HID Proximity Cards: Decoded Versus Undecoded Outputs?

Can someone explain the difference between an HID proximity card's decoded
and undecoded outputs? My guess is that the number printed on the card is an
undecoded output, and it's just there to make it easier for humans to type
in a number to a software application. Probably the real number is on the
card in a longer or more complex format? How many digits are there and
in what format (e.g., alphanumeric only)?

I saw a demo on TV recently of some guy who, using a homemade circuit board,
was able to swipe any person in his vicinity's prox cards, then record that
and play it back to get access through any prox reader. Pretty scary
stuff, and it's obviously not a very secure architecture if they are sending
out numbers in a way that doesn't use some kind of private and public key

We are thinking of using the proximity cards as part of a two-factor
authentication system to log in to computers, which is why I would like to
understand the length and structure of the number on the card. We would be
using PCPROX readers.


Re: HID Proximity Cards: Decoded Versus Undecoded Outputs?

There are no decoded and undecoded outputs in the HID Proximity format you
mention. At its simplest the prox card has a chip inside it creating a pulse
output. There are many physical forms of "active cards" and "passive cards"
and fobs and "lick and sticks" etc. The unique card number is programmed
into the chip inside the card. The HID Proximity format has become an
industry standard so many manufacturers use it since the HID patent expired.
So the chip inside the card creates the same type output as the original
Wiegand pulse-generating cards that used bits of wire inside the card and no
chips. So that's it. It is a pulse. The "pulse" can be different lengths.
There is the standard 26 bit format, meaning a "pulse" of 26 pieces or bits
of on or off data. In that output format you have the card number, the
facility code or site code etc. (because the nomenclature varies a lot). To
make it more interesting one can vary the location of the start bit location
and scramble things up a little. Different access control manufacturers
have their own formats. Continental Instruments 36 bit, Card Key 35 bit,
Infographic Systems 34 bit, CEM 33 bits etc. Therefore what is printed on
the card may be the actual card number output or something else not at all
related to the card number in any way. When you get the cards from the
manufacturer there is a sheet that cross references what is printed on the
card versus the actual output.

You can certainly defeat the security of a card access system by using a
device like the one you saw on TV. You don't even have to be clever enough
to build your own device, you can buy it complete and ready to use right off
of the Internet and start spoofing.

I don't think that one would install simple Wiegand cards on a facility
where high security was a concern. There are other technologies besides
Wiegand. One step up would be to use the Indala reader. Indala is now a part
of HID. You get a more unique communications going between the card and the
reader that makes it a bit more difficult to spoof.

HID is not stupid. They do make cards that you can't easily spoof and
formats that are unique. The HID iCLASS format, combined with an Elite class
reader and Corporate 1000 format would pretty much rule out spoofing or
duplication completely. The iCLASS would mean what the spoofer read would
not work when "played back" to the reader. It is unique every time (well the
challenge repeats every 1.5 million years or some ridiculously long time)
because there is a two way communication going. The Elite ties the reader
and the card together so even another iCLASS card won't be acknowledged. And
the Corporate 1000 means HID will never produce another card with that
number on it so there are no duplicates ever produced by HID.

Does it worry anyone in the industry that Wiegand Prox format cards can be
spoofed? I don't know. If you put a reader on a glass door and have a
strike on a door lock I think not. A prox card is not like a door key that
works 24/7/365. For the most part a card is programmed to work normal
business hours on a limited set of doors. Even if you spoofed a card and
antipassback was in play you couldn't just spoof a card of a random person
passing by and then walk in. In most cases the bad guy wanting in will pick
up a rock and smash out the glass. If the bad guy is a bit more resourceful
or skilled he will pick or pry the lock. I have never been made aware of a
successful (or unsuccessful) spoof attack in real life. If I do I'll try and
post the video clip of the guy here because I am sure there will be one.
There are almost always other sorts of security measures to have to get
around like cameras, or in the reader itself, like PIN numbers, biometric
interfaces, face matching, etc. Remember we're only talking about Wiegand
Prox formats. There are other formats like MiFare, RFID etc. I think the
career of a Wiegand Prox format spoofer would be very short. But don't let
me disabuse anyone here from a career choice. I know some guys that work
with prison ministries and they hear from the inmates that the food is good
and the sex is great.
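
Added example, not part of either post above: a decoder for the standard 26 bit format the reply mentions, showing where the facility code and card number sit in the frame. The bit layout used (leading even parity, 8-bit facility code, 16-bit card number, trailing odd parity) is the widely published open 26-bit layout and is an assumption here, since the thread does not spell it out; the function names and the sample card are constructed.

```python
# Added example: field layout of the open 26-bit Wiegand frame.
# Assumed layout (not stated in the thread):
#   bit 1      even parity over bits 2-13
#   bits 2-9   facility (site) code, 8 bits  -> 0..255
#   bits 10-25 card number, 16 bits          -> 0..65535
#   bit 26     odd parity over bits 14-25

def encode_26bit(facility: int, card: int) -> str:
    """Build a 26-character bit string; used only to construct sample data."""
    if not (0 <= facility < 2**8 and 0 <= card < 2**16):
        raise ValueError("facility is 8 bits (0-255), card is 16 bits (0-65535)")
    data = f"{facility:08b}{card:016b}"
    even = str(data[:12].count("1") % 2)        # first 13 bits end up with even weight
    odd = str((data[12:].count("1") + 1) % 2)   # last 13 bits end up with odd weight
    return even + data + odd

def decode_26bit(bits: str) -> dict:
    """Validate both parity bits and split the frame into its two fields."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 characters of 0/1")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    # Parity only catches line noise. The frame carries no secret or
    # challenge, so it is a static identifier, as the reply describes.
    return {"facility": int(bits[1:9], 2), "card": int(bits[9:25], 2)}

def id_space() -> int:
    """Number of distinct facility/card pairs the 26-bit frame can express."""
    return 2**8 * 2**16

if __name__ == "__main__":
    frame = encode_26bit(42, 12345)             # constructed sample card
    print(frame, decode_26bit(frame), id_space())
```

For the two-factor use case in the question, this means the reader hands the PC at most 24 bits of fixed identifier, so the card value should be treated as a username-like claim rather than a secret.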
