A Reality Check on the Cloning of Proximity Cards

Why a controlled setting hack doesn't necessarily weaken prox-based access control

[Editor's note: At the RSA Conference in San Francisco earlier this month, InfoWorld magazine released a video from tech firm IOActive, where the companies tech staff claimed to have been able to build a prox card cloning device. The video of that claim from the conference is available at this link. What's more, the threat of cloning proximity cards (not smart cards) is something that's been picked up by the consumer broadcast media, including KOMO-TV in Seattle. SecurityInfoWatch.com responded by asking leading card supplier HID Global to respond to the allegations that RFID-based proximity cards could be easily cloned and to discuss the related security measures that should be involved in any electronic access control system. Their op-ed response appears below.]

Yes, some proximity access cards can be cloned as demonstrated at the RSA Conference held recently in San Francisco. The question is: Does the ability to clone a proximity card in a controlled setting translate into a real-world possibility? Whether the answer is yes or no may be open to debate but that does not mean we should ignore the possibility.

What we need to recognize is that perfect security does not exist, but in the real world, we accept reasonable security for our homes, for our workplaces, for our loved ones, and for our data. Using accepted standards of reasonableness, we can examine the proximity card cloning demonstration and question the likelihood of such an event occurring in actuality.

This risk-benefit play is faced by magnetic stripe credit card users on a daily basis, where cardholders assume that the implicit level of security outweighs fear of fraud - credit cards are notoriously easy targets for cloners, and yet the economic fabric of commerce relies on their secure use. And, as with any security solution, we should ask what level of physical security is reasonably needed for a particular facility taking into account such factors as ease of use and cost.

Only then can we determine if a proximity-based security system delivers reasonable security. So let's begin with an analysis of the cloning demonstration at RSA where the demonstrator uses his "homemade" cloning device to read the access card - a process that requires the proximity card be placed close to the reader (hence the term proximity) in order for a valid data read to occur.

In the real world, a perpetrator would have to know exactly where an individual holds the access card. For example, if the card is kept in a breast jacket pocket, the perpetrator would have to bring the cloning device within inches of the pocket - hardly a scenario for surreptitious reading. Or, in many cases, employees wear their cards around their necks. How would a perpetrator surreptitiously read one of those badges without attracting attention? A more likely scenario is an intentional perpetrator using inside knowledge to gain access to secure information.

Any organization that understands risk management understands that an access control system alone does not a security solution make. To prevent an access card from being read for nefarious purposes, HID Global recommends that employers implement policies and procedures that:

  • Require immediate reporting of lost or stolen cards
  • Prohibit sharing or lending of cards
  • Encourage employees to shield their cards from public view when not at work (this makes sense from a privacy perspective as well if a name and picture are printed on the card)
  • Encourage reporting of suspicious activity at the facility
  • Discourage "tailgating" where one employee uses a card to gain access and others follow without using their own cards.

As mentioned earlier, most enterprises undertake an analysis of their security needs before committing the monies to be spent. Reasonable security suggests that you don't need a $400 security system to protect your 10-year-old automobile but the investment might be worth it if you own a brand new Porsche 911. The same holds true for physical access control solutions.

This content continues onto the next page...