As the landscape of access control technology evolves, a significant vulnerability persists: the cloning of cards and tokens used in both residential and commercial security systems. This issue, often underestimated, poses a serious threat to the integrity of these systems, as cloning can be executed with alarming ease and minimal cost.
Richard Tweedie, Head of Engineering at Comelit-PAC, presents the extent of the issue and explores the security solutions available. He offers expert advice on how to safeguard against these risks in today’s increasingly connected world.
The Growing Threat of Cloning
Today, contactless access control systems are becoming a staple in both residential and commercial sectors.
These systems store data in cards, tokens, and increasingly mobile phones. However, the alarming reality is that in some cases, these can be cloned with relative ease. What is particularly concerning is that, depending on the level of security, this can be accomplished using tools that are easily purchased online for as little as £10.
Manufacturers are proactively incorporating advanced encryption into their devices, rendering them resistant to copying. They are producing access control systems with various levels of security tailored to specific applications, ensuring that users have the right level of protection for their needs.
Motivating Factors Behind Cloning
The reasons behind cloning are as varied as they are concerning. In the residential sector, cloning may be done to avoid paying fees for replacement devices, to grant access to a friend or relative, or simply to circumvent the hassle of replacing a lost device. There are growing reports of staff keys being cloned to gain access across entire estates.
In corporate environments, cloned copies of access credentials can be used to gain unauthorised entry to properties. They can duplicate access privileges, commit time and attendance fraud, carry out monetary transactions such as cashless catering or transport fares, and even access privileged systems or facilities.
The ease and affordability of compromising access control systems have increased significantly. In the early days of cards and tokens, radio frequency identification (RFID) using 125/153kHz unencrypted technology was the go-to for most manufacturers.
Although it took hackers several years to infiltrate these systems, a simple YouTube search now yields numerous videos demonstrating how to clone cards and tokens with apparent ease.
In some instances, they can be copied using radio or ‘skimming’ techniques to extract data. The same holds true for 13.56MHz card serial number (CSN)-based credentials, which can also be readily cloned.
Addressing the Risk
For systems using older technology, the only effective countermeasure has been to adopt multimode authentication.
This includes the use of PIN and card readers that require an identification device in addition to a user-specific PIN code. While still valid, this solution is most effective when coupled with the right access control readers and best practices in keyholder management.
When selecting an access control system, it is vital to conduct a comprehensive risk assessment. Standards such as UL294 or IEC6039 can be instrumental in planning a secure system deployment.
During this process, end users should consider whether they want all credentials to be unique, whether system administrators should have the ability to generate duplicate cards or tokens, and how easily a card or token could be copied without access to administrative software.
The adoption of higher security measures, such as encryption, should be evaluated to determine if they are more suitable.
For systems already in place, a highly recommended course of action is to conduct a penetration review to identify whether credentials can be cloned or copied. The internal threat also demands consideration. For example, audit report transactions are no longer sufficient proof of someone’s activities, as an individual can simply claim their card or token was copied.
Many corporate compliance rules can easily be violated by employees modifying their cards and tokens for unauthorised uses, such as secure document printing or logging onto unauthorised IT equipment.
Choosing the Right Level of Security
Access control devices come in various levels of security: low, medium, and high. Low-security devices are at a higher risk of being cloned. While these solutions may be practical because credentials can be generated on site, they also make it possible for duplicate credentials to be created easily.
High-security solutions employ encryption to prevent cloning. For instance, Advanced Encryption Standard (AES) compliance is recognised as ultra-secure.
Devices incorporating AES can better protect data by ensuring that a reader validates the credential before processing the data and forwarding it to the system.
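The difference between a CSN-style identifier and a credential the reader validates with a key can be shown in a short model. This is an added example, not code from Comelit-PAC or any product; the class names and sample values are hypothetical, and HMAC-SHA256 from the Python standard library stands in for the AES-based exchange a real credential would use.

```python
import hashlib
import hmac
import secrets

class StaticCard:
    """CSN-style credential: answers every read with the same identifier."""
    def __init__(self, csn):
        self.csn = csn
    def read(self):
        return self.csn

class KeyedCard:
    """Credential holding a secret key that is never transmitted."""
    def __init__(self, card_id, key):
        self.card_id, self._key = card_id, key
    def respond(self, challenge):
        # HMAC-SHA256 stands in for the AES-based exchange of a real credential.
        return hmac.new(self._key, self.card_id + challenge, hashlib.sha256).digest()

class Reader:
    def __init__(self, enrolled):
        self.enrolled = dict(enrolled)  # card_id -> key shared with that card
    def check_static(self, presented_id):
        # Only asks "is this number on the list?"; any copy of the number passes.
        return presented_id in self.enrolled
    def new_challenge(self):
        return secrets.token_bytes(16)  # fresh random value per transaction
    def check_response(self, card_id, challenge, response):
        key = self.enrolled.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, card_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def compare_schemes():
    card_id = bytes.fromhex("04a1b2c3")  # constructed sample identifier
    key = secrets.token_bytes(16)        # constructed per-card key
    reader = Reader({card_id: key})
    # Static scheme: the bytes sent over the air are the whole credential.
    observed = StaticCard(card_id).read()
    static_copy_accepted = reader.check_static(observed)
    # Keyed scheme: a response is only valid for the challenge it answers.
    card = KeyedCard(card_id, key)
    first = reader.new_challenge()
    answer = card.respond(first)
    genuine_accepted = reader.check_response(card_id, first, answer)
    second = reader.new_challenge()
    replay_accepted = reader.check_response(card_id, second, answer)
    return static_copy_accepted, genuine_accepted, replay_accepted

if __name__ == "__main__":
    print(compare_schemes())
```

The recorded answer fails on the second transaction because the reader issued a new challenge, which is the property a static identifier cannot provide.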
The National Institute of Standards and Technology (NIST) has also published guidance to help improve the evaluation of the administration, enforcement, performance, and support properties of mechanisms embedded in access control systems.
Addressing Spoofing and Signal Security
Another cloning-related concern is spoofing. Modern systems increasingly offer protected or encrypted communication from the RFID reader to the controller. This protection is critical against injection attacks, where a key-code is replayed to the door controller, with technologies like Wiegand being particularly susceptible.
To combat this, reader tampering and signal line detection have been developed to safeguard against such activities. The appropriate security level for the installation must be carefully considered to ensure optimal protection. Newer generations of readers now support secure bi-directional communications, which, while more complex to deploy, are essential in preventing security breaches.
The Future of Mobile Credentials
Mobile credentials offer a promising high-security alternative, allowing users to authenticate their smartphones and use them as keys.
These credentials are highly resistant to cloning, particularly when information is stored in the cloud or mobile wallets.
The reason is that people generally keep their smartphones close and rarely share them with others. These devices often incorporate two-factor authentication (2FA) with biometrics and have tracking functionalities.
The mobile access control credentials market is projected to grow significantly, with estimates suggesting it could reach over $750 million by 2028, up from $295 million in 2022.
Leading access control providers are developing Bluetooth-based systems with various identification modes, such as placing a smartphone in front of a reader, placing a hand close to a reader, simply passing in front of a reader, or tapping a smartphone screen twice.
Users can configure virtual credentials in their smartphone wallets, allowing multiple virtual ‘keys’ for different areas or sites. Some systems also offer configurations using proximity-based near-field communication (NFC) instead of Bluetooth, or a combination of both.
Staying Vigilant in the Fight Against Cloning
The widespread issue of cloning persists because the likelihood of getting caught is minimal. Even in serious cases, prosecutions are rare, and by the time an alarm is raised, the culprits have often covered their tracks.
Linking CCTV to access control events is a common way to review suspicious activity and devise plans to mitigate risk.
In a world where 100% protection is unattainable, it is crucial to regularly review and test access control systems to identify vulnerabilities. Even the most secure systems can become less resilient over time as copying and spoofing techniques evolve. Continuous vigilance and adaptation are key to staying ahead of potential threats.