Threat Forward

What’s a “static proximity card”?

Proximity cards used in physical security applications generally work on low frequencies, and are energized by ‘proximity’ to a reader.  Upon being activated, a static proximity card will respond by modulating the signal to send out a sequence of bits.  Static cards have no handshake, no ‘smarts’, and will always spit out the same sequence of bits to anything that manages to energize them.  They are a single-purpose ID code transmitter.

What’s wrong with static cards?

Static cards will broadcast their ID anytime they are activated.  They cannot determine if the signal activating them is from a legitimate reader or not.  Conversely, static card readers cannot verify that the ID code they recive is from a legitimate card.  The ID code, once intercepted, can be used in place of the card to gain surreptitious access for the entire lifetime of the original card in the security system.  In addition to stealing ID codes from cards, an attacker can attempt to guess codes by using the readers in the system.  While static protocols claim between 44 and 128 bits for the ID codes, the differences between cards enrolled in the same security system can be as low as 16 bits.

Why pick on HID?

It’s not personal.  HID http://www.hidglobal.com is the single most common vendor of proximity card physical security systems I’ve come across.  There’s an industry of other manufacurers that make equipment compatible with the static “Prox” and “Prox II” protocols that HID created.