I recently came across a post being shared on Twitter of a display in a retail store showing that they can now duplicate key fobs for access control systems. The company offering this service is Minute Key, the kiosks you see at Walmart and other big box retailers. These kiosks have been around for some time and can duplicate your home keys with an automated machine.
Access control systems are put in place to enable building administrators to keep track of and control access to the building by issuing numbered key cards to specific individuals. This would typically mean administrators would know that John Doe has key card number 7 and that only one copy of that card exists. If John's wife Jane also needed access to the building, the administrator would issue a different card number to her.
The problem these kiosks introduce is that John Doe can now go to his local big box store and make as many copies of his access card as he would like. These cards can be handed out to anyone he desires, giving John the power to decide who enters your building. The copied card will still register as John in the access control system's audit log, but these logs are not routinely checked if there is no suspicion of foul play.
Most people might not think of this as a big deal: he made a copy of his key to give his wife. Here are some scenarios that make this a bigger issue:
- John has a gym membership he pays for that only allows him access. He can now hand out copies to his friends so they can access the gym for free.
- John is a college student living in an apartment building. He makes copies of his card to give his friends so they can visit anytime. Now his friends have access to the building anytime, putting the other residents at risk.
- Jane has a child in a daycare facility that issues the parents key cards for child pickup. Jane made a copy without the daycare's consent and gave one to John. Next year they split up and have a custody battle. John is not supposed to have access to the daycare, which according to them shouldn't be an issue. John shows up at the daycare and enters the building with Jane's card.
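Because a copied card registers under the original card number, the audit log is the one place where sharing can show up. The sketch below is an added example, not part of the original post or any vendor's software: it scans a constructed log for the same card number entering twice without an exit, or appearing at two readers too close together. The log layout, reader names, the assumption that exits are logged, and the five minute transit threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit log: (timestamp, card number, reader, direction).
# Field layout and reader names are assumptions, not a vendor export format.
SAMPLE_LOG = [
    ("2024-03-04 08:01:10", 7, "lobby", "in"),
    ("2024-03-04 08:03:40", 12, "lobby", "in"),
    ("2024-03-04 08:20:05", 7, "lobby", "in"),      # card 7 is already inside
    ("2024-03-04 12:00:00", 12, "lobby", "out"),
    ("2024-03-04 12:45:00", 12, "lobby", "in"),
    ("2024-03-04 17:30:00", 7, "lobby", "out"),
    ("2024-03-04 17:31:00", 7, "parking", "in"),    # different reader 60 s later
]

MIN_TRANSIT = timedelta(minutes=5)  # assumed minimum walk time between readers


def find_shared_card_events(log, min_transit=MIN_TRANSIT):
    """Return (card, timestamp, reason) for swipes that suggest two copies."""
    inside = {}      # card -> True while the log says the holder is inside
    last_seen = {}   # card -> (time, reader) of the previous swipe
    findings = []
    for stamp, card, reader, direction in sorted(log):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        # Same card entering twice with no exit in between.
        if direction == "in" and inside.get(card):
            findings.append((card, stamp, "entry while already inside"))
        # Same card at a different reader sooner than a person could walk.
        prev = last_seen.get(card)
        if prev and prev[1] != reader and when - prev[0] < min_transit:
            findings.append((card, stamp, "two readers too close in time"))
        inside[card] = direction == "in"
        last_seen[card] = (when, reader)
    return findings


if __name__ == "__main__":
    for card, stamp, reason in find_shared_card_events(SAMPLE_LOG):
        print(f"card {card} at {stamp}: {reason}")
```

A missed exit swipe, such as someone leaving behind a colleague, produces the first finding as well, so treat the output as leads for review rather than proof of a copied card.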
The good news is that at this point in time these machines can only copy low frequency (125 kHz) cards, which have been known to be insecure for some time. They are still widely used, as they are cheap to implement.
You can upgrade your system to use high frequency cards such as iClass, Mifare, and other more secure card formats. While some of these formats are more secure than others, they all fix the problem of Minute Key duplicating your access cards.
At the end of the day it can be almost impossible to have your building 100% secure; people will always find a way to bypass any measures put in place. I think it is irresponsible for a company like Minute Key to offer this service. The reason most building administrators implement access control systems is to ensure a higher level of security and accountability: they know how many keys have been issued and who they were issued to. Offering this service undermines that and potentially puts people at risk.