TO the uninitiated prox is prox is prox. You hold the card towards the reader and thanks to the mystical powers of something called RF, the reader interrogates and then recognises a card, and activates an electric strike to facilitate access.
Of course, things are obviously more complex than this and I recently visited the folks at BQT Solutions for a demonstration on the way various proximity technologies function, as well as a behind the scenes look at ways in which they can be defeated. Suffice to say, this was an eye opening experience.
When I arrive BQT’s office, Dave Tullipan and Matt Green have a table load of gadgets, readers and laptops ready to outline the variations between 125kHz read-only prox (about 90 per cent of the market) and higher frequency technologies like 13.56mHz Mifare, whose higher frequency and smart processor offers more security.
When it comes to all important issues of cost, 125kHz prox to Mifare is not a huge jump in price, while Mifare to DESfire is a bigger jump for far higher levels of security and greater operational flexibility.
According to Green, the prevalence of 124kHz proximity is cost convenience and ignorance. He says that for very little cost difference you can get a much more secure solution – you can go for slightly more security or much more, depending on budget.
“125kHz proximity has been around since 1990 – it’s basically a physical RFID chip and you present it to an EMI field, the antenna inside is excited and responds with a signal that is identified by the reader,” he explains.
“There’s a 26-bit format, which comprises of a site/facility code and the card number – site code from 0-255 and card number from 0-65500 – which is 16,702,000 possible permutations but prox has been around for a long time.
“In addition, installers will often label a site, Site 1 and then Card 1, Card 2, Card 3, Card 4, etc, so if there’s no deliberate attempt to increase the complexity of a customer base, then there are many, many duplications. It’s human nature for a Site to be Site 1 and Cards to be 1-100. You have to wonder, how many sites like this are out there?”
As Green explains, 125kHz prox is a read-only technology – there’s no or very little encryption.
“There is certainly a place in the market for this low security technology and we supply these cards – if you need a cheaper alternative to a key and a lock then 125kHz cards are useful but if you want a system that offers security then you’re best to move to higher frequency options.”
Next we look at 13.56 mHz Mifare. With Mifare you are getting a smart card so you can write data to the device. We are playing with a 1Kb smart card with data spread over 16 sectors, each sector able to hold its own application and set of encryption keys. Worth noting is that fact that every Mifare card has its own unique identifier hard stamped from the factory.
“What happens with Mifare is that it can either just read from the card which is not great security, or we get that serial number and along with our key in the reader we encrypt that as a key to lock up a sector so the card and the facility number are locked in a secure sector and there’s an encrypted key we have that you need to unlock that container and read the code,” explains Tullipan.
“Mifare Classic, which works this way, was hacked in 2008, so we go a step further in that that we combine the encrypted key with the card serial number and apply an algorithm – key diversification – what this means if that an attack does compromise a Mifare system, only that one card is compromised.
“It’s a lot more flexible than prox because you can use multiple applications, you can have a sector for base building, a sector for tenancy, a sector for biometrics, a sector for time and attendance.”
Most secure of all is DESfire, which while it’s a type of Mifare card is significantly different. A 4k DESfire card has 4 times the amount of data so you’re not restricted in card layout, you’re not restricted to the 16 different fixed-size sectors. Instead you’re allowed up to 28 applications and they can vary in size. Any card can have 20 apps and any app 15 files inside, the benefit being a solution that is much more flexible, more dynamic.
“The other main difference is that while the encryption algorithm for Mifare Classic has been compromised, DESfire using Triple DES/AES and has not been compromised – so it’s more secure,” Green explains. “It’s the only completely secure RF technology and is projected to remain secure until 2030, based on current technological trends.
Central to the operation of DESfire access control credentials is the 3-path mutual authentication process.
“The key difference between read-only prox and DESfire is that it waits for a card to enter the field, then sends a request saying are you a DESfire card, it says yes here is my CSN, then the reader asks for a key, the card references the key using a random number, the reader decrypts and sends the de-encrypted number back with another number that’s been encrypted.
The card then responds and says yes, you decrypted that properly, and delivers a decryption of the second number. Once all the handshaking is done, the reader can access the card data and the door can be opened. There’s more data so it’s a longer read process (80 milliseconds) and a reduced read range but the result is far higher security.
“DESfire is the benchmark and BQT Solutions is working to bring DESfire access solutions into commercial markets which currently use low security 125kHz cards,” Green explains. “Our recommendation is to update from Prox or Mifare to Desfire and so you update to a dual technology reader and this allows a longer process of upgrade.
“Once dual technology readers are installed, the existing cards can be used while higher security cards are issued. Later, when all the cards are higher security you can disable the Prox or Mifare capability of the reader, or both.”
Card sniffing
You could describe an urge from a supplier of high security prox solutions to upgrade to higher security prox solutions as predictable if not for fact empirical evidence clearly shows what BQT Solutions is saying is 100 per cent correct.
Most readers would know that 125kHz prox is a compromise that offers convenience and low cost. We’ve run a dozen articles in SE&N over the years pointing out the problems with facility code duplication. But once the BQT boys start showing me how easily these prox cards can be defeated it becomes clear that 125kHz is only secure if no one is trying to get around it.
Selecting a power source, antenna and a little controller all bought without effort at little expense, Green prepares for a card sniffing test.
“Using this group of devices I bought from Dick Smith and on Ebay, including a high frequency antenna, I can read a person’s card when it’s in their pocket or bag, and then turn the device to write and use it to open a door,” he explains.
Green then promptly carries out the sniff by bringing the antenna into range of the card. It’s all so simple and instantaneous and it really works. According to Green, the components to beat prox cost about 300 bucks.
“Once you have the information it’s very easy to decrypt the 26-bit information, you know what the facility code is, you know what the card number is,” he says. “It’s very simple.”
Mifare classic is harder to breach but we watch a uni research team in the Netherlands employ a logical shift register to find keys and walk through a controlled door. We watch as the team goes through the process of sniffing a card, breaking the keys and creating new cards and accessing the main doors. The fact the researchers all look about 15 makes the process seem even more threatening.
When presented to readers, the cards appear on the system as an existing user – it’s frightening stuff. Later on, Green replicates this test using a card and quickly extracts the necessary information to breach Mifare classic. Yikes.
Next, we discuss Weigand attacks. It goes without saying that if it’s Weigand coming out of the back of the reader it’s very insecure, regardless of how secure the cards and readers are and this vulnerability applies to all systems. Here BQT has designed a reader to meet the threat.
“A person can get up into the ceiling, find the Weigand data and sniff the data off the data cable and using the data to reverse engineer a card and gain entry or do a replay attack. It’s not specific to any card technology it applies to all systems,” Green explains.
“To get away from that we use encrypted data out of our BQT Solutions’ DESfire reader so it’s a much bigger string and is random, this means the identification numbers are always changing and that means even if a sniffer gets the numbers they are not going to match the next output from the reader – they can’t be predicted.
“There’s also a built-in tamper with our readers so that if data stops running, the reader will see there’s an error and send a tamper message to the controller or trigger an alarm relay.”
Musing over this demonstration later on it’s obvious that the majority of Australia’s 125kHz proximity-based access control solutions contain an inherent security weakness that installers, integrators and consultants are duty bounds to point out to end users.
Going with 13.56mHz Mifare credentials does offer more security but for high security sites – genuine high security sites – Mifare is not enough to guarantee protection. If you’re serious about access control you’ll need to think about DESfire solutions.
