Badge Access Systems - Important, But Not a Panacea
November 3, 2014
Proximity badge access systems are hardly new. My first exposure was with a major PC hardware manufacturer over 20 years ago. Of late, they have become common, even in small businesses. The cost per door for a badge access system is a fraction of what it was a few years ago. Such systems have many points in their favor:
Granularity - you can easily control which people can enter which doors, and at what times. This allows you to control who gets into the data center, records storage, etc.
Tracking/Audit - If there is ever a security incident, you can determine who came and went around the time of the incident. If you are concerned about compliance requirements such as HIPAA, system logs allow you to demonstrate who accessed critical areas.
Termination - If an employee leaves, you can quickly disable their access to your facility without worrying about getting physical keys back.
Identification - In combination with a photo, they can be used for identification as well.
Badge systems today are capable and reliable enough that we tend to trust them implicitly, as a substitute for paying proper attention to overall physical security. That trust can prove to be a big problem.
Despite their advantages, badge systems have numerous exposures, particularly when used to control building/suite entry. First and foremost, they are frequently lost. Unlike a physical key, they often include information allowing someone finding a badge to know where to use it. Most organizations that use access badges have a policy in place requiring employees to report the loss immediately. Unfortunately this often does not happen. Employees are either too embarrassed to admit the loss, or are convinced that the lost one will turn up sooner or later.
A more esoteric but real exposure is the threat of RFID hacking. To understand that threat, you need to know a bit about system architecture. A badge is basically a passive RFID transponder: the reader energizes it, and it responds with its stored number. A badge reader scans for cards nearby, obtains the coded number from the card, verifies its validity and access limits via the controller, and decides whether or not to open the door. The number encoded on the card includes a facility code, intended to make sure your card does not work on your neighbor's door, and a unique card number. The number of bits transmitted varies with the particular product in use. There are a few different frequencies in use, with reader ranges from a few inches to 30 feet. According to manufacturer HID Global, over 80% of systems in service use the 125 kHz frequency range. For those of you with propellers on your hats, this site provides a more detailed explanation of encoding and operation.
There are two common approaches to RFID hacking:
RFID Information Capture - For less than $300, anyone can buy a small USB device that will scan and decode the information from any card within range. The common 125 kHz proximity cards transmit their number in the clear, with no authentication between card and reader, so the captured number is all that is needed to write a working duplicate. If your employee has a card visible or in their wallet, someone with such a device can capture the information and duplicate it without ever possessing the card.
Brute Force Attacks - The hacker uses a readily available device near a reader, which cycles through possible facility codes, badge numbers, and formats, until a working combination is found. These are legitimately used by auditors in some cases, but can be obtained by anyone.
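To make the encoding and the two attacks above concrete, here is an added example (not code from the original post) that encodes and decodes the common 26-bit Wiegand proximity format: one leading even-parity bit, an 8-bit facility code, a 16-bit card number, and a trailing odd-parity bit. Capturing one frame and replaying it is the whole of the cloning attack; the last function shows why the facility code matters to the brute-force attack: with an unknown facility code there are about 16.7 million candidates, but the facility code is shared by every badge at a site and appears in every captured frame, after which only 65,536 card numbers remain. The facility code and card number used in the demo are constructed values.

```python
from typing import Tuple

FACILITY_BITS = 8                                   # 26-bit Wiegand: 8-bit facility code ...
CARD_BITS = 16                                      # ... and 16-bit card number
FRAME_BITS = 2 + FACILITY_BITS + CARD_BITS          # plus one parity bit at each end


def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Build a 26-bit frame as a '0'/'1' string, first bit transmitted first."""
    if not 0 <= facility_code < 1 << FACILITY_BITS:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number < 1 << CARD_BITS:
        raise ValueError("card number must fit in 16 bits")
    data = f"{facility_code:08b}{card_number:016b}"  # 24 data bits
    even = data[:12].count("1") % 2                  # even parity over the first 12 data bits
    odd = 1 - data[12:].count("1") % 2               # odd parity over the last 12 data bits
    return f"{even}{data}{odd}"


def decode_wiegand26(frame: str) -> Tuple[int, int]:
    """Check both parity bits and return (facility_code, card_number); raise on a corrupt frame."""
    if len(frame) != FRAME_BITS or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 bits of '0'/'1'")
    data = frame[1:-1]
    if int(frame[0]) != data[:12].count("1") % 2:
        raise ValueError("even parity check failed")
    if int(frame[-1]) != 1 - data[12:].count("1") % 2:
        raise ValueError("odd parity check failed")
    return int(data[:FACILITY_BITS], 2), int(data[FACILITY_BITS:], 2)


def brute_force_candidates(facility_known: bool) -> int:
    """Distinct data values an attacker cycling through codes at a reader must try."""
    return 1 << CARD_BITS if facility_known else 1 << (FACILITY_BITS + CARD_BITS)


if __name__ == "__main__":
    frame = encode_wiegand26(42, 12345)              # constructed sample facility code / card number
    print(frame, decode_wiegand26(frame))            # a captured frame decodes straight back to both numbers
    print(brute_force_candidates(False), brute_force_candidates(True))
```

Note that the parity bits protect only against transmission errors, not against an attacker: anyone who can construct the frame can compute them, which is why a fixed number sent in the clear offers no defense once it has been read.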
From the information available, I do not think such hacking is highly prevalent at this point. That being said, the threat cannot be ignored. There are some actions you can take to protect yourself from a variety of badge access threats, which range from easy and cheap, to difficult and expensive:
Don't put any information on a badge that would allow someone who finds it to know where to use it. Many companies prominently display their logo on the cards, but this is as bad as writing your home address on your house key.
Consider using biometrics, such as fingerprint recognition, in addition to a badge for building/suite entry. In the multi-factor authentication world, this is known as requiring something you have (a badge) and something you are (your finger).
Use cameras to monitor and record access to major doors.
Use time controls to prohibit employees from entering outside the hours they are allowed to be present. If someone finds a badge, they are most likely to try it after hours.
Periodically audit the badge system user database and access logs. Make certain that employees who have left do not have active badges, that no unknown individuals are in the database or the logs, and that no anomalies exist in the access logs (such as an employee entering at an unusual time, or someone entering geographically disparate doors near the same time). Ideally, these checks should NOT be done by the department responsible for maintaining badges, to eliminate any risk from insider fraud. Use a different department, such as Accounting, or an outside firm.
Use an RF-shielding sleeve for cards, which prevents their information from being read while the card is stowed. This is one example of an inexpensive RF sleeve.
If you are installing a new system or looking for a replacement for an old system, consider a technology that encrypts and authenticates the exchange between card and reader instead of transmitting a fixed number in the clear. HID iCLASS is one such family; be aware that the keys of the original iCLASS "Standard Security" cards have since been recovered and published by researchers, so specify a current generation (iCLASS SE or Seos) rather than legacy iCLASS.
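As an added example (not part of the original post), the following Python runs the audit checks from the list above against a constructed badge database, HR roster and access log: active badges whose holders HR lists as terminated, badge numbers absent from the database, entries outside permitted hours, and the same badge used at two different sites within an interval too short to travel between them. The badge IDs, names, door names, sites and timestamps are all constructed for the example; the 07:00 to 19:00 window and the 30-minute travel threshold are assumptions to tune to your own sites.

```python
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed badge database: badge id -> (holder, badge still active?)
BADGES: Dict[str, Tuple[str, bool]] = {
    "B1001": ("alice", True),
    "B1002": ("bob", True),
    "B1003": ("carol", True),
    "B1004": ("dave", True),   # HR says dave has left; badge was never disabled
}

# Constructed HR roster, ideally maintained by a department other than the badge admins.
HR_STATUS: Dict[str, str] = {"alice": "active", "bob": "active",
                             "carol": "active", "dave": "terminated"}

# Constructed access log, one event per line: timestamp,badge,door,site
SAMPLE_LOG = """\
2014-10-28T08:02:11,B1001,HQ-Lobby,HQ
2014-10-28T08:05:40,B1002,HQ-DataCenter,HQ
2014-10-28T23:41:03,B1003,HQ-Lobby,HQ
2014-10-29T09:10:00,B1002,HQ-Lobby,HQ
2014-10-29T09:18:22,B1002,Warehouse-Main,WAREHOUSE
2014-10-29T10:00:00,B9999,HQ-Lobby,HQ
"""

Finding = Tuple[str, str, str]  # (check name, badge id, detail)


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse CSV access events and return them in time order."""
    events = [(datetime.fromisoformat(ts), badge, door, site)
              for ts, badge, door, site in csv.reader(io.StringIO(text))]
    return sorted(events)


def audit(badges: Dict[str, Tuple[str, bool]], hr_status: Dict[str, str], log_text: str,
          allowed_hours: Tuple[int, int] = (7, 19),
          travel_window: timedelta = timedelta(minutes=30)) -> List[Finding]:
    findings: List[Finding] = []

    # 1. Terminated employees who still hold an active badge.
    for badge_id, (holder, active) in sorted(badges.items()):
        if active and hr_status.get(holder) != "active":
            findings.append(("terminated_active", badge_id, holder))

    last_seen: Dict[str, Tuple[datetime, str, str]] = {}   # badge -> (time, site, door)
    for ts, badge_id, door, site in parse_log(log_text):
        # 2. Badge numbers the database does not know about.
        if badge_id not in badges:
            findings.append(("unknown_badge", badge_id, f"{door} at {ts.isoformat()}"))
            continue
        # 3. Entry outside the hours the holder is allowed on site.
        if not allowed_hours[0] <= ts.hour < allowed_hours[1]:
            findings.append(("after_hours", badge_id, f"{door} at {ts.isoformat()}"))
        # 4. Same badge at two different sites too close together in time to be one person.
        prev = last_seen.get(badge_id)
        if prev and prev[1] != site and ts - prev[0] <= travel_window:
            minutes = int((ts - prev[0]).total_seconds() // 60)
            findings.append(("impossible_travel", badge_id, f"{prev[2]} -> {door} in {minutes} min"))
        last_seen[badge_id] = (ts, site, door)
    return findings


if __name__ == "__main__":
    for finding in audit(BADGES, HR_STATUS, SAMPLE_LOG):
        print(*finding)
```

Run against the constructed data this reports four findings, one per check. The first check needs nothing but the two databases, so it is worth running on its own schedule (for instance at every HR offboarding) rather than waiting for the periodic log review.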
In summary, badge systems are of great benefit to physical security, but they are not in themselves the answer to physical security.