4 Physical Access Control Vulnerabilities Putting Your Facility at Risk, And How to Fix Each One
Technology has made access control more secure than ever. Unfortunately, it has also made older systems more vulnerable than ever. Despite years of investment in security infrastructure, many organizations are still running systems with exploitable gaps that attackers can take advantage of with off-the-shelf hardware and a few minutes near an unsuspecting employee.
This guide breaks down the four most common physical access control vulnerabilities, how each attack works, and exactly what to do to close the gap.
01. Credential Cloning: When Your Badge Can Be Copied in Seconds
Credential cloning is one of the oldest and most accessible attacks in physical security. Low-frequency proximity (prox) cards, still widely deployed across healthcare, education, and commercial real estate, transmit their data with no encryption whatsoever. An attacker equipped with a $15 RFID cloning device can silently capture a badge number while standing near an employee in an elevator or while in line for coffee, and the cardholder will never know it happened.
Even some smart card technologies that replaced prox carry documented weaknesses. iClass in legacy mode and MIFARE Classic both have well-known cryptographic vulnerabilities that can be exploited with commercially available hardware, allowing credentials to be duplicated and used to unlock doors as if the attacker were the legitimate cardholder.
How to fix it
Migrate to encrypted credentials that don't expose raw badge data. LEAF Verified takes this further by using public key cryptography to verify that a credential is authentic and was manufactured securely at NXP’s secure chip facility, all without requiring organizations to manage complex key infrastructure. Even if an attacker could intercept credential data in transit, the authenticity check would prevent them from getting through the door.
02. Downgrade Attacks: Exploiting the Credentials You Already Upgraded
Upgrading your access cards is only half the equation. If your readers still accept legacy formats alongside the new ones, which is common during a migration, an attacker can exploit that backward compatibility to undermine your newer, more secure credentials.
The attack works by using a portable device to pull access data from a modern card and copy it onto a cheap, legacy-format card. That cloned card is then presented to a reader that still accepts the old format. No encryption is broken. The attacker is simply using a door your system left open.
What makes this particularly dangerous is how invisible it is in your access logs. The reader records a valid credential read. Nothing looks out of place.
How to fix it
Audit your reader configuration and disable legacy format support on any readers that no longer require it; this setting is often left at its factory default long after a migration is complete. For organizations mid-migration, Wavelynx's Prox Filter provides a transitional safeguard by blocking downgraded credentials at the reader level.
03. Wiegand Sniffing and Replay Attacks: The Wire Between Your Reader and Panel
Most physical security attention focuses on the credential itself, but the communication path between your reader and access control panel is a separate, and often overlooked, attack surface.
Wiegand, the communication protocol that has connected readers to panels for decades, transmits all credential data in plain text with no authentication between devices. A sniffing device tapped onto the wire can passively capture every badge read. A replay device can retransmit that captured data on demand to trigger door unlocks with no physical credential required.
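To make concrete what "plain text with no authentication" means on the wire, here is a small encoder/decoder for the common 26-bit Wiegand format (8-bit facility code, 16-bit card number, two parity bits). This is an added example written for this page, not Wavelynx code; the frame layout is the publicly documented 26-bit format, and the sample facility and card values are constructed. The point for a defender is what the frame does not contain: no nonce, no timestamp, no message authentication code, so a panel has no way to tell a fresh read from one captured earlier.

```python
"""26-bit Wiegand frame encode/decode (added example, not Wavelynx code).

Layout: [even parity over bits 1-12][8-bit facility][16-bit card][odd parity over bits 13-24]
The only integrity mechanism is parity, which protects against line noise,
not against a deliberately injected or replayed frame.
"""


def _parity(bits):
    """Return 0 if the number of set bits is even, else 1."""
    return sum(bits) % 2


def encode_wiegand26(facility: int, card: int) -> str:
    """Return the 26-bit frame as a string of '0'/'1' characters."""
    if not 0 <= facility < 256:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card < 65536:
        raise ValueError("card number must fit in 16 bits")
    payload = [int(b) for b in f"{facility:08b}{card:016b}"]  # 24 data bits
    even = _parity(payload[:12])        # leading bit: even parity over first 12 data bits
    odd = 1 - _parity(payload[12:])     # trailing bit: odd parity over last 12 data bits
    return "".join(str(b) for b in [even] + payload + [odd])


def decode_wiegand26(frame: str):
    """Check both parity bits and return (facility, card); raise ValueError on a bad frame."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("frame must be 26 binary digits")
    bits = [int(b) for b in frame]
    payload = bits[1:25]
    if bits[0] != _parity(payload[:12]):
        raise ValueError("even parity check failed")
    if bits[25] != 1 - _parity(payload[12:]):
        raise ValueError("odd parity check failed")
    facility = int("".join(map(str, payload[:8])), 2)
    card = int("".join(map(str, payload[8:])), 2)
    return facility, card


def frames_are_identical(facility: int, card: int) -> bool:
    """Two reads of the same credential produce byte-identical frames.

    This is the property that makes passive capture and replay possible:
    nothing in the frame changes between presentations.
    """
    return encode_wiegand26(facility, card) == encode_wiegand26(facility, card)


if __name__ == "__main__":
    # Constructed sample credential, not a real badge.
    frame = encode_wiegand26(facility=123, card=45678)
    print(frame, decode_wiegand26(frame))
```

Because every presentation of a credential produces the same 26 bits, the panel side cannot detect a replay from the data alone; that is why the fix in the next section is a protocol change (OSDP Secure Channel) rather than a filter on the existing wire.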
OSDP (Open Supervised Device Protocol) was developed to address these weaknesses, and many organizations have upgraded their infrastructure accordingly. But there is a critical catch: OSDP does not encrypt communication by default. Enabling Secure Channel mode is a manual step that is easy to skip and frequently overlooked. An organization that upgrades to OSDP but never verifies Secure Channel may believe they have solved this problem when they have not.
How to fix it
Migrate from Wiegand to OSDP, and explicitly confirm that Secure Channel is active on each device. Don't assume it was enabled during installation. With OSDP Secure Channel active, communication between reader and panel is AES-128 encrypted and mutually authenticated, closing off both passive sniffing and replay attack vectors.
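The two "how to fix it" steps above (disable legacy formats the reader no longer needs, and confirm Secure Channel on every OSDP link) are both configuration audits, so one checker can cover both. The script below is an added example, not a Wavelynx tool: the reader inventory schema (`panel_link`, `secure_channel`, `accepted_formats`, `migration_complete`) and the sample readers are constructed assumptions standing in for whatever export your access control system provides.

```python
"""Reader configuration audit (added example, not Wavelynx code).

Flags two classes of finding from this page:
  * downgrade exposure: legacy credential formats still accepted after migration
  * wiring exposure: a Wiegand link, or an OSDP link without Secure Channel
The inventory fields are assumed; map them from your own system's export.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Credential technologies the page describes as cloneable or cryptographically weak.
LEGACY_FORMATS = {"prox-125khz", "mifare-classic", "iclass-legacy"}


@dataclass
class Reader:
    name: str
    panel_link: str                 # "wiegand" or "osdp" (assumed field)
    secure_channel: bool            # only meaningful when panel_link == "osdp"
    accepted_formats: Tuple[str, ...]
    migration_complete: bool        # site finished moving users off legacy credentials


def audit_reader(r: Reader) -> List[str]:
    """Return human-readable findings for one reader (empty list means clean)."""
    findings: List[str] = []
    legacy = LEGACY_FORMATS & set(r.accepted_formats)
    if legacy and r.migration_complete:
        findings.append(
            f"downgrade: legacy formats still enabled after migration: {sorted(legacy)}"
        )
    elif legacy:
        findings.append(
            f"downgrade (transitional): legacy formats accepted mid-migration: {sorted(legacy)}"
        )
    if r.panel_link == "wiegand":
        findings.append("wiring: Wiegand reader-to-panel link is unauthenticated plain text")
    elif r.panel_link == "osdp" and not r.secure_channel:
        findings.append("wiring: OSDP installed but Secure Channel is not enabled")
    return findings


def audit_site(readers: List[Reader]) -> Dict[str, List[str]]:
    """Audit every reader; only readers with findings appear in the result."""
    return {r.name: f for r in readers if (f := audit_reader(r))}


# Constructed sample inventory.
SAMPLE_READERS = [
    Reader("lobby-north", "osdp", True, ("leaf-verified",), True),
    Reader("lobby-south", "osdp", False, ("leaf-verified", "prox-125khz"), True),
    Reader("loading-dock", "wiegand", False, ("prox-125khz",), False),
]

if __name__ == "__main__":
    for name, findings in audit_site(SAMPLE_READERS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run this against a full export after every migration milestone, not just once: the page's warning that legacy support is "often left at factory default" applies equally to readers swapped in later under a maintenance contract.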
04. Lost Credentials and Tailgating: The Human Side of Access Control Risk
Not every physical access control vulnerability is technical. Physical credentials get lost and stolen, lifted from a bag, left on a desk, or quietly dropped from a lanyard. The real problem isn't that it happens. It's that organizations often don't know when it has. Employees may not report a missing badge right away, may assume it will turn up, or may not realize it's gone at all. That window between loss and revocation is when the credential is fully active and valid at every reader in your building.
Tailgating is a related but distinct risk. A valid credential doesn't need to be stolen for unauthorized access to occur; simply following an authorized person through a secured door bypasses the system entirely, leaving no anomalous event in your access logs. Both problems share the same root cause: physical credentials can be separated from their rightful holder with little friction and no automatic detection.
How to fix it
Mobile credentials significantly reduce both risks. A phone is something people notice immediately when it's missing, unlike a badge clipped to a lanyard. Mobile credentials can be revoked remotely the moment a device is reported lost or stolen, without waiting for a physical card to be returned. For tailgating, mobile credentials pair well with anti-passback rules and occupancy monitoring to flag access patterns that wouldn't register as anomalous with a traditional card system.
Ready to assess your current exposure?
Wavelynx helps organizations identify gaps across credential, reader, and communication infrastructure, and build a clear path to close them. Whether you're running legacy prox cards or mid-migration to modern credentials, we can help you understand exactly where you stand and what steps to take next.
Request a product demo.
Frequently Asked Questions
Can proximity cards be cloned?
Yes. Low-frequency proximity cards transmit credential data without any encryption, making them trivially easy to clone using inexpensive hardware available online. Attackers can capture badge data from several inches away without the cardholder knowing. The only reliable protection is migrating to encrypted credential formats that include authenticity verification.
What is a downgrade attack in physical security?
A downgrade attack exploits readers that still accept legacy credential formats alongside newer, more secure ones. An attacker extracts data from a modern card and copies it onto a legacy-format card that the reader will still accept. The attack doesn't break any encryption — it simply takes advantage of backward compatibility that was never disabled.
Is Wiegand still used in access control systems?
Wiegand remains one of the most widely deployed reader-to-panel communication protocols in the industry, despite being decades old and transmitting data in plain text with no encryption or device authentication. Most organizations with aging access control infrastructure are still running Wiegand. Migrating to OSDP with Secure Channel enabled is the current best practice for securing this communication path.
Does OSDP encrypt communication by default?
No. OSDP supports encryption through Secure Channel mode, but this must be explicitly enabled after installation. Many organizations that have upgraded to OSDP assume encryption is active when it is not. Verifying that Secure Channel is enabled on every device is a critical step that is frequently skipped.
What are the advantages of mobile credentials over physical access cards?
Mobile credentials offer several security advantages over physical cards. They are harder to lose without noticing, can be revoked instantly and remotely, are resistant to cloning, and can be paired with device authentication for additional assurance. They also reduce the administrative burden of issuing and collecting physical cards during onboarding, offboarding, and role changes.
How do organizations prevent tailgating at secured doors?
Tailgating is primarily addressed through a combination of technology and policy. Anti-passback rules prevent a credential from granting access again before it has been used to exit, flagging patterns consistent with tailgating. Occupancy monitoring can detect when the number of people inside a space doesn't match the access log. Physical controls like man-traps and turnstiles eliminate the problem mechanically for high-security areas.
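The anti-passback and occupancy checks described here (and in the mobile credential section above) are straightforward to run over an access log export. The code below is an added example, not a Wavelynx feature: the log line format, the zone and credential identifiers, and the "observed headcount" (standing in for a people-counting sensor or guard count) are all constructed assumptions.

```python
"""Anti-passback and occupancy mismatch detection over an access log.

Added example, not Wavelynx code. Log format is assumed:
  <timestamp> zone=<zone> cred=<credential-id> dir=in|out result=granted|denied
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) zone=(?P<zone>\S+) cred=(?P<cred>\S+) "
    r"dir=(?P<dir>in|out) result=(?P<result>\S+)$"
)

# Constructed sample log: credential 1001 enters the lab twice without exiting.
SAMPLE_LOG = """\
2024-05-01T08:00:00 zone=lab cred=1001 dir=in result=granted
2024-05-01T08:02:00 zone=lab cred=1002 dir=in result=granted
2024-05-01T09:30:00 zone=lab cred=1003 dir=in result=denied
2024-05-01T12:05:00 zone=lab cred=1001 dir=in result=granted
2024-05-01T12:10:00 zone=lab cred=1002 dir=out result=granted
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse log lines into dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def _replay(events: List[Dict[str, str]]):
    """Walk granted events in order, yielding (event, inside-sets, is_passback_violation)."""
    inside: Dict[str, Set[str]] = defaultdict(set)  # zone -> credentials currently inside
    for ev in events:
        if ev["result"] != "granted":
            continue
        zone, cred = ev["zone"], ev["cred"]
        violation = False
        if ev["dir"] == "in":
            # Anti-passback: a credential that is already inside cannot enter again
            # without first exiting. In the log this looks like a second "in".
            violation = cred in inside[zone]
            inside[zone].add(cred)
        else:
            inside[zone].discard(cred)
        yield ev, inside, violation


def anti_passback_violations(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, zone, credential) for each re-entry without an intervening exit."""
    return [(ev["ts"], ev["zone"], ev["cred"]) for ev, _, v in _replay(events) if v]


def log_occupancy(events: List[Dict[str, str]], zone: str) -> int:
    """Number of credentials the log says are inside `zone` after the last event."""
    inside: Dict[str, Set[str]] = defaultdict(set)
    for _, inside, _ in _replay(events):
        pass
    return len(inside[zone])


def occupancy_mismatch(events: List[Dict[str, str]], zone: str, observed_headcount: int) -> int:
    """People present beyond what badge reads explain; positive values suggest tailgating."""
    return observed_headcount - log_occupancy(events, zone)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("anti-passback:", anti_passback_violations(evs))
    print("log occupancy (lab):", log_occupancy(evs, "lab"))
    print("unexplained headcount:", occupancy_mismatch(evs, "lab", observed_headcount=3))
```

A second "in" without an "out" is the signature anti-passback is designed to catch; an occupancy count higher than the log can account for is the signature of tailgating, which by definition leaves no read of its own. In a live deployment the first check should be enforced at the panel (deny the re-entry) rather than only reported after the fact.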