A significant number of the cards and tokens used in both residential and commercial access control systems are vulnerable to cloning. Richard Tweedie, product delivery and quality assurance manager at PAC, examines the scale of the issue, outlines the various levels of security available and suggests what to look for in order to mitigate any risk.
Contactless access control systems typically store data in cards and tokens, as well as increasingly in mobile phones, however, in some cases these can be cloned. What’s particularly concerning is that, depending on their level of security, it is possible to do this using tools that can be purchased online for as little as £10. As a result, manufacturers are increasingly incorporating advanced encryption into their devices so that they cannot be copied, while also producing access control systems with different levels of security to suit specific applications.
There are several reasons why cards and tokens are cloned, ranging from seemingly innocent to totally nefarious. For example, within the residential sector it is sometimes done to avoid paying official fees for replacement devices, to allow a friend or relative access, or to simply avoid any immediate hassle if a device is misplaced. Within corporate environments a copy might be used to gain unauthorised entry to property, duplicate access privileges, commit time and attendance fraud, carry out monetary transactions such as cashless catering or transport fares, or to access privileged systems or facilities.
It’s now easier and cheaper than ever before to compromise some access control systems. In the earliest days of cards and tokens, radio frequency identification (RFID) 125/153kHz unencrypted technology was the de-facto choice for most manufacturers, and many systems with this technology are still in use. Although it took hackers a number of years to work out how to infiltrate RFID systems, a cursory search on YouTube throws-up numerous videos of individuals cloning cards and tokens with apparent ease. In some cases they can even be copied using radio or ‘skimming’ techniques to extract data.
For systems utilising this type of older technology, the only way to protect against this threat has been to adopt multimode authentication, such as a PIN and card readers that require an identification device in addition to a user specific PIN code. This solution is still valid with the right access control readers, providing best practices on keyholder management are deployed.
A chain is only as strong as its weakest link, so when selecting an access control system it is advisable to carry out a comprehensive risk assessment. As part of this process an end user should consider whether they want all credentials to be unique and/or if a system administrator should be allowed to generate duplicate cards or tokens. They should also assess how easily a card or token could be copied without access to administrative software and if a higher level of security, such as encryption, would be more desirable. For systems already in-situ, one highly recommended course of action is to carry out a penetration review to identify whether credentials can be cloned or copied.
The internal threat should also be considered. For instance, the transactions on an audit report are no longer acceptable as proof of someone’s activities, as an individual can simply claim it was not them and that their card or token must have been copied. In addition, many corporate compliance rules can easily be broken by employees modifying their cards and tokens to perform actions such as secure document printing, and logging on to unauthorised computers and IT equipment.
Various types of cards and tokens are available but some offer greater protection against copying than others. There is no ‘one size fits all’ solution and the technology types can be broken down into low, medium and high grades.
Not surprisingly, low security devices have a higher risk of being cloned. These solutions can be generated on-site by an end user, which although practical, can allow duplicate credentials to be cloned quite easily. With medium security devices cloning is possible with the right knowledge and tools. Within this category are manufacturer generated cards and tokens that have identification data written on to a chip with no encryption in place between the reader and the credential. Generally, duplicates will need to be sourced through a manufacturer, a locksmith or somebody with specialist chip programming capabilities.
High security solutions, however, use encryption to prevent cards and tokens being cloned. For example, Advanced Encryption Standard (AES) compliance is recognised as being ultra-secure. Devices that incorporate it can better protect data by ensuring that a reader validates the credential before processing the data and forwarding it to the rest of the system. Furthermore, The National Institute of Standards and Technology (NIST) has published guidance to help improve the evaluation of the administration, enforcement, performance and support properties of mechanisms that are embedded in access control systems – and additional advice about the key security principles to be considered when procuring RFID smartcards and readers for access control system is on offer from Centre for the Protection of National Infrastructure (CPNI).
On the move
When it comes to high security, mobile credentials that allow a user to authenticate their smartphone and use it as a key to gain access can also be highly resistant to cloning, particularly when information is stored in the cloud. The reasons for this are quite straightforward – people generally have their smartphones with them at all times and rarely allow others to use them. These devices also feature two-factor authentication (2FA) incorporating biometrics and have functionality that allows them to be tracked.
In 2017, Gartner predicted that by the end of this year 20 per cent of organisations will use smartphones in place of traditional physical access cards and tokens. Recognising their growing popularity, leading access control providers have developed Bluetooth based systems with a range of identification modes including placing a smartphone in front of a reader, placing a hand close to a reader, simply passing in front of a reader, or tapping a smartphone screen twice. By downloading an app a virtual credential can be configured in a smartphone wallet, allowing the user to have multiple virtual ‘keys’ for different areas or sites. Some systems can also be configured to use proximity based near field communication (NFC) instead of Bluetooth, or a combination of the two.
One of the reasons that cloning has become widespread is that the chances of getting caught are close to zero. In even the most serious cases prosecutions are disconcertingly rare and by the time an alarm is raised the culprit has usually covered their tracks to evade detection. In a world where 100 per cent protection can’t be achieved, it is imperative that an access control system is reviewed and tested on a regular basis to highlight any vulnerabilities – even the resilience of systems with the highest levels of protection may decrease over time as copying techniques improve.