Campus ID News
Card, mobile credential, payment and security
FEATURED
PARTNERS
ColorID prox 1

A reminder of why 125kHz Prox isn't secure

ColorID details technology underpinning prox, how it can be cloned

Andrew Hudson   ||   Mar 08, 2019  ||   ,

After nearly three decades in the field, the 125 kHz prox card remains one of the most widely used card technologies for electronic access. Still, it seems that many are unaware of more recent developments that now threaten the security of these cards.

In the latest installment of copmany's Spotlight Series newsletter, David Stallsmith, Director of Strategic Initiatives at ColorID, details prox technology, its susceptibilities and just how easy it is to clone these credentials in the field.

Prox, short for “proximity,” once offered a significant upgrade for users of mag stripe or Wiegand access cards, which have to be swiped through a card reader. Prox cards only need to be held near a reader to open a door, and can work through a wallet, purse or pants pocket.

"​Since their operation was initially so mysterious, prox cards were generally thought to be as secure as they were convenient," writes Stallsmith. "For a long time, this was mostly true because the technology needed to clone a card was big and expensive."

Over time, however, the price for cracking a prox system fell dramatically making it far less prohibitive to compromise the credentials at scale.

"Today, anyone can buy a device at a large online retailer for under $20 that can read the data from most 125KHz prox cards, store it, then write it to an unprogrammed card," explains Stallsmith. "There are also more powerful devices for under $500 that fit in a backpack and can read the data from a prox card several feet away, even if it's inside a wallet or purse. Both types of devices can be used to create unauthorized cards that the access control system cannot distinguish from officially issued prox cards."

These more readily available, inexpensive devices for cloning and copying prox cards has introduced a new threat level to the security landscape.

Legacy prox cards and readers were originally designed to communicate small amounts of data -- usually 8-16 digit card numbers -- in the 125 kHz radio frequency range. "Convenience and function were far more important design considerations than security, so data was transmitted in unencrypted form," explains Stallsmith. "This led to later attempts by manufacturers to bolster the security of prox technology by introducing simple data scrambling techniques or leveraging proprietary card number formats and ranges based on end-user licensing (e.g. Corporate 1000)."

These techniques, though initially effective, were ultimately a Band-Aid rather than a permanent solution. "Unfortunately, prox reading and writing technology is now so widely understood and available that the primary access card and reader manufacturers have lost their gatekeeper status," says Stallsmith. "The doors of those prox-protected buildings and systems are virtually standing wide open."

But what if your campus is leveraging prox? What can be done to mitigate the security risk?

"Prox-based access systems for doors and networks have relatively inexpensive end points, namely cards and readers," says Stallsmith. "In most cases, legacy prox cards and readers can be replaced with new, advanced technology cards and readers that communicate using modern encryption techniques. These new readers are typically interchangeable with legacy hardware, so they can be used with existing access control systems."

An increasing number of institutions are now ditching low-security credentials for more robust card technologies. The key to this migration, however, is to be proactive rather than reactive.

"Many corporations and institutions have migrated from legacy prox systems to more secure cards and readers. Some of these migrations were made voluntarily and in advance of any problems, but many were made after a breach revealed the unsuspected vulnerability," says Stallsmith. "Card and reader security is often overlooked for technology refresh scheduling, but the dramatic increase in prox system vulnerability should really move this item up in an organization’s security priorities."

Related Posts

Subscribe to our weekly newsletter

RECENT ARTICLES

Mobile credential buy-in video image
Dec 14, 24 / ,

Key steps to get buy-in for mobile credentials on your campus

  In this episode of CampusIDNews Chats we explore how to get buy-in for mobile credentials on your campus and lay the groundwork with your colleagues and administration. Our guest Tim Nyblom, Director of End User Business Development for Higher Education for HID Global, starts with the concept of university branding. But often the ID […]
Penn State Go mobile app
Dec 05, 24 / ,

Penn State moves to Transact Mobile Ordering

After years of experience and a variety of mobile ordering solutions, Penn State is transitioning to the Transact Mobile Ordering app. At the institution’s main location – the University Park campus – a number of dining locations have already launched the service. All on-campus locations will be up and running by spring according to an […]
Spreadsheet
Dec 04, 24 /

UConn card office's recently published budget shows declining revenues

Like other institutions, University of Connecticut students pay mandatory fees to fund various non-academic programs and services. One of these fees, UConn’s General University Fee, helps support the One Card Office as well as Recreational Services, the performing arts center, Student Activities, the Student Union, and more. The General University Fee for the 2024/2025 academic […]
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.
Twitter

Attn: friends in the biometrics space. Nominations close Friday for the annual Women in Biometrics Awards. Take five minutes to recognize a colleague or even yourself. http://WomenInBiometrics.com

Feb. 1 webinar explores how mobile ordering enhanced campus life, increased sales at UVA and Central Washington @Grubhub @CBORD

Load More...
Contact
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301
www.AVISIAN.com[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2024 CampusIDNews. All rights reserved.