If you can gain access to your office building, school, or hotel room by simply tapping a card, then there is a possibility anyone with the right hardware could get in just as easily as you can. These “tap and go” cards may be vulnerable because they utilize a technology called radio-frequency identification, or RFID for short. RFID technology works by encoding digital data into RFID tags or smart labels, where it is stored and can be read from the RFID card later. Most businesses in the U.S. have security systems in place that use RFID key cards to determine who has access to vulnerable areas within their building. Unfortunately, these cards can be cloned without much effort, sometimes from several feet away, without anyone ever noticing their security has been compromised.
For example, consider the venerable Proxmark3 RDV. This device is an example of a hardware instrument capable of cloning most RFID card types. The Proxmark3 tries to mimic the card reader and, if successful, can access any data stored on the card. Once that data is stolen from the RFID card, the Proxmark3 can clone that data into a duplicate blank RFID card. This duplicated card can then be used to bypass any lock or security system the original card had access to. The Proxmark3 is also user-friendly enough that any amateur could leverage it to gain access to your organization’s environment.
RFID Risk Management
There are security mechanisms that can help mitigate the risk associated with using RFID technology to control physical access. The simplest way is to use a modern RFID system that supports encryption technology. The encryption scheme makes it so that the key cannot simply be copied into a cloned card. Encrypted RFID cards can still be vulnerable to attacks if the encryption scheme is cracked. This is still a much safer option than non-encrypted RFID cards, however. While encrypted RFID technology is becoming more prevalent, nearly 80% of organizations still rely on the vulnerable, unencrypted protocols.
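Why a card that answers a fresh challenge with a keyed response resists copying while a fixed-identifier card does not, shown as an added example that is not part of the original article. HMAC-SHA256, the class and function names, and the card ID are assumptions standing in for whatever scheme a real card system uses.

```python
import hashlib
import hmac
import secrets

class StaticIdCard:
    """Unencrypted card: returns the same stored identifier to any reader."""
    def __init__(self, card_id):
        self.card_id = card_id
    def respond(self, challenge):
        return self.card_id  # the challenge is ignored

class ChallengeResponseCard:
    """Card whose secret key stays on the chip; only a keyed response is sent."""
    def __init__(self, card_id, key):
        self.card_id, self._key = card_id, key
    def respond(self, challenge):
        return hmac.new(self._key, self.card_id + challenge, hashlib.sha256).digest()

class CopiedCard:
    """Duplicate holding only the bytes seen in one earlier exchange."""
    def __init__(self, observed):
        self.observed = observed
    def respond(self, challenge):
        return self.observed

def legacy_reader_accepts(card, enrolled_id):
    return hmac.compare_digest(card.respond(b""), enrolled_id)

def modern_reader_accepts(card, card_id, key):
    challenge = secrets.token_bytes(16)  # fresh random challenge on every tap
    expected = hmac.new(key, card_id + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(card.respond(challenge), expected)

def demo():
    card_id = b"CONSTRUCTED-ID-0001"  # constructed sample value
    key = secrets.token_bytes(32)     # hypothetical per-card secret
    legacy, modern = StaticIdCard(card_id), ChallengeResponseCard(card_id, key)
    legacy_copy = CopiedCard(legacy.respond(b""))
    modern_copy = CopiedCard(modern.respond(secrets.token_bytes(16)))
    return {
        "legacy_original": legacy_reader_accepts(legacy, card_id),
        "legacy_copy": legacy_reader_accepts(legacy_copy, card_id),
        "modern_original": modern_reader_accepts(modern, card_id, key),
        "modern_copy": modern_reader_accepts(modern_copy, card_id, key),
        # The caveat above: once the key itself is recovered, a duplicate works.
        "modern_copy_with_recovered_key": modern_reader_accepts(
            ChallengeResponseCard(card_id, key), card_id, key),
    }

if __name__ == "__main__":
    print(demo())
```

The fixed-identifier copy is accepted because the reader has nothing but stored data to check; the challenge-response copy is rejected because the observed response was computed for a different challenge.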
An even safer technology to invest in is the use of “physically unclonable functions”, also known as PUFs, to differentiate each card’s chip from another. In this situation, each card has a unique identifier as well as a cryptographic key. Because the unique identifier is based on the physical properties of the RFID chip itself, and not on data stored within the chip, cloning becomes nearly impossible.
It’s also important to remember the merits of multi-factor authentication. A truly robust physical access control system may rely on multiple forms of authentication in order to grant access to certain highly restricted areas. For example, while the main office space may be protected via standard RFID keycard access and monitoring, the organization’s data center and wiring closets may require a biometric check (i.e. fingerprint) or an additional PIN code for a second layer of identity verification. In this way, multi-factor authentication helps to mitigate the risk of unauthorized access to highly sensitive areas due to a cloned RFID card.
Finally, if your organization already has questionable RFID security, and is not in a position to upgrade this infrastructure, there are still basic steps one can take to protect RFID cards from being cloned. For example, there are RFID blocking wallets that will protect your cards from being cloned by blocking any unsolicited RFID transmissions. And, as a best practice, never let any other users, known or unknown, handle your RFID card. It takes only seconds to successfully read (i.e. steal) the required data. This data can then be copied to a blank card at the attacker’s leisure. If you are unsure of your organization’s physical security controls, a physical security assessment is a great way to identify potential risks to your organization’s operating environment. Contact OCD Tech today with any questions on RFID technology and vulnerabilities, or to get ahead of the attacker and plan a physical security assessment.