Key Fob Breach: A Campus Security Wake-Up Call


In today’s digital age, it’s crucial for organizations, including universities, to identify vulnerabilities in their security systems to prevent unauthorized access and data breaches. From cybersecurity breaches to physical security risks, weaknesses in systems can leave sensitive information exposed and facilities compromised. Recent events at a university campus highlight how a simple vulnerability, like the cloning of key fobs, can have serious consequences.

A university undergraduate student has been charged with two felonies and one misdemeanor for allegedly cloning key fobs, granting him access to campus buildings he wasn’t authorized to enter. According to the university police, the student used an RFID (Radio Frequency Identification) device to duplicate others’ key fobs, which allowed him to unlock doors and gain access to restricted areas for several months. These areas included residence halls, a fire equipment room, and a private apartment; he also attempted to access offices in search of a master key.

As part of the investigation, the authorities seized three cards, three key fobs, and an RFID reader from the student’s dorm room. This incident has raised concerns among students and staff about the security vulnerabilities within the campus, particularly with the use of key fobs as access control systems.

RFID Technology and Its Vulnerabilities

RFID technology, commonly used in access control systems across universities and other institutions, has long been considered a less secure form of authentication. An Executive Director with extensive experience in cybersecurity shared some insights on why RFID is vulnerable. According to the expert, obtaining and using RFID devices is relatively simple, and the technology itself is not designed with robust security features in mind. RFID key fobs transmit an ID number wirelessly, which can easily be intercepted and cloned by anyone with the right device.

One of the biggest issues with RFID systems is that victims of cloning may not even realize their data has been compromised. As the expert pointed out, an attacker can carry an RFID reader in their pocket or backpack, scanning for key fobs without needing to make it obvious or engage directly with the target.

While most card readers are designed to communicate with the card at a very short distance, some specialized readers can work at longer distances, up to three feet away. This makes the act of cloning key fobs deceptively easy and difficult to detect.
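Although the victim may notice nothing, a copied fob used while the original is still in circulation can leave a trace in door logs. The following is an added example, not part of the original article: it flags a fob ID read in two buildings sooner than a person could walk between them. The log format, building names, fob IDs and walking time are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample door-controller log (the line format is an assumption).
SAMPLE_LOG = """\
2024-03-04T08:01:10 building=NORTH-HALL door=front fob=0A1B2C3D result=GRANT
2024-03-04T08:03:40 building=SOUTH-HALL door=side fob=0A1B2C3D result=GRANT
2024-03-04T08:05:00 building=NORTH-HALL door=front fob=77F0E1D2 result=GRANT
2024-03-04T09:30:00 building=SOUTH-HALL door=front fob=77F0E1D2 result=GRANT
2024-03-04T12:15:00 building=NORTH-HALL door=lab fob=0A1B2C3D result=GRANT
2024-03-04T12:16:00 building=NORTH-HALL door=office fob=0A1B2C3D result=DENY
"""

# Assumed minimum walking time between each pair of buildings.
MIN_TRAVEL = {frozenset({"NORTH-HALL", "SOUTH-HALL"}): timedelta(minutes=10)}


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'time' field."""
    timestamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["time"] = datetime.fromisoformat(timestamp)
    return event


def find_implausible_travel(log_text, min_travel=MIN_TRAVEL):
    """Return (fob, from_building, to_building, gap_seconds) for each pair of
    consecutive reads of one fob that are closer in time than the walk allows.
    Denied reads count too: they still place the fob ID at that door."""
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e["time"],
    )
    last_seen, alerts = {}, []
    for event in events:
        previous = last_seen.get(event["fob"])
        if previous and previous["building"] != event["building"]:
            pair = frozenset({previous["building"], event["building"]})
            required = min_travel.get(pair)
            gap = event["time"] - previous["time"]
            if required is not None and gap < required:
                alerts.append((event["fob"], previous["building"],
                               event["building"], int(gap.total_seconds())))
        last_seen[event["fob"]] = event
    return alerts
```

This check only catches a copy used close in time to the original, so it complements rather than replaces reviewing access to doors a holder does not normally use.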

Furthermore, many institutions continue to rely on RFID technology despite its flaws, primarily due to the high costs associated with upgrading or replacing these systems with more secure high-frequency cards, which are not as susceptible to cloning. This lack of urgency in addressing security vulnerabilities creates an ongoing risk to physical security across campuses.
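Why a fob that only transmits an ID number is open to copying, while a credential that answers a fresh challenge with a secret key is not, can be shown with a small model. This is an added example, not part of the original article: the classes, IDs and the HMAC-based exchange are simplified assumptions and do not describe any particular card product.

```python
import hashlib
import hmac
import secrets


class StaticIdFob:
    """Model of a fob that answers every reader with the same ID number."""
    def __init__(self, fob_id: bytes):
        self.fob_id = fob_id

    def respond(self, challenge: bytes) -> bytes:
        return self.fob_id  # the challenge is ignored: nothing secret, nothing fresh


class ChallengeResponseCard:
    """Model of a card that proves it holds a key without ever sending the key."""
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id, self._key = card_id, key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.card_id + challenge, hashlib.sha256).digest()


class ReplayedCapture:
    """A copy that can only repeat the bytes recorded from one earlier exchange."""
    def __init__(self, recorded: bytes):
        self.recorded = recorded

    def respond(self, challenge: bytes) -> bytes:
        return self.recorded


def static_reader_accepts(credential, enrolled_id: bytes) -> bool:
    return hmac.compare_digest(credential.respond(b""), enrolled_id)


def cr_reader_accepts(credential, card_id: bytes, key: bytes) -> bool:
    challenge = secrets.token_bytes(16)  # new random challenge on every attempt
    expected = hmac.new(key, card_id + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(credential.respond(challenge), expected)


def compare_designs() -> dict:
    fob = StaticIdFob(b"\x00\x12\x34\x56\x78")           # constructed sample ID
    key = secrets.token_bytes(32)
    card = ChallengeResponseCard(b"CARD-0001", key)       # constructed sample ID
    static_copy = ReplayedCapture(fob.respond(b""))       # one overheard reply
    cr_copy = ReplayedCapture(card.respond(secrets.token_bytes(16)))
    return {"static_genuine": static_reader_accepts(fob, fob.fob_id),
            "static_replay": static_reader_accepts(static_copy, fob.fob_id),
            "cr_genuine": cr_reader_accepts(card, card.card_id, key),
            "cr_replay": cr_reader_accepts(cr_copy, card.card_id, key)}
```

In the model the static reader accepts both the genuine fob and the replayed capture, while the challenge-response reader accepts only the genuine card, because the recorded reply answers a challenge the reader will not issue again.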

How Can Universities Improve Physical Security?

To prevent incidents like this from occurring, it’s essential to conduct regular assessments of physical security controls. One of the most effective ways to identify vulnerabilities in access control systems is through a physical penetration test (pen test).

Ethical hackers, or penetration testers, can simulate an attack on the system by attempting to clone RFID cards from several feet away, often without the victim’s knowledge. Within minutes, these hackers can successfully duplicate a key fob to gain access to restricted areas.

Pen tests can also identify other weaknesses, such as easily accessible entry points, potential bypass methods for keyed or keyless systems, and issues with tailgating, where unauthorized individuals follow authorized personnel into secure areas. Additionally, further testing can be performed on sensitive areas, including data retrieval and exfiltration attempts, using rogue devices to assess the overall integrity of the system.

Actionable Items

The recent case of a student cloning key fobs to gain unauthorized access to university buildings serves as a wake-up call for institutions and organizations that rely on outdated or vulnerable access control systems. To mitigate the risk of similar incidents, universities must recognize the limitations of RFID technology and take proactive steps to strengthen their physical security measures. Regular security audits, ethical hacking assessments, and investment in more secure systems can help ensure the safety of both physical spaces and sensitive data.

RedLens InfoSec, a division of CampusGuard, can perform a comprehensive check of your physical security controls, including checking all the doors and entryways for easy access points, attempting to bypass keyed and keyless systems, and gaining access to sensitive areas through tailgating or covert methods.


About the Author
Nicole Pribble

PCIP

Customer Relationship Manager

As a CampusGuard Customer Relationship Manager, Nicole is the customer’s main point of contact with the CampusGuard team and is responsible for coordinating the delivery of PCI Compliance and IT security services. She is the primary day-to-day contact for customers and works to ensure that each customer engagement achieves a consistent level of excellence. She works diligently to develop lasting relationships with customers and provide quality service on an ongoing basis.
