Is my door access control system secure? The answer may surprise you. If you use contactless credentials and card readers it would be dangerous to assume they are secure. Here are a few facts to consider.
While door access control systems have been around for at least 40 years, contactless (proximity) technologies only became available in the 1990’s. In 2002 the popular Indala format was created. Both technologies depend on the ubiquitous Wiegand Format which is an open binary format with little standards. Wiegand utilizes a standard 26 bit format which goes all the way back to the magnetic stripe cards. The standard 26 bit format is an open format and is identical in both the 125 kHz and 13.56 MHz Smartcard formats for cards and readers.
The bad news is that both the Prox Card and Indala formats have been hacked. Technologies available through online shopping sites and websites that offer cloning services can easily duplicate any card or fob with these outdated formats. Check out CloneMyKey.com if you don’t believe me. For under $50 anyone can purchase a device to clone credentials using these older formats. This means that likely the access control technology you are using to secure your business, community center or gate, RV parking lot, or other entry has a high probability of being easily breached by anyone that gets ahold of a credential or has a wireless reading device to capture the card data from your pocket or that of your employees.
The first generation of 125kHz Proximity in the 1990’s had no encryption. The 26 bit binary code was simply handed off the to the Wiegand card reader which matched up the code to the resident data base and allowed or disallowed the transaction. The second generation of contactless cards using 13.56 MHz in the early 2000’s contained a unique encryption key. After the 26 bit binary code is presented to the reader it shakes hands with the card using the encryption key before the 26 bit code is allowed to be passed to the control for a decision. Both versions have been hacked and the cards can be duplicated.
Your access control system doesn’t have to be older to use this technology. Manufacturers still build and sell these hacked technologies. Unless you are informed and ask the right questions or work exclusively with a security integrator who educates their customers you could easily end up with an insecure access control solution.
The future is more secure with new Smartcard and Mobile ID technologies using Card Encryption with Secure Identity Object (SIO) and SEOS (Secure Electronic Operating System). These new cards contain multiple security vaults that could take 30 or more years to hack. Unfortunately, you’re probably looking at an upgrade of field equipment to support SIO and or SEOS, but once you make the investment it will likely be the last one you ever make. Before you invest in your next system reach out to an expert and ask the important cybersecurity questions. Don’t waste valuable resources on outdate insecure security.