The Global Evolution of Access Control Credentials

Access control devices often serve as the first line of defense for protecting a building and its occupants. These solutions typically rely on issued RFID cards to give access only to authorized personnel. In the second part of this Access Control Blog Series, learn about the ways identities are verified using RFID cards, as well as the reasons why many organizations are moving away from older card standards.

Background

Access credentials come in many models and formats, but the access control industry is dominated by two main types of card: Low Frequency (LF) cards that use the 125 kHz band, and High Frequency (HF) cards that operate on the 13.56 MHz band.

The LF format contains extremely well-known and well-documented security vulnerabilities. In response, both access control customers and manufacturers have advocated for a market-wide shift to the newer and more secure HF format. When installing or modernizing an access control installation, organizations should weigh the risks and advantages associated with the 125 kHz low frequency standard versus its more modern counterpart.

LF vs HF breakdown

As their names imply, low and high frequency cards are differentiated primarily by the frequency bands at which they operate. These distinctions make them appropriate for different use cases. Low frequency credentials are an older technology and are cheaper to manufacture, meaning they are more appropriate for circumstances where cards are frequently lost or replaced. However, these cards are comparatively less secure than their higher frequency counterparts, making them less popular in cases where access security is a serious concern.

Vulnerabilities associated with LF

Low frequency cards are known for being less secure because they lack encryption, which makes their stored credential easier to steal. LF cards provide this credential to any device they perceive to be a card reader.

[Figure: LF bit representation]

Above is the bit architecture of the HID 32-bit HP Low Frequency line of cards. The bits in yellow represent the unique card number which is unencrypted and thus trivial to rip straight from the card itself. This card architecture and many others can be found at https://cardinfo.barkweb.com.au/

Bad actors use specialized tools such as the Proxmark, which is designed to mimic a card reader, prompting nearby cards to send along their stored credentials as if they were being used to open a door. All that is required of a thief is to get within a few feet of their mark in order to make off with their secure credential. This process is known as “sniffing.”

High Frequency cards implement safeguards to avoid this vulnerability to sniffing. Instead of revealing credentials directly, they wait for a challenge prompt from a corresponding HF reader. If the reader is of a compatible type (e.g., an NXP MIFARE 1k reader for a MIFARE 1k HF card), the reader will be able to use a pre-programmed decoding algorithm to extract the card’s onboard credential. Other readers and sniffing tools without access to this proprietary algorithm are not able to decode the card and thus the stored credential is protected from theft.

Some lines of HF cards have had their encoding mechanisms leaked or reverse-engineered, meaning they can be sniffed similarly to LF cards. However, this process is comparatively more intensive than LF sniffing and thus HF encoding still acts as a more effective deterrent than no deterrent at all.
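The difference between a static LF credential and an HF challenge exchange can be shown in a small simulation. This is an added example, not code from the original article or from any card vendor: HMAC-SHA256 stands in for the card's proprietary algorithm, and the class names, card number and key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not taken from any real card or site.
LF_CARD_NUMBER = 0x2A51C3
HF_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

class LFCard:
    """Static credential: the same number goes to anything that powers the card."""
    def __init__(self, number):
        self.number = number
    def read(self):
        return self.number

class HFCard:
    """Answers a reader challenge with a keyed MAC; the key stays on the card."""
    def __init__(self, key):
        self._key = key
    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class HFReader:
    """Issues a fresh random challenge per read and checks the card's answer."""
    def __init__(self, key):
        self._key = key
        self._challenge = None
    def new_challenge(self):
        self._challenge = secrets.token_bytes(16)
        return self._challenge
    def accepts(self, response):
        if self._challenge is None:
            return False
        expected = hmac.new(self._key, self._challenge, hashlib.sha256).digest()
        self._challenge = None  # each challenge is valid for one attempt only
        return hmac.compare_digest(expected, response)

def replay_outcomes():
    """Compare a recorded LF read and a recorded HF response when presented later."""
    allowed_lf = {LF_CARD_NUMBER}                 # LF reader: a plain allow-list
    recorded_lf = LFCard(LF_CARD_NUMBER).read()
    card, reader = HFCard(HF_KEY), HFReader(HF_KEY)
    recorded_hf = card.respond(reader.new_challenge())
    hf_legit = reader.accepts(recorded_hf)        # answer to the live challenge
    reader.new_challenge()                        # a later read: new challenge
    return {"lf_replay": recorded_lf in allowed_lf,
            "hf_legit": hf_legit,
            "hf_replay": reader.accepts(recorded_hf)}
```

The recorded LF number is accepted whenever it is presented, while the recorded HF response only matches the challenge it was computed for. That protection holds only as long as the key and algorithm stay secret, which is the caveat the paragraph above raises.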

The Case for LF

[Figure: Software industry credential breakdown. Survey results from Cigital Asia’s presentation at Nullcon.]

Despite the LF 125 kHz band being notorious in the access control space for its inherent vulnerability to credential cloning, it still sees widespread use by integrators across the globe. There are many reasons for this, as each industry has unique needs and use cases, but most would cite one factor in particular: price. HF cards and readers are generally around 25% to 50% more expensive than their LF counterparts; this differential varies by manufacturer and has been shrinking as the HF market matures.

The difference in price point creates an interesting dynamic where organizations must weigh the value of added security versus the costs of upgrading an entire network of cards and readers. Every access control installation is different and there is no objectively correct choice.

For example, LF cards will most likely remain the industry standard for parking passes. HF cards require very close proximity to their reader, usually within inches. This is cumbersome for users trying to unlock a mechanical gate from their car, so higher range LF cards are almost always more appropriate. Additionally, parking garages typically have extra layers of access security deeper in, so the threat of credential theft is less of an issue.

Adoption of HF

Despite its higher price point, global adoption of HF cards has been steadily increasing. Over the past several years, many organizations have made the switch in response to LF’s noted vulnerabilities and to the gradually shrinking price difference between the two standards.

[Figure: Hospitality industry credential breakdown. Survey results from Cigital Asia’s presentation at Nullcon.]

As an example, the hospitality industry once largely preferred low frequency cards for their ease of replacement. If a guest were to lose or take home their room key, it could cheaply and easily be replaced. However, as room cards begin to take on new uses, 13.56 MHz card installations have become the majority across the industry. The reason for this shift can be attributed to three primary factors.

  • Mobile Integration: Many HF readers support technologies such as Near-Field Communication (NFC) and Bluetooth Low-Energy (BLE), which opens the door for wider usage of personal mobile devices in place of a keycard. Guests can unlock their hotel room using their phone or wearable device instead of relying on finicky LF or Magstripe cards.
  • Expansion of Use Cases: The usage of hotel keycards has expanded beyond straightforward access to one’s hotel room. Many hospitality organizations have introduced a single-credential solution to enable universal access to dining, events, and transit options. Instead of using a credit card or other payment method, guests can use their room key or mobile phone to simplify their business trip or vacation.
  • Security Concerns: Parallel to the increasingly diverse key credential deployments, the hospitality industry has placed a greater emphasis on card security. As the key card takes on applications such as making payments and serving as a form of identification, it becomes increasingly important to secure each card’s stored credentials. For reasons explained previously, HF cards have access to much more advanced security and privacy features than their LF counterparts, such as modern encryption standards. The hospitality industry is just one example of the worldwide shift towards HF credentials.

Given the early success and improved user experience of these installations, it is highly likely that other industries and global enterprise as a whole will follow suit. If your organization exclusively uses an LF credential installation, it may be a good time to make the switch to a more modern access control solution. High frequency cards and readers are more affordable than ever, and the risks associated with 125 kHz cards are only becoming more widely publicized.

In determining if now is the right time to upgrade, there are two major considerations that need to be made: what are the risks posed by credential theft? And what are the costs of upgrading?

Assessing security risks

The security benefits of upgrading an existing access control solution are less inherently visible than the costs associated with doing so. Credential theft, while a lesser known and lesser used method of gaining unauthorized access, is becoming increasingly easy to perform. For this reason, it can be difficult to precisely weigh the threat it poses. However, comprehensive security requires the consideration of every possible worst case scenario.

This scenario may vary door by door. The consequences of unauthorized entry into a lobby are generally less serious than unauthorized entry into a server room. For this reason, a holistic approach might not be viable. Consider saving on installation costs by using HF cards only in areas where high security is absolutely necessary.

Assessing upgrade costs

  • Cards: The most obvious step in upgrading to a new HF credential system is replacing all of the old LF cards. Employees must all be issued a new card, each of which costs around double the price of a comparable LF model. Printing and assigning new cards also costs money, so this process can quickly become costly if there are a large number of cardholders who will require new credentials.
  • Readers: High frequency cards require their own type of readers, which can cost anywhere between $75 and $150 apiece depending on the model and included features. On top of this, the process of ripping-and-replacing old readers is expensive and time consuming, especially when done at scale with dozens or hundreds of doors.
  • Logistical Costs: Whether being installed in a new building, or replacing an existing system in an old one, the operational costs of integrating a new access control solution are certainly non-negligible. Depending on the scope and scale of the project, it may be infeasible to entirely replace the existing system over the course of a single weekend. Many organizations opt for a gradual rollout for this reason, replacing cards and readers over the course of weeks or months, which helps spread out costs and logistical complexity.

To avoid locking out current LF users while an HF system is being installed, security teams will frequently install migration readers. These devices can read both low and high frequency credentials of various formats. Migration readers allow organizations to standardize card formats without impacting normal business operations.
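During a gradual rollout, the read events from migration readers show which cardholders and doors still depend on LF. The following is an added example, not part of the original article or any vendor's tooling: the CSV layout, the door tiers and the sample events are all constructed, and a real access control export will use different field names.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: time, door, door security tier, holder, card technology.
SAMPLE_LOG = """\
time,door,tier,holder,tech
2024-03-04T08:01:12,lobby,low,alice,LF
2024-03-04T08:03:40,server-room,high,alice,HF
2024-03-04T08:15:02,server-room,high,bob,LF
2024-03-04T09:20:55,lobby,low,carol,LF
2024-03-04T09:41:10,lab,high,dave,HF
2024-03-05T08:02:31,server-room,high,bob,LF
2024-03-05T08:30:00,lobby,low,dave,HF
"""

def audit_migration(log_text):
    """Summarise who and what still depends on LF before readers go HF-only."""
    techs_by_holder = defaultdict(set)
    lf_at_high = defaultdict(int)                  # (holder, door) -> LF read count
    door_reads = defaultdict(lambda: {"LF": 0, "HF": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        tech = row["tech"].strip().upper()
        if tech not in ("LF", "HF"):
            continue                               # skip unknown types rather than guess
        techs_by_holder[row["holder"]].add(tech)
        door_reads[row["door"]][tech] += 1
        if row["tier"] == "high" and tech == "LF":
            lf_at_high[(row["holder"], row["door"])] += 1
    return {
        # Holders who have never presented an HF card: they would be locked out.
        "lf_only_holders": sorted(h for h, t in techs_by_holder.items() if t == {"LF"}),
        # LF reads at high-security doors: the first cards to reissue.
        "lf_at_high_security": dict(lf_at_high),
        # Doors that saw only HF reads: candidates for disabling LF first.
        "doors_ready_for_hf_only": sorted(
            d for d, c in door_reads.items() if c["LF"] == 0 and c["HF"] > 0),
    }
```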

Ultimately, neither low frequency nor high frequency credentials are an unequivocally correct choice for every organization. Every access control installation is different and every organization has different needs with regard to security and price. For this reason, it’s best to rely on skilled security experts as well as experienced installers to understand which choice is best for a given situation.


The Verkada AC41 door controller unit is compatible with both low and high frequency readers. Verkada also partners with some of the best and most knowledgeable security integrators in the industry.