The problem with prox cards

April 22, 2020
Why organizations should be looking to migrate to more secure access technologies in light of cloning vulnerabilities

The warnings have been posted for years: proximity cards, for decades an access control standard, may have outlived their value to organizations with security concerns. Yet proximity cards (or prox cards for short) are still in use at many locations. Some organizations figure now is the time to make a change.

Prox cards, available from many manufacturers, can be cloned in a matter of minutes by using an inexpensive device easily available on the internet. There are even YouTube videos showing how simple it is to clone a prox card. What may be even more concerning is that more recent basic smart card technologies, despite their added data encryption, can also be cloned. It’s a more difficult process, but still well within the skillset of an adept hacker.

This leaves the security of thousands of organizations using prox at risk. Fortunately, there’s an alternative – DESFire EV2 cards – readily available from multiple sources that offer a higher level of encryption that continues to leave hackers frustrated.

Let’s take a look at the vulnerabilities of some proximity cards.

A hacker’s nearby cloning device can activate a prox card much like a reader does. This could take place while a card-carrying employee is having lunch or shopping after work. Once activated, the card transmits its unencrypted payload, which is easily captured. This enables a hacker to create a clone, providing access to every entry approved for that employee without any outward indication that this has occurred. There will be two identical cards, but the system won’t recognize the difference. Imagine having your data rooms, human resources office, laboratories and more, all readily accessible to unauthorized persons.

Lately, card duplication has become a mass-market experience. Recently introduced kiosks, found in many supermarkets, pharmacies and other retail stores, were initially intended for duplicating traditional mechanical lock keys. However, they now also scan data from low-frequency 125 kHz prox cards to create duplicates that are mailed to a customer’s home. This means a lost card can remain in the wild without the employee ever reporting it to the security team, or that a virtually unlimited number of people could be given copies to gain unauthorized facility access.

Prox cards no longer have a security advantage over the magstripe technology they replaced. Magstripe cards also transmit data in the clear, but a hacker needs brief possession of a card to run it through a reader to gain the card’s payload.

DESFire EV2 cards take security to a much higher level with their embedded microcontroller-based integrated circuits. The cards also use AES-128 encryption. Let me give you an idea of how effective that is. The encryption scheme has been widely published, allowing hackers to attack it day-in and day-out. Even with today’s powerful computers, at the time of this writing, the encryption scheme has not been broken.

But let’s say someone gets lucky and determines the secret encryption key from an EV2 card. The card’s technology enables an end user to simply change the key, throwing a hacker’s hard work out the window. Additionally, the EV2 key can be changed more than 10 times without ever having to touch system infrastructure.
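To make the contrast between the two paragraphs above concrete, here is an added simulation (example code, not LenelS2’s, NXP’s or any card vendor’s) of a static-ID credential, whose replayed response a reader cannot tell from the original, beside a keyed challenge-response credential, whose replayed transcript fails and whose compromised key can be rotated at the reader. HMAC-SHA256 from the standard library stands in for the card’s AES-128 primitive, and every identifier and key is a constructed sample value.

```python
import hashlib
import hmac
import secrets

UID = b"\x01\x02\x03\x04"      # constructed sample card identifier
KEY = b"per-card-secret-key-0"  # constructed sample per-card key

def static_id_card(uid):
    # Prox-style: whatever the reader sends, the answer is the fixed ID.
    return lambda _challenge: uid

def keyed_card(uid, key):
    # DESFire-style: reply binds the card key to the reader's fresh challenge
    # (HMAC-SHA256 stands in for the card's AES-128 in this simulation).
    return lambda challenge: uid + hmac.new(key, uid + challenge, hashlib.sha256).digest()

def replay_card(card):
    # A copy that can only repeat one response observed in an earlier session.
    recorded = card(secrets.token_bytes(16))
    return lambda _challenge: recorded

class Reader:
    def __init__(self, enrolled):
        self.enrolled = dict(enrolled)  # uid -> key; None for static-ID cards

    def authenticate(self, card):
        challenge = secrets.token_bytes(16)  # fresh nonce per session
        response = card(challenge)
        uid, tag = response[:len(UID)], response[len(UID):]
        if uid not in self.enrolled:
            return False
        key = self.enrolled[uid]
        if key is None:
            return tag == b""  # static ID: there is nothing more to verify
        expected = hmac.new(key, uid + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)

def compare_credentials():
    # Genuine cards, replayed copies, and a keyed card after the key is rotated.
    prox_reader, desfire_reader = Reader({UID: None}), Reader({UID: KEY})
    prox, desfire = static_id_card(UID), keyed_card(UID, KEY)
    results = {
        "prox_genuine": prox_reader.authenticate(prox),
        "prox_copy": prox_reader.authenticate(replay_card(prox)),
        "desfire_genuine": desfire_reader.authenticate(desfire),
        "desfire_copy": desfire_reader.authenticate(replay_card(desfire)),
    }
    desfire_reader.enrolled[UID] = b"rotated-key-1"  # key changed after suspected compromise
    results["desfire_after_key_change"] = desfire_reader.authenticate(desfire)
    return results
```

Only the static-ID copy is accepted; the replayed keyed transcript fails because the nonce differs, and the card still holding the old key fails once the reader's enrolled key is rotated.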

DESFire EV2 cards are available from many sources, both in open and proprietary formats. For customers looking to control their own keys and willing to bring encoding functions in-house, un-programmed cards are the most flexible choice. Customers may purchase these cards from suppliers that best meet their needs. For customers lacking the manpower or expertise, pre-programmed DESFire EV2 cards are a great compromise. They provide the benefits of the EV2 environment without the hassle of managing keys, encoders or the manpower associated with these tasks. The pre-programmed card formats also allow sectors to remain ‘open,’ allowing other applications to be written to the card. This provides greater flexibility without compromising the security of an access control system.

What are the downsides of migrating to DESFire EV2 card technology? The cards are marginally more expensive, but those per-unit costs narrow significantly for enterprise organizations ordering thousands of new credentials each year. Card readers may also need to be replaced. If so, select a multi-technology reader that can work in a mixed-card environment. The multi-tech reader allows an organization to gradually standardize on the EV2 credential without disrupting its current processes until it is ready to change.

There are other benefits offered by DESFire EV2 technology. EV2 cards, in particular, offer tremendous flexibility for future-proofing an investment. Available cards offer up to 8K capacity, enough to partition the card among applications such as biometrics, point-of-sale transactions and transportation. These applications can be encoded all at once or over time without sharing secret keys between applications.

The price and simplicity of older card technologies keep them in widespread use, but evolving security challenges warrant migration to DESFire EV2 cards. It’s always better to make a decision like this voluntarily prior to a costly security breach.

About the Author:

Greg Berry is vice president, mobile credentials for LenelS2, a part of Carrier, a global provider of HVAC, refrigeration, fire, security and building automation technologies.