Posted by Bryan on 9th Nov 2015
First let’s start off with the basics. What is RFID access control and how does it work?
Access control is any system that regulates who can access a property such as an apartment, condo, or office building. Radio frequency identification (RFID) access control uses a key with an embedded radio transmitter that allows authorized users to place their key in close proximity to a door sensor to gain access.
RFID access control has many great benefits including logging, scheduling, rule-based configuration, and most importantly, the ability to instantly rekey locks for a specific user. Most keys work using a proximity-based RFID chip which commonly comes in a key fob or card form factor. Within this key there is a digital unique identification number (UID). This UID is also stored in a central database, which is located inside the central controller installed on the property. This database contains the privileges associated with each UID, the real name of the person the UID is assigned to, and often an expiration date for the UID. Once a key is presented to a door’s RFID reader, the UID of that key is transmitted to the central controller and compared against the database. If the central controller identifies the UID as valid and authorized, it will then check to ensure the user has privileges to the requested door. If the user has the required privileges, it will grant access. The most common privileges associated with access control are authorized time periods and specific door access, but a large variety exist.
Now that we have a general understanding of the technology, let’s discuss some common tips often ignored by installers, managers, and security professionals. Our work expertise has been acquired through a combined total of 11 years within the access control field while operating CloneMyKey.com, LLC and its predecessor Extended Home Technologies, LLC.
Do not order keys in sequential order.
Keep in mind, most key fobs and cards used today do not contain security against duplication. RFID-based access control offers greater convenience than standard metal keys but typically does not increase security. Most access control suppliers offer the option to order additional fobs and cards using a certain range of UIDs in sequential order. While this offers the user the convenience of easily keeping track of already used UIDs, it also presents a specific vulnerability in access control systems.
Known appropriately as a sequential attack, this method helps an individual gain entry to a zone that they are not authorized in. This individual only requires one piece of information in order to perform such an attack, and that is the UID of a key belonging to the access control system. The key that the attacker needs isn’t required to be authorized; it simply has to contain a UID that once was used within the target system. This UID will provide the attacker with enough information to make an educated guess as to what an authorized UID for the target system could be. This is done by guessing UIDs close to the one on the key that the attacker acquired. Devices exist today that allow individuals to test multiple educated guesses very quickly. As made apparent above, having a random set of UIDs will help guard against a sequential attack.
It should also be noted that this attack can be used to gain higher privileges within a target system. For example, mail-room John who is also a corporate spy has access to the basic rooms of the office building but nothing that contains confidential data. In a sequentially programmed system, mail-room John could simply increment/decrement UIDs above or below his key’s UID until he finds one being used by someone with privileges to the room containing company secrets. To make matters worse, once the company finds out that their secrets have been stolen, the logs will show the UID of the person whose UID John stole.
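Because the logs will show the borrowed UID rather than the person who used it, it helps to look for the guessing itself in the controller's event log. The following Python sketch is an added example, not part of the original post or of any vendor's software; the log tuple layout, the integer UIDs, and the three thresholds are assumptions.

```python
from collections import defaultdict, deque

# All thresholds are assumed values for illustration; tune them to your site.
WINDOW_S = 120    # how far back to look on each reader, in seconds
MAX_GAP = 16      # UIDs within this distance count as numeric neighbours
MIN_DENIED = 4    # distinct denied neighbours needed to raise an alert

def find_sequential_probing(events):
    """events: time-sorted (epoch_s, reader_id, uid, granted) tuples.
    Returns alerts for runs of denied, numerically adjacent UIDs on one reader,
    and for a grant that immediately follows such a run."""
    denied = defaultdict(deque)          # reader_id -> recent (ts, uid) denials
    alerts = []
    for ts, reader, uid, granted in events:
        q = denied[reader]
        while q and ts - q[0][0] > WINDOW_S:
            q.popleft()                  # expire denials outside the window
        seen = {u for _, u in q}
        near = sorted(u for u in seen if u != uid and abs(u - uid) <= MAX_GAP)
        if granted:
            # A grant right after neighbouring denials may be a guessed UID,
            # so the logged UID should not be taken as proof of who entered.
            if len(near) >= MIN_DENIED:
                alerts.append({"type": "grant_after_probe", "reader": reader,
                               "ts": ts, "uid": uid, "denied_neighbours": near})
                q.clear()
        else:
            q.append((ts, uid))
            # Fire once, when the run first reaches the threshold.
            if uid not in seen and len(near) + 1 == MIN_DENIED:
                alerts.append({"type": "probe", "reader": reader,
                               "ts": ts, "uid": uid, "denied_neighbours": near})
    return alerts

# Constructed sample log: not taken from any real controller.
SAMPLE_EVENTS = [
    (1000, "lobby", 88001, True),         # normal entry
    (1010, "lobby", 12345, False),        # stray unknown card
    (1020, "server-room", 70112, False),
    (1022, "server-room", 70113, False),
    (1024, "server-room", 70114, False),
    (1026, "server-room", 70115, False),  # 4th adjacent denial -> "probe"
    (1028, "server-room", 70116, True),   # grant after the run -> flagged
    (1100, "lobby", 88002, True),         # normal entry
]

if __name__ == "__main__":
    for alert in find_sequential_probing(SAMPLE_EVENTS):
        print(alert)
```

With randomly assigned UIDs the neighbour test rarely matches legitimate traffic, which keeps the alert quiet; on a sequentially ordered system, a badge mix-up between co-workers with adjacent UIDs can trigger it too.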
Rotate keys with users using a lot system
Duplication or “cloning” of access control key fobs and cards has been around for years and is becoming more accessible through services such as CloneMyKey.com. Using the lot-based method can help protect properties from past tenants or disgruntled ex-employees. Implementing the lot method requires an investment of three times the required number of keys. These keys then need to be divided into three different lots. A special note for license-based systems: while buying multiple lots of keys is required, it is only required to purchase licenses for one lot as only one will be used at any given time.
While it does take a technical background to complete, the concept of cloning an RFID-based key is straightforward. An individual simply has to take the UID from their original key and transfer it to a suitable blank. Since the UID is the same in both keys, the clone will only work while the original is authorized, and it will also enable the same privileges. This feature is what can assist property owners in ensuring previous users do not retain an authorized clone after surrendering the original. In order for this protection to be effective, property owners should not re-authorize the same key, for a new user, immediately after the old user surrendered it. It’s required that the owners cycle the lots through. For example, if tenant John just surrendered his apartment key fob at the end of his year lease, the property management company would place that key in lot 1. The key fobs in lot 1 would be stored until both lot 2 and lot 3 were cycled through, meaning that if John kept a cloned copy of his key fob, it wouldn’t work until the property cycled back to lot 1.
There are also other variations of this, depending on budget and property structure. Adding additional lots of keys will increase security as it will increase the time between potential clones becoming authorized again. If the property management company also manages other properties with the same formatted access control system, rotating lots between properties can also be effective. Of course, the knowledge that the property management employs these methods should be kept confidential to maximize effectiveness.
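The bookkeeping behind the lot method can be kept in a small script or spreadsheet. The Python sketch below is an added example, not part of the original post; the class name, the UID values, and the rule that the next lot opens once the current one has no free keys are assumptions made for illustration.

```python
class LotRotation:
    """Issue keys from one lot at a time. A surrendered key is de-authorized
    and stays in storage until the rotation returns to its own lot."""

    def __init__(self, lots):
        self.lots = [sorted(lot) for lot in lots]   # lot index -> UIDs
        self.active = 0                             # lot currently being issued
        self.unissued = list(self.lots[0])          # free keys in the active lot
        self.holder = {}                            # uid -> person (authorized set)

    def _advance(self):
        # Step to the next lot that has a key nobody currently holds.
        for _ in range(len(self.lots)):
            self.active = (self.active + 1) % len(self.lots)
            self.unissued = [u for u in self.lots[self.active]
                             if u not in self.holder]
            if self.unissued:
                return
        raise RuntimeError("no free keys in any lot")

    def issue(self, person):
        if not self.unissued:
            self._advance()
        uid = self.unissued.pop(0)
        self.holder[uid] = person                   # authorize in the controller
        return uid

    def surrender(self, uid):
        self.holder.pop(uid)                        # de-authorize; key goes to storage

    def is_authorized(self, uid):
        return uid in self.holder


def demo():
    # Constructed UIDs; three lots of two keys each.
    rot = LotRotation([[101, 102], [201, 202], [301, 302]])
    issued = [rot.issue("John"), rot.issue("Ann")]  # lot 1: 101, 102
    rot.surrender(101)                              # John moves out
    clone_works_now = rot.is_authorized(101)        # a clone of 101 is dead
    issued += [rot.issue(p) for p in ("Cara", "Dev", "Eli", "Fay")]  # lots 2, 3
    issued.append(rot.issue("Gus"))                 # rotation is back at lot 1
    return issued, clone_works_now, rot.is_authorized(101)


if __name__ == "__main__":
    print(demo())
```

The last value returned by `demo()` shows the limit of the method: once the rotation returns to lot 1, UID 101 is authorized again, so a clone kept from the earlier tenancy would work from that point on.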
Order large format keys
Selecting a format with the most potential users is recommended, even if you do not intend to reach the maximum. As mentioned before, there are devices capable of guessing potential authorized UIDs. Using a format with more possible combinations will make guessing more difficult.
Offer multiple form factors
RFID access control keys come in a variety of form factors. The most common is the key fob that can be conveniently attached to a key chain. Second most popular is the key card form, which is typically the size of a credit card and can easily be placed in a wallet. Less well-known form factors include waterproof silicone wristbands, enjoyed by sports and outdoor enthusiasts, and sticker keys, which have an adhesive backing that allows them to be attached to objects such as smart phones.
We hope that this post was informative and useful. Access control is a great technology when used and understood correctly. On a final note to parties who are considering an investment in a new access control system, it is always important to evaluate what you are trying to protect because price ranges for both hardware and installation vary widely. As with any potential investment, it’s smart to compare several quotes before deciding to purchase.