Introduction to Physical Access Control Systems
Physical Access Control Systems (PACS) control access to a physical location. They are most often used to prevent unauthorised access to buildings, restricted areas and barriers (doors, turnstiles, gates), usually by checking a credential over Radio Frequency Identification (RFID). You have almost certainly seen them in use at some point, and maybe even interacted with them during a hotel stay.
Introduction
Most PAC systems rely on PVC key cards or key fobs. These have no battery; instead they contain an antenna coil connected to a small chip. The reader continuously emits an electromagnetic field, which induces a current in the card's coil when the two are brought close together. That current powers the chip, which then sends its identification data back by modulating the load it places on the reader's field. Anything that can generate the same field and listen for the same modulation can therefore talk to the card, and anything that can reproduce the modulation can impersonate it.
For some reason, this particular subject is kind of gatekept. There is some great knowledge out there, but it is much less of a hot topic than other security niches.
As with most technologies, the less the general public knows about them, the more comfortable institutions feel using outdated components.
For this reason, the majority of PAC systems in the wild are badly outdated and insecure. In this article I will cover the most common technologies, how to identify them, and the attack vectors against them.
PAC systems come in many forms. For the sake of brevity, we will focus on the two most common:
- Low Frequency (LF)
- High Frequency (HF)
Low Frequency (LF)
LF PAC systems most commonly use the 125 kHz band. Some popular families include:
- EM410x (e.g. EM4100, EM4102, EM4103)
- HID Prox
- Indala
- Awid
- Gallagher
As you have probably guessed, LF systems are the most insecure of the bunch. The majority use a fixed, unencrypted identifier that the tag transmits to any reader that powers it, with no challenge-response or authentication of any kind. That means a UID read from one card can be written to a rewritable blank (such as a T5577) or emulated directly with a tool like a Proxmark3, and the reader cannot tell the difference. The hardest part of attacking these systems is getting hold of a valid UID.
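To make "static, unencrypted ID" concrete, here is an added example (not code from the original article) that encodes and decodes the EM410x frame format from the LF family list above. An EM410x tag loops a fixed 64-bit frame: a 9-bit header of ones, ten rows of four ID bits plus an even row parity bit, four even column parity bits and a stop bit. The frame is the whole credential. The ID used below is a constructed sample, and `sync_and_decode` assumes the input is an already-demodulated bitstream (the kind a Proxmark3 or Flipper Zero produces) that may have been captured mid-frame.

```python
"""Encode and decode EM410x (EM4100-family) 125 kHz ID frames.

Frame layout (64 bits, repeated forever by the tag):
  9 x '1'                                    header
  10 rows of (4 data bits + 1 even parity)   40-bit ID
  4 even column parity bits
  1 stop bit '0'
No challenge, no key, no encryption: whoever captures the frame holds
the credential, and a T5577 blank programmed with it is indistinguishable
from the original to the reader.
"""

HEADER = "1" * 9


def encode_em410x(tag_id: int) -> str:
    """Return the 64-bit frame (as a '0'/'1' string) for a 40-bit ID."""
    if not 0 <= tag_id < (1 << 40):
        raise ValueError("EM410x IDs are 40 bits")
    nibbles = [(tag_id >> (4 * (9 - i))) & 0xF for i in range(10)]
    rows = [[(n >> (3 - b)) & 1 for b in range(4)] for n in nibbles]
    bits = [1] * 9
    for row in rows:
        bits += row + [sum(row) % 2]                     # even row parity
    for col in range(4):
        bits.append(sum(r[col] for r in rows) % 2)      # even column parity
    bits.append(0)                                       # stop bit
    return "".join(map(str, bits))


def decode_em410x(frame: str) -> int:
    """Parse one 64-bit frame, checking header, parity and stop bit."""
    if len(frame) != 64 or any(c not in "01" for c in frame):
        raise ValueError("frame must be 64 bits of '0'/'1'")
    if not frame.startswith(HEADER):
        raise ValueError("missing 9-bit header")
    if frame[63] != "0":
        raise ValueError("bad stop bit")
    rows = []
    for i in range(10):
        chunk = [int(c) for c in frame[9 + 5 * i: 14 + 5 * i]]
        data, parity = chunk[:4], chunk[4]
        if sum(data) % 2 != parity:
            raise ValueError(f"row {i} parity error")
        rows.append(data)
    col_parity = [int(c) for c in frame[59:63]]
    for col in range(4):
        if sum(r[col] for r in rows) % 2 != col_parity[col]:
            raise ValueError(f"column {col} parity error")
    tag_id = 0
    for data in rows:
        for bit in data:
            tag_id = (tag_id << 1) | bit
    return tag_id


def sync_and_decode(stream: str) -> int:
    """Decode from a demodulated capture that may start mid-frame.

    Because the tag loops the frame, the header is searched for in the
    doubled stream and each candidate offset is tried until one passes
    every check. A frame that fails parity is skipped, not trusted.
    """
    if len(stream) < 64:
        raise ValueError("need at least one full frame")
    doubled = stream + stream
    start = doubled.find(HEADER)
    while 0 <= start < len(stream):
        try:
            return decode_em410x(doubled[start:start + 64])
        except ValueError:
            pass
        start = doubled.find(HEADER, start + 1)
    raise ValueError("no valid EM410x frame found")


if __name__ == "__main__":
    # Constructed sample ID, not a real credential.
    frame = encode_em410x(0x0F0368568B)
    print(frame)
    # Simulate a capture that began 17 bits into the frame.
    rotated = frame[17:] + frame[:17]
    print(hex(sync_and_decode(rotated)))
```

On a Proxmark3 running current Iceman firmware, `lf em 410x reader` performs this demodulation and parsing for you, and `lf em 410x clone --id <hex>` writes the resulting frame to a T5577 blank; the point of the code is to show that there is nothing more to the credential than those 40 bits.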
High Frequency (HF)
HF PAC systems operate at 13.56 MHz and include a wide range of technologies with varying security models. HF chips are significantly more capable than LF tags, with support for mutual authentication, encrypted communication, secure storage and more robust anti-cloning features. HF systems can therefore offer much stronger protection, but their actual security depends heavily on implementation choices:
- MIFARE Classic: Once extremely common, MIFARE Classic uses the proprietary Crypto-1 stream cipher, which was publicly broken in 2008. The published attacks recover sector keys from the card itself or from sniffed reader traffic in seconds to minutes. Although still widely deployed, it is a legacy technology; resistance to cloning is very limited, since a full dump can be written to a "magic" card with a changeable UID.
- MIFARE DESFire: DESFire EV1/EV2/EV3 improve dramatically on Classic. They support AES-based mutual authentication, encrypted sessions, and a file/application structure with per-application keys. When properly configured (default keys changed, per-card diversified keys, and readers that authenticate rather than just reading the UID), DESFire cards are regarded as highly secure for modern PAC environments.
- iCLASS / iCLASS SE: Original iCLASS cards rely on the older "standard security" key set, which is shared across every standard-security deployment and has been extracted from readers and published, so those cards can be read and cloned. Newer variants such as iCLASS SE and iCLASS Elite use customer-specific keys (and, for SE, the newer SIO credential format), making them substantially more resistant to cloning or credential harvesting, though not immune: published research has also recovered Elite keys.
- Mobile credentials (NFC / BLE): Many organisations now use smartphone-based credentials delivered over NFC or Bluetooth Low Energy. These can be more secure because the credential lives in the phone's secure element or enclave, is gated by the device unlock or biometrics, and is typically dynamic rather than a static identifier. Their security depends heavily on backend configuration, mobile OS protections and the vendor ecosystem.
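The MIFARE Classic point above is usually where a pentester ends up looking at a sector dump, so here is an added example (not code from the original article, and going a little beyond what the paragraph covers) that decodes the access-condition bytes of a MIFARE Classic sector trailer and flags the configurations that matter. The layout and permission tables follow the public NXP MF1S50 datasheet; the two sample trailers are constructed, and `describe_sector` and its findings list are this example's own naming.

```python
"""Decode the access conditions in a MIFARE Classic sector trailer.

Every sector ends with a 16-byte trailer:
  bytes 0-5   Key A (always reads back as zeros from the card)
  bytes 6-8   access bits: C1, C2, C3 for each of the 4 blocks, stored once
              inverted and once plain so a corrupt write can be detected
  byte  9     user byte
  bytes 10-15 Key B (readable as data in some configurations)
The three bits per block pick a row of a fixed permission table.
"""

# Data-block permissions by (C1, C2, C3): read, write, increment, decrement/transfer/restore
DATA_BLOCK_RULES = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),       # transport configuration
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}

# Trailer permissions by (C1, C2, C3):
# key A read, key A write, access bits read, access bits write, key B read, key B write
TRAILER_RULES = {
    (0, 0, 0): ("never", "A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "never", "A", "never", "A", "never"),
    (1, 0, 0): ("never", "B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("never", "A", "A", "A", "A", "A"),
    (0, 1, 1): ("never", "B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "A|B", "never", "never", "never"),
}

WELL_KNOWN_KEYS = {bytes.fromhex(k) for k in ("FFFFFFFFFFFF", "A0A1A2A3A4A5", "D3F7D3F7D3F7")}


def access_bits(trailer: bytes) -> list:
    """Return (C1, C2, C3) for blocks 0..3, verifying the inverted copies."""
    if len(trailer) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    inv_c1, inv_c2, inv_c3 = b6 & 0xF, (b6 >> 4) & 0xF, b7 & 0xF
    if (c1 ^ inv_c1, c2 ^ inv_c2, c3 ^ inv_c3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail their inverted-copy check (corrupt dump or bricked sector)")
    # Bit n of each nibble belongs to block n of the sector.
    return [((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1) for blk in range(4)]


def describe_sector(trailer: bytes) -> dict:
    """Human-readable permissions for a sector plus findings worth reporting."""
    bits = access_bits(trailer)
    blocks = {
        f"block{i}": dict(zip(("read", "write", "increment", "decrement"), DATA_BLOCK_RULES[bits[i]]))
        for i in range(3)
    }
    names = ("keyA_read", "keyA_write", "bits_read", "bits_write", "keyB_read", "keyB_write")
    trailer_desc = dict(zip(names, TRAILER_RULES[bits[3]]))
    findings = []
    if trailer[6:9] == bytes.fromhex("FF0780"):
        findings.append("transport access conditions (FF 07 80): card was probably never personalised")
    if trailer_desc["keyB_read"] != "never":
        findings.append("key B is readable with key A, so it is plain data and cannot act as a secret")
    if trailer_desc["bits_write"] != "never":
        findings.append(f"access bits are rewritable with key {trailer_desc['bits_write']}")
    if trailer[10:16] in WELL_KNOWN_KEYS:
        findings.append("key B is a well-known default")
    return {"blocks": blocks, "trailer": trailer_desc, "findings": findings}


if __name__ == "__main__":
    # Constructed sample trailers: a factory-fresh sector and a key-B-locked one.
    transport = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")
    locked = bytes.fromhex("000000000000" "7F078869" "0123456789AB")
    for name, t in (("transport", transport), ("locked", locked)):
        print(name, describe_sector(t))
```

A dump from `hf mf autopwn` on a Proxmark3 gives you sixteen of these trailers; running each through `describe_sector` tells you at a glance whether the deployment ever left transport configuration, which key the reader must be using, and whether the card can be re-locked underneath its owner.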
Identifying Systems
Particularly experienced individuals (nerds) can often identify PACS just by looking at them: branding is a dead giveaway (HID loves the look of its own logo).

Lucky for you, if you don't have the time or experience, this is a solved problem. Field detectors (often sold as RFID diagnostic cards) can be used to determine which frequency a reader is polling on, and only require brief local access to the reader. Field detectors are really cool because, much like credentials themselves, they don't need a power supply: the reader is the power supply. The current induced in the detector's coil lights an indicator LED, which tells you whether the reader is emitting a 125 kHz or 13.56 MHz field. Bear in mind that this narrows the family down rather than identifying it exactly, and that multi-technology readers emit both, so a real credential is still the best evidence.

Identifying Cards
To state the obvious, the best way to identify a PAC system is to get hold of a physical credential. There are many tools that can be used to interface with credentials, such as:
- Proxmark3 - The gold standard of RFID tools, with a bit of a steep learning curve. Capable of reading, writing, sniffing and emulation, and of exploiting well-documented family-specific vulnerabilities (MIFARE Classic key recovery, for example).
- Flipper Zero - A portable, user friendly tool with support for low and high frequency RFID credentials. Can read, write and emulate many different families of credentials, but also offers a ton of features outside the scope of this article.
- Chameleon Ultra - A (really) small and portable device used to read, write and most famously emulate low and high frequency RFID credentials - lesser known and therefore less documented, but still very powerful.


Some tools offer higher levels of functionality at the cost of portability, and vice versa. For example, the Proxmark3 is a very powerful tool but is at its best tethered to a laptop, so it is unlikely you would use it to swipe unattended credentials. On the other hand, the Flipper Zero is great for opportunistic lifting and cloning, but cannot run the heavier key-recovery attacks on its own.
Conclusion
In general, PAC systems present a wide attack surface. With the (still) widespread use of legacy systems, unauthorised credential theft and replication remains a viable method of entry to restricted areas.
I think this topic of conversation highlights a strange quirk of the security industry. I remember in an episode of the Darknet Diaries podcast with Deviant Ollam, the host mentions that he knew a locksmith. The locksmith gatekept knowledge and tools from the general public and insisted that this was the done thing in that profession, to keep "forbidden knowledge" away from the general public.
Security through obscurity is not a good strategy; instead, we should focus on educating institutions and individuals on the risks of using vulnerable systems. Educate, don't gatekeep!