed?

The consequences of this happening would pose a serious safety and security risk to a business and its people, particularly to enterprise-level organisations that are more likely to be the targets of this type of card hacking activity.

As we all know, the use of electronic access control systems is commonplace today across most types of commercial properties. They are deployed in place of mechanical keying systems wherever there is a need to restrict and control access to our buildings and car parks.

The appeal of using electronic access control is not just so that access can be controlled. It also means that if a tag or card is lost or stolen, the card can be deleted from the system quickly and easily.

Usually, when a mechanical key is lost, it results in an entire building being re-keyed, which can be a very expensive exercise.

Of course, the main advantage of using electronic access control is that the movements of people and vehicles are logged and recorded with each use. From a security and audit perspective, this is one of the strongest features of these systems.

The perception is that the use of electronic access control systems is far more secure than issuing keys, and it is, for all the reasons I have just mentioned above.

However, if the cloning and duplication of these cards is now as easy as spending $7.99 on eBay, then we need to ensure the technologies we select are inherently secure and less exposed to card hacking.

The number of access control systems available to us in Australia is extensive. The most popular are: Tecom and Concept for smaller systems, through to Gallagher, Integriti, Forcefield, Lenel, Honeywell and numerous other offerings for larger applications.

Which one you choose will come down to personal preference, your specific requirements and the needs of the property to be secured.

At the heart of any access control system is the user database.

This is where we establish our user groups, access levels and enter all the data relating to the individual system users.

This data collectively forms the basis for which areas of a building people are allowed to access and when.

This data would typically include:

  • Cardholder's name and details
  • Cardholder's department
  • Cardholder's photo
  • Facility code
  • Card number
  • Days of the week access is allowed (access groups)
  • Hours access is allowed (time zones)
  • Card expiry date

Once the user database is established, the data can then be transferred onto the access card, tag or other type of credential.

Each user is given a credential with a unique identifier. This will be a number that is unique to the facility the security system is installed in.

The cardholder's data is encoded onto the access card so that when the card is presented at an access control point, the system knows whether to grant access. This is a simple and highly effective way of securing any sort of property without the need to keep track of keys.

One of the most popular formats of credential for many years has been the 125 range. They are called this because they operate at a radio frequency of 125 kHz. They can also be called proximity or contactless access cards. Both terms can apply equally to a range of formats and technologies – not just the 125 range.

As security technologies evolve, so do the means with which people will try to defeat or bypass them. And 125 kHz access cards and fobs have well and truly been defeated.

And it has been done in a way that can’t be identified or detected.

All it takes is a $7.99 device from eBay which can quickly and efficiently clone any 125 access card or fob.

This is how it works.

In order to clone a card, an active card has to be copied. The cloned card will have all the access privileges of the original, and the access control system simply sees it as another valid access card.

The access control system will not be able to identify that there are multiple cards in use. Nor will it know that a card used in one location can’t also be used at another location just a few minutes later. Access control systems do not understand the physical differences in location, only whether the access credential belongs to that security system or not.

Therefore, there could be dozens of a given card in use and it would never be detected unless the activity logs for the card were specifically audited. That means that the use of multiple cards could go on for some time.
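The kind of activity-log audit mentioned above can be automated. The following is an added example, not part of the original article: it scans exported access events for the same card number appearing at two sites closer together in time than a person could travel between them. The event format, reader names and travel times are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, card number, reader); not real log data.
SAMPLE_EVENTS = [
    ("2024-03-04 08:01:10", 10452, "HQ-Lobby"),
    ("2024-03-04 08:03:45", 10452, "Warehouse-Gate"),
    ("2024-03-04 08:05:00", 20017, "HQ-Lobby"),
    ("2024-03-04 08:06:30", 20017, "HQ-Level3"),
    ("2024-03-04 12:40:00", 10452, "HQ-Lobby"),
]

# Assumed site layout: which site each reader belongs to, and the shortest
# realistic travel time between sites in minutes (hypothetical values).
READER_SITE = {"HQ-Lobby": "HQ", "HQ-Level3": "HQ", "Warehouse-Gate": "Warehouse"}
MIN_TRAVEL_MIN = {frozenset(("HQ", "Warehouse")): 25}


def find_impossible_travel(events, reader_site=READER_SITE, travel=MIN_TRAVEL_MIN):
    """Flag consecutive uses of one card at two sites that are closer together
    in time than the travel time between those sites allows.

    Returns a list of (card, earlier_reader, later_reader, gap_seconds).
    """
    by_card = defaultdict(list)
    for ts, card, reader in events:
        by_card[card].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), reader))

    findings = []
    for card in sorted(by_card):
        uses = sorted(by_card[card])  # chronological order per card
        for (t1, r1), (t2, r2) in zip(uses, uses[1:]):
            s1, s2 = reader_site.get(r1), reader_site.get(r2)
            minutes = travel.get(frozenset((s1, s2)))
            if s1 == s2 or minutes is None:
                continue  # same site, or no travel time defined for this pair
            gap = t2 - t1
            if gap < timedelta(minutes=minutes):
                findings.append((card, r1, r2, int(gap.total_seconds())))
    return findings


if __name__ == "__main__":
    for card, r1, r2, gap in find_impossible_travel(SAMPLE_EVENTS):
        print(f"card {card}: {r1} -> {r2} only {gap}s apart; check for a duplicate")
```

A hit is a reason to review that card's history and reissue the credential, not proof of cloning on its own, since a lent card produces the same pattern.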

The result being that any number of unauthorised people could be accessing your premises without your knowledge.

What can you do to prevent your electronic access control system being hacked?

    1. Firstly, cardholders need to appreciate that an access card is exactly like a door key. They have to be used appropriately and kept secure at all times. That means they should not be lent to anybody or left unattended. In fact, cardholders should be made to sign an appropriate use policy when the card is first issued to them; and
    2. Secondly, it’s time to move on from what is a very basic and inherently insecure access format and use something better and far more secure.

The technologies we are recommending include the HID Multiclass readers and cards which operate in the 13.56 MHz range. The upgrade path is simple and relatively inexpensive and the cards have multi-layer security built into them which ensures they can’t be copied or tampered with.

There are other types too, some of which are able to be used as stored-value cards so they can be used on vending machines and the like.

If security has any level of importance in your organisation, it’s probably time to re-think your access technologies.

About the author

Luke Percy-Dove

Luke is one of the most respected and highly regarded Security Advisers and Security Design Consultants in Australia and has been a trusted key player in the security industry for more than two decades, delivering security solutions for hundreds of businesses and organisations nationally.