Access Control Card Reader and Credential Vulnerability

Transition Access Control Proximity / Legacy Technology to High Frequency Credentials

The vulnerability of Proximity type card access credentials has been known for several years now. Proximity credentials are easily duplicatable with inexpensive, readily available cloning devices. Devices such as Flipper Zero, selling for less than $200 can easily clone existing proximity credentials and some of the more advanced, but not yet fully secured credential technologies. Other devices can be found on the internet for less than $20. The cloned credentials can allow unauthorized access to seemingly secure facilities.

TSG Security has advised clients to replace proximity credentials with more secure credential technologies. While there are many options for higher security credentials, many clients choose to use a high frequency credential, commonly referred to as Smart Card. Smart Cards are a preferred choice for many customers since the user experience is the same in that a card or fob is presented within a few inches of the card reader. Both readers are contactless and thus appear to have identical functionality to the user.

The advantage of high frequency credentials is that the card data can be secured through encryption and other methods. These additional security features have so far provided the intended security making it impossible or extremely expensive to duplicate the new higher security credentials. However, a potential exploit, known as a downgrade attack, has recently been reported and action may be required to maintain the security of access control systems.

Downgrade Attack Warning

The potential exploit stems from the use of legacy technologies on high frequency credential readers. Recent testing has demonstrated that where non-secure, legacy credential formats remain enabled on high frequency card readers, those less secure technologies can be duplicated and used to gain access.

The exploit is made possible by allowing the reader to continue to read less secure technologies, like Proximity, after the transition to higher frequency has occurred. Reports from multiple sources show that the devices and service applications are now available that can read certain high frequency legacy credentials, in addition to Proximity, and encode it to a card and use it to gain access to legacy enabled readers exploiting the downgrade attack vulnerability.

Effectively, the attack uses the weakest link — an available path to low frequency or legacy technology to clone or attack the high security portion of the reader/credential system. The best way to protect your system is to disable the low frequency / legacy options on the reader. In some cases, this may require a firmware upgrade to each of the access control readers.

Recommendations

TSG Security recommends the following actions to address these potential vulnerabilities:

1. If you are using proximity or other legacy credential technologies know that those credentials are highly susceptible to duplication. Consider additional layers of security for susceptible areas such as PIN codes.
2. Continue efforts to eliminate the use of legacy credentials. Move to high frequency, high security credentials.
3. Ensure that legacy technology has been disabled on card readers including iCLASS legacy, iCLASS SE, MIFARE Classic, HID Proximity, AWID proximity, HID Dorado Proximity, EM Proximity and CSN over HF credentials.
   

Feel free to contact TSG Security to discuss your options in more detail.