
Access Control

How You Can Respond to the Flipper Zero Threat

A $100 handheld consumer-friendly device named the Flipper Zero got our attention in 2022, when its Kickstarter was a viral success.

Its continued popularity more recently got the attention of the New Jersey government, who correctly called it a potential threat to any company or school with access cards.

For those new to the topic: In the hands of a moderately tech-savvy person, it can be configured to copy the digital credentials from someone else’s access card. This almost always happens without permission. Once the other person’s credentials are on the Flipper Zero, then the bad actor can gain unauthorized access to your premises.

Card-copying, an established technology, is now packaged in consumer-friendly devices and thus much more of a threat to certain access control systems.

125kHz “Prox” card systems are the most vulnerable and you should plan your eventual migration away from them.

The most popular upgrade path is to switch over to 13.56MHz “Smart” cards, which come in various cryptographic strengths:

  • NXP’s Mifare Classic/Plus/DESFire/DESFireEV3
  • HID’s iClass Legacy/SE/SEOS

At this writing, the first two of each type have been cracked. DESFireEV3 and SEOS are the most secure.

We can help review your card access system vulnerabilities, and create a roadmap to a more secure state.

Roadmap Considerations

Card Readers. You may need to upgrade the readers at each door, replacing or reprogramming them with multiclass readers which handle both kinds of cards (Prox and Smart) and mobile credentials. New cards can be issued once all the readers are installed and active, and the prox cards disabled. The capital expenditure can be spread out by doing it in stages, which can be somewhat more complicated in large-population corporate campuses and universities.
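The staged cutover described above can be tracked with a readiness check like the following. This is an added example, not code from the original article: the door names, stages, holders and credential labels are constructed, and the cracked/strong tiers simply restate the article's own classification as of its writing.

```python
# Constructed inventory; door names, stages and holder ids are hypothetical.
PROX = "prox-125khz"
# Tiers as the article states them: the first two of each family are cracked.
CRACKED = {"mifare-classic", "mifare-plus", "iclass-legacy", "iclass-se"}
STRONG = {"desfire-ev3", "seos", "mobile"}

READERS = [
    {"door": "HQ-lobby", "stage": "HQ", "multiclass": True},
    {"door": "HQ-server-room", "stage": "HQ", "multiclass": True},
    {"door": "Lab-main", "stage": "Lab", "multiclass": True},
    {"door": "Lab-dock", "stage": "Lab", "multiclass": False},
]
HOLDERS = [
    {"id": "u1", "stages": {"HQ"}, "credentials": {PROX, "desfire-ev3"}},
    {"id": "u2", "stages": {"HQ", "Lab"}, "credentials": {PROX}},
    {"id": "u3", "stages": {"Lab"}, "credentials": {PROX, "mifare-classic"}},
]

def cutover_report(readers, holders):
    """Per stage: can new cards be issued, can prox be disabled, who blocks it."""
    report = {}
    for stage in sorted({r["stage"] for r in readers}):
        legacy_doors = [r["door"] for r in readers
                        if r["stage"] == stage and not r["multiclass"]]
        users = [h for h in holders if stage in h["stages"]]
        # Holders who would be locked out if prox were switched off today.
        prox_only = [h["id"] for h in users if not (h["credentials"] - {PROX})]
        # Holders whose only smart card is in the tier the article calls cracked.
        weak = [h["id"] for h in users
                if h["credentials"] & CRACKED and not h["credentials"] & STRONG]
        report[stage] = {
            "legacy_doors": legacy_doors,
            "can_issue_smart_cards": not legacy_doors,
            "can_disable_prox": not legacy_doors and not prox_only,
            "prox_only_holders": prox_only,
            "weak_smart_holders": weak,
        }
    return report

if __name__ == "__main__":
    for stage, row in cutover_report(READERS, HOLDERS).items():
        print(stage, row)
```

A stage is cleared for disabling prox only when every reader in it is multiclass and no holder who needs that stage still depends on a prox card alone.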

Credentials. Physical cards are a good solution, but the case for switching to mobile credentials has been improving. They are fundamentally more secure than cards (with two-factor authentication), can be provisioned remotely and in stages, and are more extensible. Mobile makes sense right now for smaller organizations (in terms of doors and people), but the economics at scale have been improving quickly.

Multipurpose cards. Universities and colleges often issue cards that work for doors, lockers, POS/vending, the library, and so on. It’s very convenient for the user, but moving to a less-crackable card system takes more effort to get the systems in sync.

High-traffic areas. The low-latency symmetric encryption in the vast majority of card access systems allows people to move through turnstiles quickly. Mobile credentials act somewhat slower, which may be a concern for high-flow areas. We are seeing good biometric (face identification) solutions in the market, and over time expect less user resistance to the technology.

Centralizing Your Security Systems

It’s common for large companies with multiple facilities in the US (and overseas) to have a fragmented set of security systems at all those sites. You might have several kinds of video surveillance solutions running at the same time, and access control systems that don’t talk to each other or your HR database.

How Managed Services Improve Your Security System’s Uptime

This is part of our series on how a managed services team helps your system deliver the required level of corporate safety and security.

(If you’re new to this series, a third-party “managed services team” is a remote set of security experts who assume responsibility for your security system’s day-to-day operation. Here’s our team.)

Today, we’ll focus on how they help deliver a high level of system uptime.

Our Perspective on Open Architecture

We firmly believe in the long-term value of using open-architecture security hardware and software. In other words, fundamentally extensible components that can easily integrate together.

In contrast, some security product lines lock users into a proprietary platform. This may meet your requirements and save capital expenditure in the first few years, but at the cost of higher operating expense and narrowed future choices.

Systems based on open architecture can accommodate new innovations faster, easier, and at lower cost.