Tech Trends: Prox Cloning Goes Mass Market

Nov. 9, 2018
The inherent weaknesses of proximity cards have created an opportunity for integrators

125 KHz based proximity cards (aka “prox” cards) have been susceptible to cloning for several years. Instructional videos abound, and equipment can easily be purchased on Amazon, eBay or elsewhere. While this is old news for the hacker population, the word has apparently not reached many in the security community; in fact, getting a prox card or key fob cloned is easier and more convenient than ever.

Jim Elder, President of security consulting firm Secured Designs, recently asked me if I was aware of the KeyMe Kiosks that are springing up in places such as grocery stores and pharmacies (see “I just used it to duplicate a 35bit Corporate 1000 prox card, and no one seems to be aware of (the kiosks’) existence – integrators included,” Elder told me. “I was visiting one of the best integrators in town a couple of weeks ago, and he is still selling prox.”

You do not have to look very hard to find a KeyMe kiosk – they can be found in stores such as Safeway, Bed Bath and Beyond, and Kroger, just to name a few. They are convenient machines that enable a user to create a duplicate traditional key in a matter of minutes. Recently, however, the company has expanded its duplication capabilities to RFID cards.

Rolled out in April of 2018, KeyMe says in a statement that users can simply visit a kiosk, hold a low-frequency (LF) 125 kHZ RFID proximity card or fob to the scanner, and the unit will read the critical information “so that our technicians can create a spare key” that is mailed to the customer. The statement goes on to add: “Our customers often ask if they are allowed to copy RFID keys, fobs and access cards. To be sure, check with your home or office building’s management, or check your lease to see if copying of keys is prohibited. Additionally, some RFID keys have security measures that prevent copying.”

So, now with little effort or investment, anyone can clone an access card or key fob based on125 KHz prox technology. Of course, this can turn into a real problem for a business if the card or fob itself is the only authentication factor it uses.

Why Prox is Still Attractive

Understand that prox has several attractive features:

  • Ubiquitous – Millions of readers and cards and fobs have been produced and are deployed everywhere.
  • Cost – Reputable readers can be purchased in the $100-$200 range, and the cheap stuff can be bought for as little as $10.
  • Range – While dependent on the reader/antenna configuration, typical distances are <10 cm, and semi-active and active configurations for longer range systems are offered on the order of 10m.
  • Concealment – Readers can be mounted behind any non-metallic substrate, including glass and drywall.
  • Convenience – No need to take a card out of a wallet or purse, as prox is a “non-contact” technology.
  • Prox Alternatives

    A range of possible options exist for those who want additional security, but, like anything else, they come with added cost.

    The first is to add additional authentication factors. Shep Sheppard of Farpointe Data wrote in a rdcent LinkedIn post: “If you have concerns that your EAC system may be at risk from a cast of bad actors, or you simply want to heighten security without having to issue all new credentials, then consider simply upgrading the readers on the perimeter. A high-quality combination reader and keypad on the perimeter with broad protocol support is critical.” He goes on to suggest a combination of PIN through the keypad in addition to the card.

    In some instances, a keypad may be deemed insufficient, for example, where the requirement is for a truly contactless solution. Here is where biometrics can come into play. One solution I recently found is offered by StoneLock Inc, which is based on highly accurate, proven facial recognition technology. The StoneLock Pro and StoneLock Go products are designed to provide a “frictionless” experience, and they can be obtained in a multi-authentication format or provide the capability to integrate with existing readers. Jeff Sebek, StoneLock’s VP of Business Development, says his customer base is pushing his company toward “true identity” contactless authentication.

    For new and selected retrofit applications, higher technology cards such as those based on MIFARE DESFire offer a higher level of security. MIFARE is the NXP Semiconductors-owned trademark of a series of chips widely used in contactless smart cards and proximity cards. Transmission is at the much higher 13.56 MHz frequency over distances of less than 10 cm (HID ~2 inches). Versions range from MIFARE Classic up to MIFARE DESFire EV2, reflecting evolving levels of ISO/IEC 14443 compliance, encryption (DES, 3DES, AES) and other security techniques.

    HID Global’s proprietary protocol iClass also employs 13.56 MHz technology. Obviously, compatible readers are required, and some are offered in a multi-protocol format.

    Emerging Technologies

    For long-range prox applications, such as those used for vehicular access, facial recognition could also be helpful – although the driver would have to get within range of the facial scanner. Alternatively, License Plate Recognition (LPR) could serve to validate the vehicle, unless the plate was stolen. Nedap’s Craig Wilson told me their in-vehicle Prox Booster 2G product can add a second factor of personal authentication to the card credential and is identified up to 33 feet away.

    Finally, watch for increasing use of mobile credentials in a variety of applications. Smartphones offer fingerprint and facial biometrics in conjunction with the phone as “something you have” for a more secure multi-factor solution.

    These approaches offered varied opportunities for integrators and consultants to provide more secure identification and access solutions as the lack of security in the legacy “tried-and-true” prox card becomes more impactful. “The good news is this should really help all of us explain the need for technology upgrades,” says Dean Forchas, HID Global’s Consultant Relations Manager.

    With opportunity, though, comes responsibility. Understand potential liability if offering possibly insecure technology or systems. Program the access control system to flag the use of the same card with readers in disparate locations. And integrators should make system administrators of risks, encouraging strong policies dealing with duplication and reasonable use.

    Ray Coulombe is Founder and Managing Director of SecuritySpecifiers and the CONSULT Technical Security Symposium. Email him at [email protected], or contact him through LinkedIn at or follow him on Twitter: @RayCoulombe.