How should organizations be mitigating these significant risks to their environments? For one, the notion that having RFID physical access control systems guarantee that they are secure needs to be abolished. It is far too often forgotten that there are no "silver bullets" in security and RFID security is a perfect example.

Organizations need to stop relying solely on their RFID badge systems to provide security assurance for physical access control. Other mechanisms need to be implemented in conjunction with their RFID systems (i.e., defense in depth).

Probably the most low-cost option involves educating your employees about RFID security. Organizations need to be instructing employees to not wear their badges in plain view while off company property (such as the aforementioned coffee shop in Part One).

Another inexpensive mitigating control could be the use of RFID blocking sleeves when not in use (though, the practicality of ensuring all employees abide by this control is questionable at best). If you do decide to pursue the badge sleeve route, thoroughly test them with your organization's badges. RFID operates at different frequencies and not all sleeves effectively block all frequencies.

A basic model which is often applied to IT security is time-based security. Time-based security is the idea that if you can decrease your detection and response times you will, in turn, reduce your exposure time if an attack is leveraged against your system. An example would be ensuring that video surveillance is located at all ingress and egress points.

While having video surveillance in and of itself will not prevent the attack, it does provide a means to quickly identify unauthorized individuals, and provide a way to corroborate electronic logs generated by the badge system to an actual image of the event. The response to an attack would be much faster and more accurate if armed with the information provided by a video surveillance system.

Another way that organizations can mitigate the inherent risks of RFID badges is to use variable, high-level controls on the system itself. One of the most common responses to RFID risks is the idea that if anyone gained access to a location they were not supposed to be in, they would be recognized by other personnel. However, if you were trying to gain access to a secured location, would you try doing it during business hours when the location is occupied? No, you would attempt access after-hours.

If nobody needs to be accessing secured areas after-hours, implementing a control that denies all access after a particular time mitigates risk related to attack timing. An organization could go beyond this for locations that are not frequently accessed by default disabling all access and implementing a process for requesting access and only granting it for a specific time period.

So while all of these controls would be a step in the right direction, none of them address the root cause of the risk, HID, and many other RFID technologies are fundamentally insecure. There are alternative systems that have been pushed to market in recent years which utilize secured technologies. One possible option to consider is active RFID systems. These are known as "contactless smart cards" which incorporate encryption, mutual authentication and message replay protection, essentially mitigating most RFID attack vectors.

A quick note on biometric scanners. As a self-described "geek", biometric scanners are on the top of the list for their cool factor. While these systems are not traditionally vulnerable to a remote "sniff" attack, or theft of credentials, many biometric systems still use the Wiegand protocol to communicate to the controller.  As previously discussed this is an insecure protocol which is (unfortunately) the standard form of communication in many physical access control systems. If the Wiegand protocol is used in any physical access control implementation, transmissions are plain text, easily intercepted (depending on physical implementation) and easily replayed reducing potential security assurance gained from use of biometrics (2).

Physical access controls need to be thought of and managed just like any other form of security. Much like a reserve parachute, mitigating security controls need to be implemented alongside your main method of security because sooner or later your main chute will fail. When it does, you do not want to leave your facility's doors wide open.

Delap is one of Portland’s largest local tax, audit, and consulting accounting firms, located in Lake Oswego, Oregon.


(1) Fransis Brown, "Live Free or RFID Hard" Black Hat 2013 presentation

(2) Zac Franken "Physical Access Control Systems" Black Hat 2008 presentation

(3) Brad Antoniewicz "ProxBrute: Taking ProxCard Cloning to the Next Level"