Subtle failures in dual purpose ID/access card security

Many of the larger offices, hospitals, universities and schools around London and in other major cities have some form of ID or access control card system. There’s no doubt that these do help improve security. There are however frequently failures either in the designed or realised implementation. I think it is always important to separate the designed implementation from the realised – many systems have been designed to be secure, but factors such as excessive complexity or cost mean that the realised implementation is no longer secure.

Access and ID cards do indeed serve dual purposes:

Identification – this allows someone to verify who you are and to tie you to the card you are carrying.

Access control – the card will either allow or deny you access to the building, based on some form of authorization such as a list of ID cards which are allowed into the building.

By linking you to the card (identification), authenticating the card (which is normally done in the background using some kind of key exchange), and then checking to see if the card is authorized, there is a secure protocol to either allow or deny a person access. I’ve not included “authentication” as one of the purposes as really it is part of both the identification and access control.

A lot of sites don’t use the cards for both purposes however, and this can cause the protocol to break down.

Take a hospital for example, where staff are encouraged to visibly wear ID cards at all times. Many areas of the building will have no enforced access control – the system relies on people being vigilant and questioning anyone with ID. The same system is often used in schools and universities.

There are a number of problems with this system. There is no mechanism to revoke cards short of physical removing them from the holder. It’s also normally trivial to make a visually identical card that will pass all but the closest inspection. The fundamental flaw is that there is no access control in place.

Other sites use the system purely as access control. The card is used as an electronic key. The problem here is that they have some the disadvantages of a key – you have no way of checking that the person using the card is authorized. You can merely check that the card is authorized.

Of course, the most secure option is to use the card for both identification and access control. In fact, it could be perfect, but frequently the implementations have major shortcomings.

One of the big problems is that the two tasks of identification and access control are very different to one another. Humans are excellent at checking to see if a face matches a photo, but are terrible at checking lists of authorized names.

Machines can often be tricked when trying to match a face to a photo, but they excel at checking lists of names.

So often a hybrid solution is used – the human performs the identification and the machine peforms the access control. Sounds ideal, doesn’t it? The common implementation is to have a guard at each door checking the photographs before the holders walk up to electronic access control barriers.

The person checking the face matches the photo doesn’t just have to perform identification – they also need to check that the card is authentic. Authenticating a plastic card takes a lot longer than identifying the person, and frequently this step is skipped, or at best is purely visual. Anyway, why bother – the access control authenticates the card later…

So say I steal someone’s card, stick my photo onto the front, and walk in. The guard identifies me and authenticates the card visually. The barrier then authenticates the card electronically, and authorizes me. I’m in the building when I shouldn’t be.

How do we solve this? If we think about it, putting the photo on the card is a bit of a silly idea. Why not hold it centrally on a database, and allow the guard to both electronically authenticate and visually identify the person at the same time? The reason they don’t do this is because it would massively slow down entry to the building.

There are other issues. We can break the identification step by simply holding the ID card upside down. Humans are awful at matching upside down photos to faces, so this simple trick will often allow you to walk right past guards. You are relying on having a card with someone of the same sex and hair colour, and the guards being relatively polite. This does frequently work.

Commonly the card will give the users other powers as well, and it is possible to exploit these. I have a card for a building that I visit relatively infrequently, and I find that I need to get my card re-enabled each time I visit. I think it expires after a month of not being used.

I entered the building wanting to sign a guest in. I passed the guards, who identified me and let me past. I then went to the reception desk, and asked if I could sign in a guest. They looked at my card, decided it was authentic, but performed no authorization. They issued my guest a pass, and we walked over to the barriers. My guest was allowed through, but I wasn’t – as I expected, my card had expired. The reception desk doesn’t even ask for another form of ID from the guest – they are purely relying on my authorization, which they have implied from my authentic card.

Another interesting situation came up over Christmas. I had to visit a building but didn’t have my card with me. I went to the security desk, knowing that the response would be to call my manager and ask if I could be issued with a day pass. I also knew that on that day, no one would be there to answer the call.

The guard dialled the extension, and I heard it ring a number of times. My mobile started ringing, and I answered it, only to find I was speaking to the guard. What had happened here?

Our phones ring as a group so that if one person is busy, another can answer it. I knew I would be out of the office a lot, so I had set up call forwarding to my mobile. It seems that the entire group of phones was forwarded to my mobile, allowing my manager’s extension to be redirect to me.

The guard had no indication on his phone that the call had been forwarded. It would be possible for a malicious insider to engineer such a situation, allowing an accomplice to enter the building. Luckily, when issuing the day pass, security are presented with both your photo and access rights, foiling this attack. I still think it is worthy of though in other attacks though.


Leave a Reply

Your email will not be published. Name and Email fields are required.

This site uses Akismet to reduce spam. Learn how your comment data is processed.