Earlier this year, KeyMe, makers of the “Locksmith In A Box”, began offering cloning, or duplicating, services for 125 kHz RFID access control credentials at select kiosks around the country. Customers could present their credential (usually a card or fob) at one of these kiosks, have the data read, and a duplicate credential would then be shipped to the customer within 2 or 3 business days. KeyMe, which already offers standard key duplication services, said the decision to begin offering RFID credentials was in response to customers “asking for more opportunities”. KeyMe’s decision to offer this service fascinates me for a number of reasons, but it also creates a lot of thoughts and questions for me:
First, it’s the first time I’ve seen a retail company openly circumventing an access control system by allowing users to obtain duplicate credentials from a source other than the system’s administrator(s). Sure, there are online services and aftermarket cloners available that are able to do the same, but how many people know this? And how convenient is it for someone to go that route as opposed to visiting one of these kiosks on a Saturday afternoon while already out shopping?
Second, what’s the limit for these types of services? If the technology and/or knowledge to clone other formats is either known or discovered, would KeyMe begin offering cloning services for those formats if demand were large enough? Would KeyMe either develop or lease an app along the lines of the MIFARE Classic Tool to assist in the process? The potential is there for some very, very interesting possibilities if KeyMe is so inclined.
Third, what does this mean for access control? It may seem that I’ve been picking on access control lately (I promise, that’s unintentional) but there is no question that we’re seeing more and more mainstream sources openly promoting what most would consider flaws in existing access control systems. Whether it’s Kisi publicly discussing and demonstrating the vulnerabilities of their competitors’ products or companies like KeyMe and CloneMyKey.com allowing users to clone their cards or fobs of their own accord, it appears as if Pandora’s box has been opened for access control vulnerabilities and it’s going to be fun to watch moving forward. Who’s going to be the next manufacturer to say this or do that? What’s next?
I talked about “cannibalization” in “When Will The Future Arrive?” but only as it relates to markets. We may be seeing unintentional corporate cannibalism, or companies competing against themselves. Throwing other companies or systems under the bus or circumventing them to make a dollar may be good for the short game, but for the long game? Reputation is everything and if you help devolve the very market you serve, well, you might just go down a slippery slope that you can’t come back from. Time will tell, but I’ve got my popcorn ready to watch how this all unfolds.