A $100 handheld consumer-friendly device named the Flipper Zero got our attention in 2022, when its Kickstarter was a viral success.

Its continued popularity more recently got the attention of the New Jersey government, who correctly called it a potential threat to any company or school with access cards.

For those new to the topic: In the hands of a moderately tech-savvy person, it can be configured to copy the digital credentials from someone else’s access card. This almost always happens without permission. Once the other person’s credentials are on the Flipper Zero, then the bad actor can gain unauthorized access to your premises.

Card-copying, an established technology, is now packaged in consumer-friendly devices and thus much more of a threat to certain access control systems.

125kHz “Prox” card systems are the most vulnerable and you should plan your eventual migration away from them.

The most popular upgrade path is to switch over to 13.56MHz “Smart” cards, which come in various crytographic strengths:

  • NXP’s Mifare Classic/Plus/DESFire/DESFireEV3
  • HID’s iClass Legacy/SE/SEOS

At this writing, the first two of each type have been cracked. DESFireEV3 and SEOS are the most secure.

We can help review your card access system vulnerabilities, and create a roadmap to a more secure state.

Roadmap Considerations

Card Readers. You may need to upgrade the readers at each door, replacing or reprogramming them with multiclass readers which handle both kinds of cards (Prox and Smart) and mobile credentials. New cards can be issued once all the readers are installed and active, and the prox cards disabled. The capital expenditure can be spread out by doing it in stages, which can be somewhat more complicated in large-population corporate campuses and universities.

Credentials. Physical cards are a good solution, but the case for switching to mobile credentials has been improving. They are fundamentally more secure than cards (with two-factor authentication), can be provisioned remotely and in stages, and are more extensible. Mobile makes sense right now for smaller organizations (in terms of doors and people), but the economics at scale has been improving quickly.

Multipurpose cards. Universities and colleges often issue cards that work for doors, lockers, POS/vending, the library, and so on. It’s very convenient for the user, but moving to a less-crackable card system takes more effort to get the systems in sync.

High-traffic areas. The low-latency symmetric encryption in the vast majority of card access systems allows people to move through turnstiles quickly. Mobile credentials act somewhat slower, which may be a concern for high-flow areas. We are seeing good biometric (face identification) solutions in the market, and over time expect less user resistance to the technology.