Prox card, proxie card, keycard, hid card, smart card, access badge, corporate 1000 card, 26 bit card – whatever you call it, the 125 kHz radio frequency card is still the most widely used card for electronic access in North America. Unfortunately, few people are aware of recent developments that threaten the security status of these familiar cards.
The word “prox” is an abbreviation of “proximity,” which just means “near.” Proximity cards are a significant upgrade for users of mag stripe or Wiegand access cards, which have to be swiped through a reader. Prox cards only need to be held near a reader to open a door, and they work through a wallet, purse, pants pocket or whatever else they are in at the time. Cardholders have enjoyed the convenience of prox cards for nearly three decades.
Since their operation was so mysterious, prox cards were generally thought to be as secure as they were convenient. For a long time, this was mostly true because the technology needed to clone a card was big and expensive. However, as with all things technical, the price for cracking a prox system has come down tremendously. Today, anyone can buy a device at a large online retailer for under $20 which can read the data from most 125KHz prox cards, store it, then write it to an unprogrammed card with just the press of a button. There are also more powerful devices for under $500 that fit in a backpack and can read the data from a prox card several feet away, even if it is inside a wallet or purse. Both types of devices can be used to create unauthorized cards that the access control system cannot distinguish from officially issued prox cards.
These readily available and inexpensive devices for cloning, or copying, prox cards introduce a new level of threat to the security landscape. When a malefactor wants to breach a system to steal, destroy or injure a person or asset, or to cause embarrassment to an institution, they look at the means available to accomplish that end. Not too long ago, it was easier to pick a lock, break a window or socially engineer a password attack than it was to tamper with a prox-based electronic access control system. However, with online retail outlets now offering effective tools for opening locked doors or allowing access to other electronic systems such as health records, what used to be a remote threat has now moved into the foreground of possibility.
Legacy prox cards and readers were designed to communicate small amounts of data, usually 8-16 digit card numbers, in the 125 kHz radio frequency range. Convenience and function were far more important design considerations than security, so data was transmitted in unencrypted form. Later attempts by manufacturers to bolster the security of simple prox technology ranged from proprietary card number formats and ranges based on end user licensing (e.g. Corporate 1000), to simple data scrambling techniques that were used as a perennial freshman code-breaking exercise at one well-known engineering school. These techniques were effective as long as the few prox card and reader manufacturers controlled access to the technology. Unfortunately, prox reading and writing technology is now so widely understood and available that the primary access card and reader manufacturers have lost their gatekeeper status and the doors of their customers’ buildings and systems are virtually standing wide open.
While most institutions have layers of security such as video monitoring, human patrols and employee awareness programs that mitigate risks to prox-based access control systems, the vulnerability of a virtually unlocked access point is addressable in a direct manner. Prox-based electronic access systems for doors and networks have relatively inexpensive end points, namely cards and readers. In most cases, legacy prox cards and readers can be replaced with new advanced technology cards and readers which communicate using modern encryption techniques that are essentially unbreakable. The new readers are typically interchangeable with legacy readers, so they can be used with existing access control systems.
Many corporations and institutions have migrated from legacy prox systems to more secure cards and readers. Some of these migrations were made voluntarily and in advance of any problems, but many were made after a breach revealed the unsuspected vulnerability. Card and reader security is often overlooked for technology refresh scheduling, but the recent dramatic increase in the vulnerability of prox-based systems should move this item up in an organization’s security priorities.