Since the development of new communication standards like Bluetooth Low Energy (BLE) and Near Field Communication (NFC), there’s been a lot of debate throughout the physical access control space on which one delivers the most bang for your buck. Additionally, with long-standing protocols like Radio Frequency Identification (RFID), the discussion then leads into an “if it’s not broken, why fix it?” kind of dialogue. While RFID has great use cases for applications such as inventory management and theft prevention, the 70-year-old technology is becoming a limited communication protocol for the physical security space. Below we dive into the key differences between the BLE, NFC, and RFID communication protocols and how they impact the overall security of physical access control technology.
First off, due to the industry’s long-standing use of RFID, hackers and other bad actors have had plenty of time to identify the holes in the system. Moreover, several devices have been produced since RFID entered the physical access control space that make it simple for hackers to breach a system in as little as 30 seconds. These devices are being sold on sites like eBay at a low cost, making it easy for anyone to intercept the data being communicated between key cards and your average 125 kHz RFID-powered system. Since RFID system vulnerabilities were brought to the security industry’s attention, efforts have been made to ameliorate the issues. However, according to Francis Brown, managing partner at security firm Bishop Fox, “despite increased efforts and progress made by some companies in recent years to upgrade to more secure contactless card systems, the large majority of physical access control systems out there are still legacy 125KHz proximity card deployments”.
Additionally, the credentials that are powered by RFID are (more often than not) hard credentials, making them easier to lose, steal, or copy. This is where using RFID’s successor, NFC, can improve on a system’s security, since it utilizes soft credentials like digital keys to distribute access. The caveat with NFC is that although these systems’ soft credentials make them more secure, the communication protocol is still derived from RFID. As such, NFC communicates in a similar fashion to its predecessor, offering two-way communication between NFC-enabled devices and their corresponding devices through HF (High Frequency) RFID. Ultimately, the communication protocol still holds the same kind of risks, unless companies utilize secure NFC channels with strong encryption to ensure that data is transmitted with full integrity.
BLE-based systems also have the advantage of utilizing soft credentials like digital keys to facilitate tighter security. However, the key difference between BLE and both RFID and NFC is the communication process. Where RFID and NFC use radio frequency to communicate, BLE utilizes outbound signals to find and communicate with other Bluetooth-enabled devices. While the utilization of signals may sound like it could open BLE communication up to the same vulnerabilities found in RFID and NFC, the key difference lies within a system’s approach to securing the transmission of the data.
For example, UniKey’s platform uses a heavily encrypted mobile application to communicate with an equally encrypted, BLE-enabled smart reader. While the mobile application is always broadcasting a signal, the reader remains idle, waiting for a user to touch it and trigger its search for a compatible, BLE-enabled device such as the smartphone and its mobile application. The reader then checks that the compatible device 1) is within range of it and 2) holds proper credentials. All data that is passed from the phone to the reader is heavily encrypted, allowing for secure transmission and smarter access. Moreover, since native BLE security harbors several possible weaknesses and exploits, UniKey’s platform does not rely on it to hold down the fort. Instead, BLE is used solely as a point-to-point communication channel, and is undergirded by UniKey’s own crypto protocol. This also gives platform customers the ability to share keys among system users without requiring device pairing for every user, which is something native BLE security would require.
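The general pattern described above, treating BLE as an untrusted point-to-point channel and authenticating at the application layer so that no per-user pairing is needed, can be sketched as follows. This is an added example, not UniKey’s protocol or code: the HMAC-based key derivation, the names `issue_mobile_key`, `phone_respond` and `Reader`, and all values are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed secret shared by the issuing backend and the reader (assumption).
READER_MASTER_KEY = os.urandom(32)

def issue_mobile_key(user_id: str, expires_at: int) -> dict:
    """Backend: derive a per-user key that the reader can recompute on demand."""
    label = f"{user_id}|{expires_at}".encode()
    key = hmac.new(READER_MASTER_KEY, label, hashlib.sha256).digest()
    return {"user_id": user_id, "expires_at": expires_at, "key": key}

def phone_respond(mobile_key: dict, challenge: bytes) -> dict:
    """Phone: prove possession of the key for this one challenge only."""
    tag = hmac.new(mobile_key["key"], challenge, hashlib.sha256).digest()
    return {"user_id": mobile_key["user_id"],
            "expires_at": mobile_key["expires_at"], "tag": tag}

class Reader:
    def __init__(self):
        self.pending = None  # the reader stores no per-user state

    def new_challenge(self) -> bytes:
        self.pending = os.urandom(16)  # fresh nonce for each touch
        return self.pending

    def verify(self, response: dict, now: int) -> bool:
        challenge, self.pending = self.pending, None  # each challenge is single use
        if challenge is None or now >= response["expires_at"]:
            return False
        # Recompute the user's key; a tampered user_id or expiry yields a different key.
        label = f'{response["user_id"]}|{response["expires_at"]}'.encode()
        key = hmac.new(READER_MASTER_KEY, label, hashlib.sha256).digest()
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response["tag"])

def demo() -> dict:
    now = int(time.time())
    reader = Reader()
    alice = issue_mobile_key("alice", now + 3600)
    captured = phone_respond(alice, reader.new_challenge())
    first = reader.verify(captured, now)      # legitimate unlock
    reader.new_challenge()
    replayed = reader.verify(captured, now)   # same bytes sent again later
    expired = issue_mobile_key("bob", now - 1)
    stale = reader.verify(phone_respond(expired, reader.new_challenge()), now)
    return {"first": first, "replayed": replayed, "expired": stale}
```

Unlike a static proximity-card identifier, the bytes sent over the air here are only valid for one challenge, so recording them gives nothing reusable, and a new user can be granted access by issuing a key without the reader ever pairing with that phone.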
Overall, no matter the communication standard a security system uses, the level of security it can provide consumers is in the hands of the company that produced it. At UniKey, our mission is to provide our partners and the world with the most secure mobile access control solutions technology can offer. To learn more about how UniKey uses BLE to empower our solutions and partners, visit www.unikey.com.