Wednesday, May 24, 2023

Unlocking the Risks: Examining the Security Flaws of RFID Access Control Systems

In today's security-conscious world, access control systems play a crucial role in safeguarding various environments, from office buildings to parking decks. While basic RFID (Radio Frequency Identification) access control systems are commonly used, it is important to recognize their potential vulnerabilities and the security risks they may pose. In this article, we will explore the inherent weaknesses of such systems, using an example from a parking deck, and discuss the implications for security.

Understanding Basic RFID Access Control Systems

Basic RFID access control systems rely on access cards that contain a facility code and a serial number. These cards enable authorized individuals to gain entry to specific areas, such as parking decks or buildings. The facility code represents the particular location, while the serial number provides a unique identifier for each card.

Examining the Example

I've been experimenting with the Flipper Zero for a while now, and was absolutely thrilled when I found an old, rain-soaked, beat-up access card lying in the middle of the road. Based on the layers of rust on the lanyard, the card appears to have been there for at least a week. Undoubtedly whoever lost it has already gotten a replacement by now, so there was no sense in letting this opportunity go to waste. I'm not going to tell you which parking deck it's for, but it is a local parking deck within a few miles of my house.

Once the card dried off, I used my Flipper Zero to examine it. Much to my excitement, the card still worked despite its damaged state. I found it to be a 125 kHz RFID card without any encryption whatsoever. The key type on the card is H10301, and the data is encoded in hexadecimal format as 20 01 8A. By decoding this data, we can analyze its structure and potential vulnerabilities.

All data is encoded in hexadecimal format. The first piece of data we can decode is the facility code, which in hex is 20. Converted to decimal, 20 becomes facility code 32.

Next we can examine the serial number, which in hex is 01 8A. Converted to decimal, this becomes serial number 394, which matches the 00394 serial number printed on the card.

We can now reverse engineer this card, and make our own cards. Of course I have no intention of actually doing so (plus the card is for an open air parking deck I can literally walk into), but let's take a look at how simple the process is. (I've uploaded all of the files to my GitHub if anyone wants to play around with them)

So, if we wanted to gain access under someone else's card, all we need to do is view the back of their card, which has the serial number printed on it. For example, if we look at someone else's card and it has 00123, we just need to adjust our Flipper generated card accordingly. Facility code will stay at 32, so that converts to 20 in Hex. Serial number 123 becomes 00 7B in Hex. So our new card will need to have the data: 20 00 7B. Now I simply need to create a new RFID card file on my Flipper Zero with that data, and I should be able to park for free.

These old outdated systems are still commonly used across the globe. Unfortunately, as long as these older systems are still used, many places will be very vulnerable.

Identifying Vulnerabilities

  • Unencrypted communication: Basic RFID access control systems often lack robust encryption protocols, leaving the communication between the card and the reader susceptible to interception. This vulnerability opens the door for potential unauthorized access and cloning attempts.
  • Visible serial numbers: In the example of the access card found, the serial number is printed on the back of the card, making it easily visible to anyone who comes across it. This presents a significant security risk, as the exposed serial number can be exploited to create duplicate cards for unauthorized access.
  • Limited authentication measures: Basic access control systems usually rely solely on the facility code and serial number for authentication. These simple identifiers are relatively easy to replicate or manipulate, thereby compromising the system's overall security.

Security Implications for Parking Decks and Similar Systems

  • Unauthorized access to restricted areas: The vulnerabilities inherent in basic RFID access control systems create opportunities for unauthorized individuals to gain entry to restricted areas, such as parking decks or buildings. By obtaining or replicating a legitimate access card, malicious actors can bypass security measures and potentially engage in illicit activities or misuse parking facilities.
  • Cloning attacks and misuse: The lack of encryption and the visibility of the serial number on access cards make them susceptible to cloning attempts. Malicious individuals can exploit this vulnerability by creating duplicate cards with adjusted facility codes and serial numbers, allowing them unauthorized access to parking decks and potentially causing disruptions or committing fraudulent activities.
  • Social engineering risks: The simplicity of basic access control systems, coupled with visible serial numbers, increases the likelihood of social engineering attacks. By manipulating individuals or convincing them to share their access cards or card information, unauthorized individuals can gain entry, jeopardizing the security and integrity of sensitive areas.

Enhancing Access Control System Security

To mitigate the risks associated with basic access control systems, several security measures should be implemented. Some of these measures require complete replacement of access control systems with newer systems, while others address the human element.
  • Encryption and secure communication: Employing strong encryption protocols between access cards and readers can protect against eavesdropping and unauthorized cloning attempts.
  • Two-factor authentication: Implementing additional layers of authentication, such as PIN codes or biometric verification, can enhance the security of access control systems. This makes it more difficult for unauthorized individuals to gain entry, even if they possess a cloned access card.
  • Regular audits and monitoring: Conducting periodic audits and monitoring access logs can help detect any suspicious activities or anomalies. This enables prompt identification and response to potential security breaches.
  • Employee education and awareness: Training employees about the importance of access control system security, the risks associated with unauthorized sharing of cards, and the need to report lost or stolen cards can significantly improve overall system security.
Overall, newer systems contain much better security measures to prevent RFID card cloning, and hopefully will be adopted much more commonly soon.
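The audit-and-monitoring point above is the one control that works against a cloned card without replacing the reader, since a clone of card 00394 produces log entries the real card cannot explain. As an added example (not the post's or any vendor's tooling), this Python audit runs over constructed access-log lines in an assumed field layout and flags two things: a card reported lost being granted entry, and a card entering twice with no exit in between (anti-passback).

```python
from datetime import datetime

# Constructed sample access log; the field layout is assumed for this example.
SAMPLE_LOG = """\
2023-05-24T07:58:02 reader=deck-entry fc=32 cn=123 result=granted
2023-05-24T08:05:40 reader=deck-entry fc=32 cn=394 result=granted
2023-05-24T08:31:17 reader=deck-entry fc=32 cn=123 result=granted
2023-05-24T12:10:05 reader=deck-exit fc=32 cn=123 result=granted
2023-05-24T12:12:49 reader=deck-exit fc=32 cn=123 result=granted
"""

# Cards reported lost; constructed list holding the (FC, CN) of the card in the post.
LOST_CARDS = {(32, 394)}

def parse_log(text):
    """Turn each 'time key=value ...' line into a dict."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({
            "time": datetime.fromisoformat(ts),
            "reader": fields["reader"],
            "card": (int(fields["fc"]), int(fields["cn"])),
            "granted": fields["result"] == "granted",
        })
    return events

def audit(events, lost_cards):
    """Flag granted use of a lost card and anti-passback violations."""
    alerts = []
    inside = set()  # cards the log says are currently inside the deck
    for ev in sorted(events, key=lambda e: e["time"]):
        if not ev["granted"]:
            continue
        fc, cn = ev["card"]
        tag = f"{ev['time']:%H:%M:%S} FC{fc}/CN{cn}"
        if ev["card"] in lost_cards:
            alerts.append(f"{tag} lost card granted at {ev['reader']}")
        if ev["reader"] == "deck-entry":
            if ev["card"] in inside:   # second entry, no exit: clone or passed-back card
                alerts.append(f"{tag} entered twice without exit")
            inside.add(ev["card"])
        elif ev["reader"] == "deck-exit":
            if ev["card"] not in inside:
                alerts.append(f"{tag} exited without entry")
            inside.discard(ev["card"])
    return alerts
```

On the sample log the lost card 00394 is flagged at entry, and card 00123 is flagged twice: once for its second entry and once for the extra exit that follows.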

Conclusion

While basic access control systems provide a level of convenience and security, it is crucial to acknowledge their inherent vulnerabilities. The ease with which access cards can be cloned or manipulated poses a significant risk to the overall integrity of the system. By implementing stronger security measures, including encryption, two-factor authentication, and regular monitoring, organizations can fortify their access control systems and mitigate potential threats. Maintaining a robust and secure access control system is vital for safeguarding sensitive areas and ensuring the protection of individuals and assets. The vulnerable access control systems of yesterday must be replaced, if we're truly going to properly secure our physical world.

Ken is a Cybersecurity practitioner with over 15 years experience. All opinions are his own, and do not reflect those of his employer or clients.
