By Todd Burner
The days of tumbler locks and keys are fading, especially in high-traffic areas. Proximity cards—those credit-card-sized, contactless devices that grant users access to a variety of areas—have largely taken their place. But for too many facilities, that card represents one of their biggest security gaps.
Proximity cards (also known as keycards) are incredibly convenient—and certainly have some security and financial benefits. With personnel changes, there’s no need to physically rekey the office or change the locks. That can all be handled electronically without replacing the hardware. The problem is: Security protocols in many of those cards are nowhere near as secure as many security and property managers believe them to be.
Instructional videos on how to clone the technology are easily found online—and the equipment to do so can be found on major online shopping or auction sites. And if that’s too complicated for the would-be cloner, the cards can be duplicated at many neighborhood hardware or convenience stores.
Put another way: In a world where people can copy those cards, you don’t have the control you thought you did.
The good news is there are several different encryption technologies to choose from with these sorts of credentials. Prox, the most open of those, has become the most vulnerable, but it’s still widely employed. Millions of readers and cards are still in use today, thanks to the technology’s low cost and high convenience.
It’s not just prox cards at risk, either. Several other credentials that have come out since that technology’s debut have subsequently been broken by hackers.
Encryption is a never-ending game. As long as there are good people trying to protect things, there are going to be bad people trying to break them. It will never be perfect.
The current gold standard of encryption on fob keys and key cards is DESFire EV3. That’s a mouthful, yes, but the critical thing to know is it can’t, at present, be cloned.
DESFire EV3 is a technology that offers enhanced performance and provides improved transaction speed. It’s highly secure and non-cloneable—and because it’s not a closed system, you’re able to use the cards with a variety of readers. It’s what we use at Kastle, part of our continuing commitment to offer the latest technological upgrade when it becomes available.
Unfortunately, when many property managers begin thinking about access control for their buildings, they don’t consider the credential that will be used. And that’s where security gaps happen.
Even the newest, most “secure” system will have a significant security flaw if it defaults to using the radio frequency-based prox card. You can have top-of-the-line hardware and software, but if you’re using technology that can be cloned, your security is compromised.
Too often, the use of that vulnerable tech happens simply because it’s easy and well-known. The property manager might not realize the severity of the decision they’re being asked to make, because there’s no user education on encryption tech. And that can have a real impact on their building, regardless of who they choose to work with.
Someone with access to all of a building’s keys can take advantage of gaps in insecure credential technology to create an all-access fob, which is a tremendous security and liability threat.
This can all be solved by adopting smartphone-based access credentials. These send individually encrypted Bluetooth signals with every entry, making them impossible to copy and virtually impossible to share with others, short of the user giving up their smartphone and their phone’s passcode.
Knowledge is power in this situation. Property managers who know to ask about the type of encryption technology that’s powering a system can protect their building and limit their risk by avoiding insecure systems. And they can simultaneously make things easier for their residents by finding an entry system that’s both convenient and secure—without having to worry about unauthorized visitors.
Todd Burner is Chief Product Officer for the managed security company Kastle Systems.