Securing Campus Contactless Card-Based Access Control Systems

Article originally posted on CampusSafetyMagazine.com.

RFID devices are typically used as proximity or smart card identification in tracking and access control systems. These systems operate on the assumption that the token is in close proximity to the reader because of the physical limitations of the communication channel. However, current RFID devices are not suitable for secure proximity identification. They can be subject to skimming, eavesdropping and relay attacks. An attacker can fool the system by simply relaying the communication between the legitimate reader and token over a greater distance than intended.

As these facts become known, there has been a drive by campus security directors to overcome such shortcomings.

The Vulnerabilities Are Real
First, let’s review the threats. Skimming occurs when the attacker uses his reader to access information on the victim’s RFID token without consent. The attacker has the ability to read stored information or to modify information by writing to the token, so he can control when and where the attack is performed. In practice the attacker’s main challenge is to increase the operational range by powering and communicating with the token over a greater distance, as the owner might become suspicious of somebody in his personal space.

An eavesdropping attack occurs when an attacker can recover the data sent during a transaction between a legitimate reader and a token, which requires the attack to be set up in the vicinity of a likely target. The attacker needs to capture the transmitted signals using suitable RF equipment before recovering and storing the data of interest. The degree of success that the attacker will achieve depends on the resources available to him. An attacker with expensive, specialized RF measurement equipment will be able to eavesdrop from further away than an attacker with a cheap, home-made system. The attack is still a viable threat either way.

RFID systems are also potentially vulnerable to an attack where the attacker relays communication between the reader and a token. A successful relay attack lets an attacker temporarily possess a ‘clone’ of a token, thereby allowing him to gain the associated benefits. It is irrelevant whether the reader authenticates the token cryptographically or encrypts the data, since the relay attack cannot be prevented by application layer security.

What’s scary about all this is that the equipment needed to perpetrate the above attacks can be quite inexpensive and is widely available.

Multi-Factor Authentication Improves Security
Because of such threats, single factor verification no longer provides the access security that many campus access control systems now require. Today, they want to have multi-factor verification with what they have (a card) plus what they know (a PIN.) With a combination reader/keypad, access control manufacturers and their integrators can provide them with a simple, reliable solution for shoring up their system, the combination card reader/keypad.

To enter, the individual presents her proximity or smart card, gets a flash and beep and then enters her PIN on the keypad. The electronic access control system then prompts a second beep on the reader and the individual is authorized to enter.

Another novel way of protecting card-based systems is to provide a high-security handshake or code between the card, tag and reader to help prevent credential duplication to ensure that readers will only collect data from these specially coded credentials. In a sense, it’s the electronic security equivalent of a mechanical key management system in which this single campus is the only one that has the key they use. Such keys are only available through the campus’ integrator and that integrator never provides another campus with the same key.

In the electronic access control scenario, no other campus will have the reader/card combination that only it gets from its integrator. Only their readers will be able to read their cards or tags and their readers will read no other cards or tags.