
The New Hack Risk in Office Access Control: Is Your System Secure?


Recently, security professionals have become aware of a new process for cloning office keycards. Using a hidden reader and encoder, hackers can learn the language used to shield credentials during data transfer, obtain the authentication keys meant to protect against this type of hack, and create cloned cards that allow them full facility access.

Any business that uses a proximity (“prox”) card or smart-card-based system faces this issue. Prox cards are older and less secure, and their cloneability has long been known because they use weaker encryption. More recent research has shown that even robust smart cards are vulnerable, although smart cards are harder to manipulate and replicate because their encryption is more extensive.

The newest office security hack we’re discussing here involves top-of-the-line smart card encryption. In this instance, the code is harder to crack but still vulnerable.

To more fully secure corporate office portfolios, businesses must look toward more sophisticated asymmetric encryption. Otherwise, the hackability of symmetrically encrypted systems will remain a looming security threat in office access control.

Symmetrical Encryption Explained

Encryption keeps the credentials of each individual secure while their information is transmitted throughout a security system to unlock doors and log access. When using symmetrical encryption, the same secret key that hides this information is shared by every card, fob, and reader.

Why Symmetrical Encryption Is Less Secure

When it comes to physical access control, many companies splurge on new locks, reinforced doors, and a robust interface. However, this approach ignores a vulnerable piece of equipment — the key card reader.

Offices throughout the world are using a 50-year-old technology in their keycard readers to secure their spaces. This tech, often using the “Wiegand protocol,” takes information from key cards and communicates it to the larger access control system. If hackers can learn the language used by the keycard system to allow access, they can get into any door.

Building hackers work to intercept, decrypt, and replay signals sent from the reader to the unlocking mechanism. When an office’s security system uses symmetrical encryption, hackers only need to achieve this once to read every credential and even create a master access card, because every card and reader shares the same secret. This compromises every key card and lock on the premises, resulting in costly and time-consuming fixes.

Access control companies release patches for these kinds of issues, but without changing the system entirely, updated firmware only provides a temporary solution. While a more complex, higher security symmetrical encryption might make it take longer for hackers to achieve access in the future, it can’t completely eliminate the vulnerability. In other words, companies can use patches to mitigate office security risk in the short term but can’t avoid potential recurring issues in the long term.

Examples of Symmetrical Encryption Gone Wrong

In March of 2024, a vulnerability in hotel key card readers — named the Unsaflok hack technique — was discovered by a team of hackers attending conferences in Las Vegas. This hotel problem involves lower security and more outdated technology than the most recent office exposures, making the initial hacking process faster and easier.

However, the outcome is the same, once again demonstrating the major problem of symmetrical encryption. Using this technique, once hackers achieve access, every single key and reader within the hotel is compromised. Hackers can enter every room without needing to know the unique codes assigned to each.

In another scenario involving symmetrical encryption, security professionals recently discovered that access system vulnerabilities identified in 2019 were not properly patched until 2024. This led to the security issues — initially found by experts at a cybersecurity conference — being exploited in attacks.

This problem demonstrates another symptom of the symmetrical problem: the inability to permanently solve vulnerabilities. All security providers can do is create patches to “re-complicate” the encryption until the new code gets hacked.

Creating patches for exposed vulnerabilities can take significant time, especially when, as in this example, business considerations like costs or mergers and acquisitions stand in the way. Even after developing these patches, security providers can’t ensure that every affected company will update their system in a timely manner, potentially leaving known vulnerabilities exposed to bad actors for years.

How Asymmetric Encryption Better Protects Access

Given the inherent hackability of symmetric encryption, asymmetrically encrypted access is the solution. While smart card systems are still a useful defense, they are not as resistant to cloning as asymmetric access control options.

Asymmetric encryption means the two sides of the access transaction hold different keys. Each user has a “private key” that is unique to their identity and is held only on their card or smartphone; it is never transmitted. A matching “public key” is derived from it and can be shared with the access control system without revealing the private key.

Then, using Bluetooth or NFC (“Near Field Communication”) technology, the reader and the phone or card exchange a challenge that the device answers using its private key. The reader checks that answer against the user’s enrolled public key to confirm their identity and access rights, allowing entry without ever giving away the secret.

When using a mobile access system like the one described, far more sophisticated cryptography can run on a smartphone than on a smart card. Also, the asymmetry of the encryption makes the key unique and specific to that one identity on that one device, solving the most prominent issue with symmetric access. If hacked, the breach is confined to that one person, limiting both impact and the time and money costs of updating access.
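As an added illustration (not code from the article, nor from Kastle or any Aliro implementation), the following Go program contrasts the two designs described above: a challenge-response where every card and reader shares one site key, against one where each credential signs with its own Ed25519 private key and readers hold only public keys. The names `SymResponse`, `Prove` and `Reader`, and the reader-ID binding of the signed message, are choices of this example, not any product’s API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
)

// Symmetric design: one site key is shared by every card and reader, so whoever
// extracts it from a single reader can answer the challenge for any card ID.
func SymResponse(siteKey, cardID, challenge []byte) []byte {
	m := hmac.New(sha256.New, siteKey)
	m.Write(cardID)
	m.Write(challenge)
	return m.Sum(nil)
}

// SymVerify is the reader side; it must hold the very same secret as the card.
func SymVerify(siteKey, cardID, challenge, resp []byte) bool {
	return hmac.Equal(resp, SymResponse(siteKey, cardID, challenge))
}

// Asymmetric design: each credential holds its own private key (generated on
// the device with ed25519.GenerateKey) and readers only ever see the public half.
// Prove signs the challenge bound to the reader's ID, so a response captured at
// one door is not valid at another; the private key itself is never transmitted.
func Prove(priv ed25519.PrivateKey, readerID string, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(readerID+"|"), challenge...))
}

// Reader holds only an enrollment list of public keys: nothing secret to
// extract, and revoking one credential touches nothing else.
type Reader struct {
	ID       string
	enrolled map[string]ed25519.PublicKey
}

func NewReader(id string) *Reader {
	return &Reader{ID: id, enrolled: map[string]ed25519.PublicKey{}}
}
func (r *Reader) Enroll(id string, pub ed25519.PublicKey) { r.enrolled[id] = pub }
func (r *Reader) Revoke(id string)                        { delete(r.enrolled, id) }

// Verify admits the holder only if the signature checks under the enrolled key.
func (r *Reader) Verify(id string, challenge, sig []byte) bool {
	pub, ok := r.enrolled[id]
	return ok && ed25519.Verify(pub, append([]byte(r.ID+"|"), challenge...), sig)
}
```

Revoking one credential in the asymmetric design is a single map entry; in the symmetric design the only remedy for a leaked site key is re-keying every card and reader.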

Why Companies Are Adopting the New Aliro Access Standard

The new “Aliro” standard created by the CSA (Connectivity Standards Alliance) is endorsed by tech giants like Apple, Google, and Samsung for the greater good. It aims to standardize efficient, high-security access solutions across disparate systems using asymmetric encryption and mobile keys.

The Aliro standard allows facilities to use an open-access platform that provides additional security through asymmetric encryption. This empowers building managers to run software from different providers on one piece of highly secured access control hardware, making security infinitely easier and less expensive for all.

Once it’s adopted, the shared technology standard will enable two unlike devices to recognize access credentials from other manufacturers. For example, if two different companies secure a user’s apartment building and office, they will no longer have to carry two separate keys. Both systems will understand and process the credentials from the user’s phone. This allows the user’s device to grant entry into every place they are authorized — such as their office, gym, residential building, and parking garage — making access more convenient.

This new process will also save ample time for landlords, building owners, and IT teams, who will no longer have to manage hundreds of tenant or employee credentials. Instead, people’s identification credentials will already exist on their smartphones. Those in charge of access management will simply enroll employees and tenants into a master access database that notifies all locations where they have authorization that the person has access rights.

How Kastle Incorporates Asymmetric Encryption to Keep Your Facilities Safe

As long-time champions of the Aliro access standard, Kastle’s leaders even helped to develop and announce the protocol. We have been a leader in asymmetric open technology that supports the coming standard for years.

Already a trusted security vendor with ample five-star reviews on G2, Kastle launched the first universal mobile access platform in 2023. The cutting-edge system, called Kastle EverPresence, operates by today’s standards while being configured for asymmetric encryption under the new Aliro standard. EverPresence prepares commercial real estate properties, business workplaces, and multifamily community properties for the future of access control without having to switch technology when Aliro becomes more widely implemented.

On top of helping customers reduce risks by switching to asymmetrically encrypted tools, we offer security as a service. Our security professionals will expertly manage your access control systems, threat response, and more to keep your office safe and productive. Request a quote to find out how Kastle can secure your space.
