Attack of the clones
Cloning of tokens used in access control systems is a serious issue faced by many commercial premises, especially where there are high security requirements.
Credentials such as badges, RFID tags or entry tokens can all be used for granting entry to a facility or restricted areas. With token cloning technology easily available, duplicating a token can be undertaken within a few seconds.
Access control systems provide the essential services of authorisation, identification authentication, access approval and accountability. Electronic credentials are stored in the memory of a card or token and, theoretically, it is possible to clone any of them. Technologies used for storing data in tokens are usually based in open standard hardware which is easy to duplicate.
There are several reasons why people clone tokens and cards. Sometimes it is with criminal intent in mind, but most times it is simply to obtain duplicates in case of loss and to avoid paying official fees for replacement devices. This puts companies and individuals at risk if tokens end up in the wrong hands.
Mechanical vs. electronic
One question that crops up in response to this is whether it might be better to use mechanical locks and keys in place of electronic access control readers and RFID tags to avoid the whole issue of token cloning altogether.
Whilst key based locks remain the most popular door security by some considerable way, they can also be copied and locks are vulnerable to picking. Cloning a token is more complex than cloning a key, requiring a device to read and reproduce the RFID signal in a blank token.
However, this question really isn’t the right one to be asking in the first place. The starting point should be to assess what level of security is required. Where a higher degree of security is needed, electronic solutions are a better fit because they provide the user with a wide range of added benefits that are particularly useful to larger sites with larger volumes of ‘key holders’.
With electronic access a single entry token or access code can grant access to every door in a building, so there’s no chance of forgetting the key for a particular door.
An additional benefit of electronic access control is complete history logging. This can be an invaluable tool when investigating vandalism or theft, or for tracking response times or technical activities internally. Furthermore, when an outside contractor or visitor needs access, the door can be opened remotely without any effort.
If a physical key is lost there is no way to block it or be sure that it has not fallen into the wrong hands. The only way of blocking access to the lost key would be replacing the original lock. This is not the case with electronic credentials as revoking access privileges is as easy as telling the system to stop trusting the revoked key.
An access control point can be a door, turnstile, parking gate, elevator, or other physical barrier, where granting access can be electronically controlled and can contain several elements.
Access control systems can vary from basic solutions that simply read a card number or PIN and forward it to a control panel, to the more secure intelligent readers that comply with strict security legislations, such as AES-128.
Depending on the level of security needed, manufacturers offer different types of access control solutions. If high security is a must, a system that features an AES-128 bit certification might be the best solution.
AES is available in many different encryption packages, and is the first publicly accessible and open cipher approved by the US National Security Agency (NSA) for top secret information when used in an NSA approved cryptographic module.
The AES-128 encryption is one of the most secure and the only known attack to successfully break it requires about 38 trillion terabytes of data, which is more than all the data stored on all the computers on the planet. AES-128 bit encryption is available from manufacturers such as Stanley Security Products, with affordable readers that can be installed on top of a legacy system to upgrade it to a smart system. Smart readers, such as the Oneprox GS3 HF range, used in conjunction with smart credentials, offer a secure access control solution suitable for any commercial environment.
While one may think that upgrading a system is a costly and time consuming procedure, more often than not there is no need for a complete system upgrade. The new smart readers can be incorporated into the existing system without too much effort or costly procedures.