In the security world, few technologies have become more entrenched than proximity-based access control. The cards and readers are everywhere – and overall, they provide a level of convenience and security that far exceeds the systems they replaced, such as mechanical locks, barcodes, magnetic stripes, and the like. A typical access card operates in the same manner as an RFID tag – since it is essentially the same thing. A reader emits RF energy, which energizes a coil inside the card powering a small circuit, which in turn, communicates a unique ID number back to the reader. There are many data formats and matched reader/card frequencies involved, but almost all systems operate in this (simplified) manner.
Over the years, there have been many documented examples of proximity access control hacking. From card emulation and brute-force transmissions at the reader, to surreptitious card data capture. So with that in mind, why revisit the subject here? The answer lies in the proliferation and rapidly declining cost of RFID components and other low-energy RF communications, which are poised to transform the way in which we connect and interact with systems and assets of all types.
The growing popularity of RFID tagging (especially in retail), environmental monitoring, intelligent edge devices, and building automation has spurred the development of a wide range of wireless/RF-enabled data collection and triggering. Examples include Zigbee (and similar 802.15.4 products), advanced RFID readers, and Z-Wave. For some developers, security is an afterthought, since the equipment is believed to be so obscure and/or specialized that it is unlikely to be attacked. What we are beginning to see, however, is that the same tactics used by “war-drivers” in the early days of commercial WiFi can expose insecure platforms and potentially open the door (pun intended) to serious security problems.
The good news is that security can be engineered into most of these platforms – in fact, it is often a core component – but it must be “switched on” and used properly. Follow the links below to read about some of the vulnerabilities and hacks that exist today. In practice, being aware of the potential for hacking – especially with immature products, proximity cards, etc… will help you make good design decisions. For example, once you understand how an access badge can be cloned – you probably won’t allow that badge to also disarm your alarm system, even if the vendor promotes it as a convenience feature. Likewise, if you are testing a new Zigbee-based data collection solution in your retail store, have a discussion with your vendor about how security has been implemented – and even if you like the answer, keep that network isolated until it is well-proven.
More on this subject:
Wardriving for Zigbee: Blog article describing a method for finding and mapping Zigbee networks
Kisbee: Open-source hardware project to capture Zigbee wireless communication
Bootable RFID Live Hacking System: A platform for hacking MIFARE access control cards
Proximity Card Cloning: HID ProxCard-II, ISOProx, and others
Long Range Cloning: 125KHz Proximity Cards