Author: Paul Griggs
Many workers are familiar with the venerable HID access card. You present the card to a badge reader and the door opens. The badge itself, about the same size as a credit card, identifies the holder to the access control system that controls door access. But are these badges secure?
In the physical lock industry, there is a concept known as a “restricted keyway.” These keyways are tightly controlled by the lock manufacturer. In theory, only authorized entities, presumably lock customers, may acquire keys for their locks. You shouldn’t be able to copy a restricted keyway key at the hardware store.
But what about HID badges? Originally marketed by Hughes Identification Devices, now HID Global, these badges require no external power. They are energized when placed into a low-power radio field generated by the badge reader. The badge then outputs an identifying number to the badge reader via a 125 kHz radio signal, which is then passed to the access control system, typically a dedicated PC, for authorization. If the number is associated with a known authorized user, the access control system triggers the door to unlock.
In the 1990s and on into the 2000s, this system was widely adopted by many commercial entities, from office buildings to factory floors. It was secure in that producing a copy of a badge was infeasible. This changed in 2006 when chipmaker Atmel started producing the T5557 chip, a field-writable RFID chip that was quickly adapted to HID proximity card applications. Essentially, HID’s “restricted keyway” approach was no longer applicable. Anyone with the right tools, knowledge, and experience could now copy any HID card.
By this time, many other RFID applications were being examined and reverse-engineered by security researchers. Use of the Atmel chip was common among these researchers, but the cracks were beginning to show. Those in the security field knew these systems were not nearly as secure as others assumed they were. Still, in the late 2000s, copying or “spoofing” these cards was a bit of a black art. Using cloned access cards was rare.
In a classic case of the “Smart Cow Problem”, where one smart cow opens the gate and all the other cows follow, the knowledge of how to use the Atmel chip became commonplace. Manufacturers started making HID-compatible writable access cards. These competed with HID’s own cards, which until then had been the only widely adopted source of access cards.
The cows are gone.
Now, with T5557 card blanks commonly available and HID patents expired, card duplicating devices from China are cheap and plentiful. HID card duplication is being offered as a service at some key duplication kiosks. You can now find these devices online at the usual suspects’ web sites.
What to do?
If you’re dependent on HID 125 kHz proximity access cards, you have a risk that you likely didn’t consider until now. Controlling that risk will be difficult, yet there are concrete steps you can take. Consider the following:
- Video – Have video surveillance at all badge swipe locations. Unfortunately, this may only be valuable for after-the-fact investigations.
- Building security – If you use security guards, make sure they know the risk of counterfeit access badges. Many of these systems can display the badge-holder’s photograph on the guard’s console. Vigilance in watching the people entering and their corresponding photo can spot unauthorized access attempts.
- Add a PIN requirement – Some systems can support using a PIN as well as a badge.
- Increase Logging – The access control system can log badge use. Watch for badge access that’s unusual, say at off-hours or for doors not commonly used.
- Phase out affected systems – Start making your plans/budgets for replacing these systems.
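To illustrate the logging suggestion above, here is an added Python review script (not part of the original article) that runs over a constructed badge-event export. The CSV layout, door names, badge numbers and business-hours window are assumptions; beyond the off-hours and uncommon-door checks the article names, it also flags the same badge number being granted at two doors within a few minutes, which is how a duplicated card tends to show up in the log.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta
# Constructed sample export from an access-control system (hypothetical
# layout): "timestamp,badge_id,door,result", one badge event per line.
SAMPLE_LOG = """\
2024-03-04T08:55:12,1042,main-lobby,granted
2024-03-05T09:02:33,1042,main-lobby,granted
2024-03-06T08:58:02,1042,main-lobby,granted
2024-03-07T03:14:09,1042,server-room,granted
2024-03-07T09:10:45,1042,main-lobby,granted
2024-03-04T09:00:00,2077,main-lobby,granted
2024-03-05T09:05:00,2077,server-room,granted
2024-03-07T09:01:00,2077,server-room,granted
2024-03-07T09:03:30,2077,loading-dock,granted
2024-03-07T22:30:00,2077,main-lobby,denied
"""
BASELINE_END = date(2024, 3, 7)           # events before this day define "normal"
BUSINESS_HOURS = range(7, 20)             # 07:00-19:59 is normal working time
DOUBLE_USE_WINDOW = timedelta(minutes=5)  # same badge at two doors this close

def parse_log(text):
    """Parse the CSV export into sorted (timestamp, badge, door, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, badge, door, result = line.split(",")
            events.append((datetime.fromisoformat(ts), badge, door, result))
    return sorted(events)

def flag_unusual(events, baseline_end=BASELINE_END):
    """Learn each badge's doors from events before baseline_end, then report later
    granted events that are off-hours, at a new door, or at two doors in quick succession."""
    known_doors = defaultdict(set)  # badge -> doors seen during the baseline
    last_seen = {}                  # badge -> (timestamp, door) of its last granted use
    flags = []
    for ts, badge, door, result in events:
        if ts.date() < baseline_end:
            known_doors[badge].add(door)
            continue
        if result != "granted":     # these rules look at successful entries only
            continue
        if ts.hour not in BUSINESS_HOURS:
            flags.append((badge, door, ts.isoformat(), "off-hours use"))
        if door not in known_doors[badge]:
            flags.append((badge, door, ts.isoformat(), "door not in baseline"))
        prev = last_seen.get(badge)
        if prev and prev[1] != door and ts - prev[0] <= DOUBLE_USE_WINDOW:
            flags.append((badge, door, ts.isoformat(), "two doors within window"))
        last_seen[badge] = (ts, door)
    return flags
```

Each flag is a lead for a guard or investigator to compare against the badge-holder's photo and the video at that door, not proof of a cloned card on its own.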
In summary, HID 125 kHz proximity access systems are easily exploitable. Key control has been compromised. Knowing your risks is the first step in risk mitigation.