0

We are upgrading our office to have badged security doors. What I would particularly like to know is if Keyless Entry systems exist or are of decent quality. By this I mean, I would like the doors to behave like the new keyless entry cars (you get close enough to the car with the key fob in your pocket and it unlocks).

I've found plenty of door badges that use fobs, but they all need to be within 10cm to register... I was looking for more like 1 foot. So not just a badged door, but one in which I don't even need to swipe.

So my questions:

  1. Do these systems exist?
  2. Are they reliable?
  3. Would they satisfy HIPAA regulations**?
  4. Would they offer an API that would let us tie them in with Active Directory or some other central management?

(Also, as a development shop, if there is a "rough around the edges" product, I am more than amenable to writing a custom solution against an API or SDK)

** On the HIPAA note: We are a software consultancy, so we as an organization are not required to be fully HIPAA compliant (as the physical security aspects of HIPAA go) but we have several clients who are, so we merely need to "make a good case" to HIPAA clients that our machines and the code on them are only being protected by more than a deadbolt on the front door.

Rory Alsop
Rikon
  • I think topicwise it's likely okay, but it may be too much of a product recommendation question. Is there any way you can make it more general to seeking out characteristics of these systems that one might demand in such a scenario? – jonsca Dec 03 '12 at 04:01

3 Answers

3

Physically, it isn't difficult to make them read at a greater distance - get a decent antenna and power level and you can make it work. Some people locators in offices do this - not for access control, but for logging as you pass through doorways.

There is a very good reason why this is not done for access control - it presents a couple of considerable security risks:

  • With close proximity devices you require the person to be at the door scanner for it to register, so the card holder is the one entering. With a longer distance, someone else could when the card holder is nearby.
  • At close range, or contact, the signal strength is very low, which reduces the risk of an attacker picking up identifying information for reuse themselves**

**Had a play with some kit ADT were demoing on Thursday - a proximity cloner for RFID access cards. Hidden in your sleeve it could take 2 seconds to clone an access card in your target's pocket, and then can retransmit it to the door scanner!

Rory Alsop
  • Thanks so much for this. I had considered the piggybacking prospects of this. In our case, however, it's a small enough office and we are looking at subleasing some of our conference rooms to some of our start-up clients. So it's as much for peace of mind for our start-up clients that while they're nowhere in the building, there's not someone rooting around in their room. While at the same time not making badging through multiple doors within the building a constant harassment. Thanks! – Rikon Dec 03 '12 at 16:05
1

It's easy to extend the range, just add a bigger aerial or more power to the signal.

Do remember, however, that someone who wants to clone the card can do this just as easily, so they are virtually useless against someone who is actually planning on getting into a secure area. They are only really useful at stopping clients or prospective employees from walking into areas they shouldn't be allowed in inadvertently.

Inverted Llama
1

I'm not aware of anything out currently with that kind of range and security without requiring its own power supply. One thing to note is that you do want to make sure that whatever solution you use is based on a challenge/response with embedded cryptographic processing. I know at least several NFC-based solutions are capable of doing this. This would prevent the replay attacks mentioned in this thread since the private information is never disclosed to the reader, but rather a one-time use code which can't be reused.

AJ Henderson
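
The difference between a static-ID badge and the challenge/response design described in the answer above, as an added example that is not part of any answer on this page. It assumes HMAC-SHA256 with a per-badge key as a stand-in for the card's embedded cryptography; the class names and `badge-0001` are hypothetical.

```python
import hashlib
import hmac
import secrets

class StaticBadge:
    """Legacy badge: every read returns the same identifier."""
    def __init__(self, badge_id: bytes):
        self.badge_id = badge_id

    def respond(self, challenge: bytes) -> bytes:
        return self.badge_id  # the challenge is ignored

class CryptoBadge:
    """Badge with embedded crypto: the key never leaves the card."""
    def __init__(self, badge_id: bytes, key: bytes):
        self.badge_id = badge_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class ChallengeReader:
    """Door controller that issues a fresh nonce for every attempt."""
    def __init__(self, keys: dict):
        self._keys = keys
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def admit(self, badge_id: bytes, response: bytes) -> bool:
        challenge, self._pending = self._pending, None  # nonce is single-use
        key = self._keys.get(badge_id)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    badge_id, key = b"badge-0001", secrets.token_bytes(32)  # constructed values
    static_capture = StaticBadge(badge_id).respond(b"")
    static_replay_ok = static_capture in {badge_id}  # static reader: ID match only
    reader, badge = ChallengeReader({badge_id: key}), CryptoBadge(badge_id, key)
    first = badge.respond(reader.new_challenge())
    legit_ok = reader.admit(badge_id, first)
    reader.new_challenge()  # next attempt gets a different nonce
    replay_ok = reader.admit(badge_id, first)
    return {"static_replay": static_replay_ok, "legit": legit_ok, "crypto_replay": replay_ok}
```

When evaluating a product, the property to confirm is the one `admit` enforces: the reader accepts a response only for the nonce it just issued, and only once.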