Campus ID News
Card, mobile credential, payment and security
FEATURED
PARTNERS
ColorID prox 1

A reminder of why 125kHz Prox isn't secure

ColorID details technology underpinning prox, how it can be cloned

Andrew Hudson   ||   Mar 08, 2019  ||   ,

After nearly three decades in the field, the 125 kHz prox card remains one of the most widely used card technologies for electronic access. Still, it seems that many are unaware of more recent developments that now threaten the security of these cards.

In the latest installment of copmany's Spotlight Series newsletter, David Stallsmith, Director of Strategic Initiatives at ColorID, details prox technology, its susceptibilities and just how easy it is to clone these credentials in the field.

Prox, short for “proximity,” once offered a significant upgrade for users of mag stripe or Wiegand access cards, which have to be swiped through a card reader. Prox cards only need to be held near a reader to open a door, and can work through a wallet, purse or pants pocket.

"​Since their operation was initially so mysterious, prox cards were generally thought to be as secure as they were convenient," writes Stallsmith. "For a long time, this was mostly true because the technology needed to clone a card was big and expensive."

Over time, however, the price for cracking a prox system fell dramatically making it far less prohibitive to compromise the credentials at scale.

"Today, anyone can buy a device at a large online retailer for under $20 that can read the data from most 125KHz prox cards, store it, then write it to an unprogrammed card," explains Stallsmith. "There are also more powerful devices for under $500 that fit in a backpack and can read the data from a prox card several feet away, even if it's inside a wallet or purse. Both types of devices can be used to create unauthorized cards that the access control system cannot distinguish from officially issued prox cards."

These more readily available, inexpensive devices for cloning and copying prox cards has introduced a new threat level to the security landscape.

Legacy prox cards and readers were originally designed to communicate small amounts of data -- usually 8-16 digit card numbers -- in the 125 kHz radio frequency range. "Convenience and function were far more important design considerations than security, so data was transmitted in unencrypted form," explains Stallsmith. "This led to later attempts by manufacturers to bolster the security of prox technology by introducing simple data scrambling techniques or leveraging proprietary card number formats and ranges based on end-user licensing (e.g. Corporate 1000)."

These techniques, though initially effective, were ultimately a Band-Aid rather than a permanent solution. "Unfortunately, prox reading and writing technology is now so widely understood and available that the primary access card and reader manufacturers have lost their gatekeeper status," says Stallsmith. "The doors of those prox-protected buildings and systems are virtually standing wide open."

But what if your campus is leveraging prox? What can be done to mitigate the security risk?

"Prox-based access systems for doors and networks have relatively inexpensive end points, namely cards and readers," says Stallsmith. "In most cases, legacy prox cards and readers can be replaced with new, advanced technology cards and readers that communicate using modern encryption techniques. These new readers are typically interchangeable with legacy hardware, so they can be used with existing access control systems."

An increasing number of institutions are now ditching low-security credentials for more robust card technologies. The key to this migration, however, is to be proactive rather than reactive.

"Many corporations and institutions have migrated from legacy prox systems to more secure cards and readers. Some of these migrations were made voluntarily and in advance of any problems, but many were made after a breach revealed the unsuspected vulnerability," says Stallsmith. "Card and reader security is often overlooked for technology refresh scheduling, but the dramatic increase in prox system vulnerability should really move this item up in an organization’s security priorities."

Related Posts

Subscribe to our weekly newsletter

RECENT ARTICLES

Feb 06, 25 / ,

Amazon stores remove their company’s own Just Walk Out technology

While Amazon Just Walk Out technology seems to be succeeding in campus c-stores and stadiums, the retail giant has failed to make a go of it in its company-owned stores. Just Walk Out is a cashierless shopping solution that allows customers to enter a store, pick up items, and leave without stopping at a checkout […]
Phone with dead battery
Feb 05, 25 / ,

Student ID in Express Mode lets mobile credentials work even when phone dies

Ever since student IDs were stored in Apple Wallet, perhaps the most frequent question was “what happens when the battery dies?” Administrators were rightfully concerned about how their students were going to buy a meal or access their dorm rooms. The answer to the question is found in two important iOS concepts, Power Reserve and […]
Lady showing a digital ID in car

Digital IDs and mobile driver’s licenses take cues from college campuses

We are on the verge of a digital ID revolution that will bring enhanced convenience and security across industries. Government-issued digital credentials will enable online service delivery with massively enhanced security levels that can help eliminate fraud and make it easier on users. Mobile driver’s licenses will be more than just a replacement for a […]
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.
Twitter

Attn: friends in the biometrics space. Nominations close Friday for the annual Women in Biometrics Awards. Take five minutes to recognize a colleague or even yourself. http://WomenInBiometrics.com

Feb. 1 webinar explores how mobile ordering enhanced campus life, increased sales at UVA and Central Washington @Grubhub @CBORD

Load More...
Contact
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301
www.AVISIAN.com[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2025 CampusIDNews. All rights reserved.