Risks rapidly increase to both cybersecurity and physical access security when proximity access control systems for both physical access to areas and authentication to computers and other devices is implicated. In this potential attack vector, the devices “leak” electromagnetic fields that can manifest in the pulsing of lights or interference sounds in audio equipment, both often imperceptible to the naked eye or ear. However, high-resolution cameras in cell phones and surveillance equipment can record pulses of light, enabling the attacker to gain the keys to the encryption, and therefore, access. These attacks can lead to theft of sensitive confidential information, including intellectual property. The potential for attack is immense, as these proximity readers are ubiquitous in doors and computers.
In response to this threat, all organizations using these access control devices should consider the following mitigation steps:
- Switching to biometric or two-factor access for sensitive areas or systems. The use of a keypad or the use of fingerprints or retina scans for access control to sensitive areas mitigates this threat (when permitted by law).
- If continuing to use proximity access for sensitive areas, place an individual near the door for a human to visually control access.
- Reviewing encrypted systems and networks, considering vulnerabilities, and continuing to monitor this potential exploitation.
- Updating security and access policies to align with mitigations and therefore increase the difficulty for attackers.
Many organizations use card readers and other tokens with proximity connectivity for access to sensitive areas and information. These attacks increase the risk of physical access, as well as access to computers and the data therein. Liability and loss of intellectual property present reputational and monetary damage to organizations.