The Security Vulnerability Hiding in Plain Sight: Your Prox Cards and Keyfobs

Proximity Cards, or Prox Cards, have been a staple of the Access Control industry since the 90s. You've almost certainly used one, either in a hotel, your office, or more recently, in keyfob form in your car. The technology behind what makes these keys work is impressive, but as with any technology, it has become dated and, more importantly, insecure.

The Surprising Security Gap

How is a prox card any less secure than a key? After all, if somebody gets ahold of your keyring, they can simply take it to any locksmith (or, nowadays, a grocery store with a simple-to-use key-making machine) and have it copied. The simple answer is that they don't even need to take your card to make a copy of it.

Now, this sounds like a scare-tactic, but it is unfortunately true. The technology and security industries are always pushing to make their products more secure and safe for their customers. But from time to time, certain developments render their technologies obsolete—or even "dangerous," according to IPVM, one of the leading industry reporters of security statistics.

The Flipper Zero Threat

The development we're discussing today is the Flipper Zero and its relationship to 125kHz credentials in access control systems.

According to IPVM, the main problem with 125kHz credentials is that they are unencrypted, which makes them very susceptible to having their data lifted with something like the Flipper Zero.

What is the Flipper Zero? Here is a short demonstrating the copy capabilities of the Flipper Zero on a hotel room key.

Our goal with this article is to present a few key facts about the changing state of Access Control.

Industry Experts Are Sounding the Alarm

As Phil Coppola, the current Business Development Director for Mobile Solutions - PACS North America at HID, says in his LinkedIn post from last year:

"Here is your daily reminder to TURN OFF THE PROX RADIO in your readers. This person obviously doesn't know the difference between low and high frequency credential technologies, but their landlord certainly does...

Which is why the FlipperZero doesn't work at the lobby turnstiles. Those are likely using iClass or SEOS and therefore cannot be emulated by the Flipper.

Unfortunately, his office space is still using Prox. Which means this person could make an unlimited number of copies of their card[...]

This is nothing new for Prox, but the reality is that the FlipperZero has emboldened folks to try things they wouldn't have tried before due to its power and flexibility. If you wanted to clone a prox card before you needed to know that it was even possible, buy a special device off the interwebs and clone the card [...]

TURN OFF PROX 

Go SEOS with an Elite Key 

Or better yet... Go Mobile! [...]"

The Challenges of Upgrading

The difficulties in upgrading these systems to a more secure version are not insignificant.

There are:

  • Higher costs for newer credential formats
  • Less convenience with shorter-range 13.56MHz credentials
  • Potential security openings via “Downgrade Attacks” in multi-functional readers during transition
  • Substantial time investment for uninstallation, installation, and training
  • Operational disruption during system changeover

The primary issue is, of course, the cost. The time it takes to uninstall the old system, install the new one, and train the entire company on best practices is substantial.
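One way to scope the transition risk named in the list above, as an added example that is not part of the original article: a short Python audit that finds every reader whose 125 kHz radio is still on and says what blocks turning it off. The reader inventory, credential list and field names are constructed for illustration and are not a vendor export format.

```python
from collections import defaultdict

PROX, SMART = "125kHz", "13.56MHz"

# Constructed sample data; field names are assumptions, not a vendor export format.
READERS = [
    {"reader": "R-LOBBY", "door": "lobby", "radios": {SMART}},
    {"reader": "R-SUITE", "door": "suite-400", "radios": {PROX}},
    {"reader": "R-LAB", "door": "lab", "radios": {PROX, SMART}},
    {"reader": "R-DOCK", "door": "dock", "radios": {PROX, SMART}},
]
CREDENTIALS = [
    {"holder": "alice", "tech": SMART, "doors": {"lobby", "lab", "dock"}},
    {"holder": "bob", "tech": PROX, "doors": {"suite-400", "lab"}},
    {"holder": "bob", "tech": SMART, "doors": {"lobby"}},
    {"holder": "carol", "tech": PROX, "doors": {"suite-400"}},
    {"holder": "carol", "tech": SMART, "doors": {"suite-400", "dock"}},
]

def holders_needing_prox(door, credentials):
    """Holders whose only credential valid at this door is 125 kHz."""
    techs = defaultdict(set)
    for cred in credentials:
        if door in cred["doors"]:
            techs[cred["holder"]].add(cred["tech"])
    return sorted(h for h, t in techs.items() if t == {PROX})

def audit(readers, credentials):
    """Classify each reader with the prox radio on: {reader: (status, holders)}."""
    report = {}
    for r in readers:
        if PROX not in r["radios"]:
            continue  # prox radio already off, nothing to do
        blocked = holders_needing_prox(r["door"], credentials)
        if SMART not in r["radios"]:
            status = "replace-reader"        # prox-only hardware
        elif blocked:
            status = "reissue-then-disable"  # multi-tech reader still accepts prox
        else:
            status = "disable-prox-now"      # nobody depends on prox at this door
        report[r["reader"]] = (status, blocked)
    return report

if __name__ == "__main__":
    for reader, (status, holders) in audit(READERS, CREDENTIALS).items():
        print(f"{reader:8} {status:22} prox-only holders: {', '.join(holders) or '-'}")
```

Readers reported as `disable-prox-now` are multi-technology readers that still accept 125 kHz credentials although no cardholder needs them, which is the downgrade exposure the list describes.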

The Cost of Not Upgrading

However, as Matrix Integration, an IT and Cyber Security Company based out of Kentucky and Indiana, points out:

"End-of-life technology may not meet compliance and regulatory requirements, increasing legal risks."

And according to a study done by Aberdeen Strategy & Research in the State of IT Report posted on SpiceWorks.com, the first and third BIGGEST reasons for an increase in IT budget are Increased Security Concerns and a Need to Upgrade Outdated Systems, respectively.

The biggest companies in the world are reacting to the ease with which legacy systems are being copied and cracked.

It's an unfortunate reality that in the same breath that we ask if the budget is there for a system overhaul, we need to ask if the budget is there for the potential business downtime and, in certain industries, the legal repercussions of avoiding an Access Control upgrade.

Modern Solutions for Modern Problems

There are a multitude of solutions available, however. Many large companies and IT specialists are pushing for a move to Mobile Credentials. We here at Leading Edge attended a webinar symposium with thousands of attendees where one of the leaders in Access Control Technology spoke about how mobile credentials were the future of not only Access Control, but Identity Control.

Before that future is here, we have many options to replace the old 125 kHz systems that operate similarly to the older systems on the user side but have far more secure technologies inside, not to mention the ever-increasing development of biometric-based access control.

Take the Next Step

Leading Edge Security is more than happy to discuss with you which type of upgrade best suits your needs and budget.




© 2025 Leading Edge Security