No hackers!

Access & Identity Management Handbook 2021 Editor's Choice

Protecting your customers’ organisations from hackers is imperative. Threats have grown from teenage mischief-makers to sophisticated government-backed entities and, now, even advertising and analytics companies. With knowledge of what these hackers seek and the straightforward, undemanding remedies that are becoming available to thwart them, there is little reason not to incorporate basic cybersecurity into your access control solutions.

Failing to review vulnerabilities is a major blunder when installing an access control system. Ask your vendor for their cybersecurity vulnerability checklist. It should cover a range of topics that help protect security-related systems, networks and programs from digital attacks. Sections should include handling default codes, Wiegand issues, reader implementation tips, card protection solutions, leveraging long-range readers, assuring anti-hacking compatibility throughout the system and adding security components.

Some security professionals don’t secure their own security equipment. Unsecured, it provides an irresistible backdoor for hackers. For instance, if the installer does not change the default alarm code, the user might as well hand their user code to everyone. With the default code, it takes less than 30 seconds to view the master code and all other user codes, or even to create a new one. Unfortunately, these default codes can often be found online, and once inside the system, the hacker can access the rest of the computer system.

And too many installers simply disarm the default installer code. This may let the user codes be viewed, including the master code. If an unauthorised person accesses an unarmed panel and uses the installer code, they gain access to all installed hardware and can create a new user code or change a current user code. This code then trumps the master or any other user code.

Sometimes, the problem is within the software. Often, the default code is hard-coded in the app, providing a means by which the device can still be managed, even if the administrator’s custom passcode is lost. It is poor practice for developers to embed passwords, especially unencrypted, into an app’s shipped code.
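To make the default-code problem concrete, here is an added example (not from the article or from any vendor's software). It places the pattern the article warns about, a fallback code baked into the shipped code, beside a hardened variant that keeps only a salted hash, compares it in constant time and refuses to arm until the shipped default has been replaced. The default code, the minimum length and the PBKDF2 iteration count are assumptions chosen for the example.

```python
"""Added example (not from the article or any vendor's software): a panel
login with a hard-coded fallback code beside a version that stores only a
salted hash and refuses to arm until the shipped default is replaced."""
import hashlib
import hmac
import os

SHIPPED_DEFAULT = "1234"     # constructed default, the kind printed in a manual
MIN_CODE_LENGTH = 6          # assumed policy for this example


def vulnerable_authenticate(entered: str, user_code: str) -> bool:
    """The pattern the article warns about: a fallback nobody can ever remove."""
    return entered == user_code or entered == "1234"   # "1234" lives in the binary forever


class Panel:
    """Hardened variant: no fixed fallback, hashed storage, forced rotation of the default."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._digest = self._kdf(SHIPPED_DEFAULT)   # default works only until commissioned
        self.default_in_use = True
        self.failures = 0

    def _kdf(self, code: str) -> bytes:
        # Slow, salted hash: a dumped configuration does not reveal the code itself.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 50_000)

    def authenticate(self, entered: str) -> bool:
        ok = hmac.compare_digest(self._kdf(entered), self._digest)
        self.failures = 0 if ok else self.failures + 1   # feed a lockout / alert rule
        return ok

    def change_code(self, current: str, new: str) -> bool:
        if not self.authenticate(current):
            return False
        if new == SHIPPED_DEFAULT or len(new) < MIN_CODE_LENGTH or not new.isdigit():
            return False          # refuse to keep or re-use the well-known default
        self._salt = os.urandom(16)
        self._digest = self._kdf(new)
        self.default_in_use = False
        return True

    def can_arm(self) -> bool:
        """Commissioning is incomplete while the shipped default still opens the panel."""
        return not self.default_in_use


if __name__ == "__main__":
    panel = Panel()
    print("default still accepted:", panel.authenticate(SHIPPED_DEFAULT), "can arm:", panel.can_arm())
    print("rotated:", panel.change_code(SHIPPED_DEFAULT, "135790"), "can arm:", panel.can_arm())
```

The point of `can_arm()` is that the installer cannot forget the step: the panel stays unusable until the printed default is gone, and there is no second code hidden in the firmware to fall back on.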

The difference between physical and cyber hacks

There are three main physical ways to assault a card-based electronic access control system – skimming, eavesdropping and relay attacks. Skimming occurs when the attacker uses an unauthorised reader to access information on the unsuspecting victim’s RFID card or tag without their explicit consent. As a result, the attacker is able to read stored information or modify information by writing to the credential. From that point on, the attacker can control when and where unauthorised entries may occur.

An eavesdropping attack occurs when an attacker recovers the data sent during a transaction between the legitimate reader and card, for example while the user is entering their building. As a result, the attacker can recover and store the data of interest. From then on, the attacker can use this stored data at will.

Lastly, RFID systems are potentially vulnerable to an attack in which the attacker relays communication between the reader and a tag. A successful relay attack lets an attacker temporarily possess a ‘clone’ of a token, thereby allowing the attacker to gain the associated benefits. Some sophisticated RFID credentials perform mutual authentication and encrypt the subsequent communication. An attacker, however, never needs to know the plain-text data or the key material as long as they can continue relaying the respective messages. It is therefore irrelevant whether the reader authenticates the token cryptographically or encrypts the data, since the relay attack cannot be prevented by application layer security.
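The claim that application-layer cryptography cannot stop a relay is easy to demonstrate with a simulation. The following is an added example, not code from the article or from any credential vendor: a keyed, mutually authenticated challenge-response between a card and a reader, run once over a direct channel and once through a relay that only forwards the bytes. The relay passes authentication untouched. The only thing that differs is the simulated round-trip time, so the example closes with a round-trip bound on the reader; that bound, the key, and the millisecond figures are assumptions of the example rather than anything the article describes.

```python
"""Added example (not from the article): mutual challenge-response
authentication that a message-forwarding relay passes, plus a simulated
round-trip bound that notices the extra hops."""
import hmac
import os
from hashlib import sha256

SHARED_KEY = b"constructed-demo-key-not-for-real-use"  # constructed for the example
CARD_COMPUTE_MS = 5      # assumed time for a genuine card to answer a challenge
RELAY_HOP_MS = 40        # assumed one-way delay added by each relay leg


def tag(key: bytes, *parts: bytes) -> bytes:
    """Keyed MAC over labelled parts; stands in for the card's own cipher."""
    return hmac.new(key, b"|".join(parts), sha256).digest()


class Card:
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self.key = uid, key
        self.nonce = b""

    def respond(self, reader_nonce: bytes):
        """Answer the reader's challenge and issue a challenge of our own."""
        self.nonce = os.urandom(8)
        return self.uid, self.nonce, tag(self.key, b"card", reader_nonce, self.nonce)

    def verify_reader(self, reader_nonce: bytes, reader_tag: bytes) -> bool:
        """Second half of mutual authentication: does the reader know the key?"""
        return hmac.compare_digest(reader_tag, tag(self.key, b"reader", self.nonce, reader_nonce))


class DirectChannel:
    """Card held at the reader: the only delay is the card's own computation."""
    def __init__(self, card: Card):
        self.card = card

    def exchange(self, reader_nonce: bytes):
        return self.card.respond(reader_nonce), CARD_COMPUTE_MS


class RelayedChannel:
    """Two cooperating devices pass the bytes between a distant card and the reader."""
    def __init__(self, far_end: DirectChannel):
        self.far_end = far_end

    def exchange(self, reader_nonce: bytes):
        response, rtt = self.far_end.exchange(reader_nonce)   # forwarded unchanged
        return response, rtt + 2 * RELAY_HOP_MS


class Reader:
    def __init__(self, key: bytes):
        self.key = key

    def authenticate(self, channel, max_rtt_ms=None) -> dict:
        reader_nonce = os.urandom(8)
        (uid, card_nonce, card_tag), rtt = channel.exchange(reader_nonce)
        if not hmac.compare_digest(card_tag, tag(self.key, b"card", reader_nonce, card_nonce)):
            return {"ok": False, "reason": "bad card tag", "rtt_ms": rtt}
        # Assumed mitigation for the example: a bound on the round trip. The
        # cryptography above cannot tell a relayed card from a present one.
        if max_rtt_ms is not None and rtt > max_rtt_ms:
            return {"ok": False, "reason": "round trip too slow", "rtt_ms": rtt}
        reader_tag = tag(self.key, b"reader", card_nonce, reader_nonce)
        return {"ok": True, "reason": "authenticated", "rtt_ms": rtt, "uid": uid,
                "reader_nonce": reader_nonce, "reader_tag": reader_tag}


if __name__ == "__main__":
    card, reader = Card(b"\x00\x01", SHARED_KEY), Reader(SHARED_KEY)
    print("direct :", reader.authenticate(DirectChannel(card))["reason"])
    print("relayed:", reader.authenticate(RelayedChannel(DirectChannel(card)))["reason"])
    print("relayed, bounded:", reader.authenticate(RelayedChannel(DirectChannel(card)), 20)["reason"])
```

Nothing in `Reader.authenticate` can distinguish the two channels from the bytes alone; every tag verifies because the genuine card computed it. That is the article's point, and it is why the defence has to come from a layer the relay cannot forward, such as timing, rather than from a stronger cipher.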

What’s scary about all this is that the equipment used to perpetrate the above attacks can be quite inexpensive and is widely available.

Cyber-attacks can be new to many chief security officers, and Internet of Things (IoT) devices, which access control systems increasingly rely on, are common targets. Mass port scanning identifies port availability by sending connection requests to a target computer and recording which ports respond and how. Determining which ports are in use lets hackers infer which applications and services the device is running. The bad news is that almost all IoT devices get port-scanned at some point. From there, authentication could be compromised.
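Port scans against a controller leave a recognisable trace in firewall logs, and the defender's side of this paragraph is spotting it. The following is an added example and not code from the article: it parses constructed firewall log lines (a fast scan, a slow scan and a legitimate management station talking to an assumed controller address), counts how many distinct ports each source touches within a sliding window, and flags sources over a threshold. The log format, addresses, ports and thresholds are all assumptions of the example; the slow scanner is included to show why the window size matters.

```python
"""Added example (not from the article): flag sources that probe many distinct
ports on an access controller within a time window, using constructed log lines."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Assumed log format for the example; adapt LINE_RE to the firewall in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DROP|ACCEPT) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=TCP dport=(?P<dport>\d+)$"
)

CONTROLLER = "192.0.2.10"  # constructed address of the access controller
PROBED_PORTS = [21, 22, 23, 80, 443, 502, 1883, 4000, 4840, 8080, 8443, 9100]


def build_sample_log() -> List[str]:
    """Constructed log: one fast scanner, one slow scanner, one legitimate client."""
    start = datetime(2021, 3, 1, 10, 0, 0)
    lines = []
    for i, port in enumerate(PROBED_PORTS):      # 12 ports in about 22 seconds
        ts = start + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} DROP src=203.0.113.7 dst={CONTROLLER} proto=TCP dport={port}")
    for i, port in enumerate(PROBED_PORTS):      # same ports, one every 100 seconds
        ts = start + timedelta(seconds=100 * i)
        lines.append(f"{ts.isoformat()} DROP src=203.0.113.9 dst={CONTROLLER} proto=TCP dport={port}")
    for i in range(5):                           # management station on HTTPS only
        ts = start + timedelta(seconds=7 * i)
        lines.append(f"{ts.isoformat()} ACCEPT src=198.51.100.5 dst={CONTROLLER} proto=TCP dport=443")
    return lines


def parse_log(lines: Iterable[str]) -> List[dict]:
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:                                # skip lines in other formats
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                       "dport": int(m["dport"]), "action": m["action"]})
    return events


def max_distinct_ports(events: List[dict], window_seconds: int) -> int:
    """Largest number of distinct destination ports hit inside any one window."""
    window = timedelta(seconds=window_seconds)
    evs = sorted(events, key=lambda e: e["ts"])
    counts: Counter = Counter()
    best = left = 0
    for right, ev in enumerate(evs):
        counts[ev["dport"]] += 1
        while evs[right]["ts"] - evs[left]["ts"] > window:   # slide the left edge
            old = evs[left]["dport"]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def ports_hit_per_source(lines: Iterable[str], window_seconds: int = 60) -> Dict[str, int]:
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in parse_log(lines):
        by_src[ev["src"]].append(ev)
    return {src: max_distinct_ports(evs, window_seconds) for src, evs in by_src.items()}


def detect_scanners(lines: Iterable[str], window_seconds: int = 60, min_ports: int = 10) -> Set[str]:
    """Sources that touched at least min_ports distinct ports within one window."""
    return {src for src, n in ports_hit_per_source(lines, window_seconds).items() if n >= min_ports}


if __name__ == "__main__":
    log = build_sample_log()
    print("60 s window  :", sorted(detect_scanners(log)))
    print("30 min window:", sorted(detect_scanners(log, window_seconds=1800)))
```

With a 60-second window only the fast scanner is flagged; the one-port-per-100-seconds scan is invisible until the window is widened, which is the usual trade-off between catching slow scans and tolerating a busy legitimate client.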

Caveat emptor

Here’s an even scarier, more subtle way of using cyber tactics to get your or your customers’ personal information. Do you use a mobile access control system, one where your smartphone acts like your ID badge? A special word of caution is needed when changing over to mobile systems.

Many legacy access control systems require the use of back-end portal accounts. For hackers, these portals can become rich, easy-to-access caches of personal end-user data containing potentially private information, such as names, addresses and emails. These older mobile systems will force the user to register themselves and their integrators for each application; door access – register, parking access – register.

Knowing this, users can employ a physical solution, credentials with features that allow them to register their handset only once and need no portal accounts, activation features or hidden fees, annual or otherwise. Instead of developing a software cyber solution, all that should be needed to activate your systems is the phone number of the smartphone. If you need to fill out several different forms or disclose private data to install your mobile system, demand this better solution.

In addition, 26-bit Wiegand is no longer secure: whatever protection it once offered rested on obscurity, and it also suffers from a lack of data bits. Consider a range of big-number options. Use custom Wiegand formats, ABA Track II magnetic stripe emulations or today’s serial options including Open Supervised Device Protocol (OSDP), RS-485 and TCP/IP. Make use of additional reader control lines. A simple example is the ‘card present’ line commonly available on today’s access control readers.
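The "lack of data bits" is easiest to see by working through the format itself. The following is an added example, not code from the article or from any reader manufacturer: it encodes and decodes the standard 26-bit Wiegand frame (one even-parity bit, an 8-bit facility code, a 16-bit card number, one odd-parity bit), validates both parity bits on decode, and sizes the keyspace so it can be compared with a wider, hypothetical format. The wider format in the demo is an assumption, not a named standard.

```python
"""Added example (not from the article or any vendor): encode and decode the
standard 26-bit Wiegand format and size its keyspace."""
from typing import Tuple

# Layout: [even parity][8-bit facility code][16-bit card number][odd parity]
# The even-parity bit covers the first 12 data bits, the odd-parity bit the last 12.
FACILITY_BITS = 8
CARD_BITS = 16


def encode_26bit(facility: int, card: int) -> str:
    """Return the 26-bit frame (as a '0'/'1' string) for a facility code and card number."""
    if not 0 <= facility < 2 ** FACILITY_BITS:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card < 2 ** CARD_BITS:
        raise ValueError("card number must fit in 16 bits")
    data = f"{facility:0{FACILITY_BITS}b}{card:0{CARD_BITS}b}"   # 24 data bits
    even = str(data[:12].count("1") % 2)         # makes the ones in bits 0..12 even
    odd = str((data[12:].count("1") + 1) % 2)    # makes the ones in bits 13..25 odd
    return even + data + odd


def decode_26bit(bits: str) -> Tuple[int, int]:
    """Check both parity bits and return (facility, card); raise on a corrupt frame."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("frame must be 26 binary digits")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("even parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("odd parity check failed")
    data = bits[1:25]
    return int(data[:FACILITY_BITS], 2), int(data[FACILITY_BITS:], 2)


def is_valid_26bit(bits: str) -> bool:
    """True when the frame is well-formed and both parity bits check out."""
    try:
        decode_26bit(bits)
        return True
    except ValueError:
        return False


def keyspace(facility_bits: int, card_bits: int) -> int:
    """Number of distinct credentials a format can express (parity bits carry no identity)."""
    return 2 ** facility_bits * 2 ** card_bits


if __name__ == "__main__":
    frame = encode_26bit(facility=42, card=31337)
    print(frame, "->", decode_26bit(frame))
    print("26-bit keyspace          :", keyspace(FACILITY_BITS, CARD_BITS))
    print("cards per facility code  :", 2 ** CARD_BITS)
    # Hypothetical wider format with a 16-bit facility code and a 32-bit card number.
    print("hypothetical 48-bit format:", keyspace(16, 32))
```

Parity catches a flipped bit on a noisy line but adds nothing to identity: a site's whole population of cards lives in a 16-bit space under one facility code, which is the arithmetic behind the advice to move to bigger-number formats or a serial protocol.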

Options are now available that can be added to many readers. The first is MAXSecure, which provides a higher-security handshake, or code, between the proximity, smart or mobile card, tag and reader, as well as long-range transmitters and receivers to help ensure that readers will only accept information from specially coded credentials.

Valid ID is a relatively new anti-tamper feature available with contactless smartcard readers, cards and tags. Embedded, it can add an additional layer to boost authentication assurance of NXP’s MIFARE DESFire EV2 smartcard platform, operating independently in addition to the significant standard level of security that DESFire EV2 delivers. Valid ID lets a contactless smartcard reader effectively help verify that the sensitive access control data programmed to a card or tag is indeed genuine and not a cloned counterfeit.

Leading readers additionally employ sophisticated symmetric AES encryption when transferring data. Since the Certified Common Criteria EAL5+ Computer Interface Standard provides increased hardware cybersecurity, these readers may also resist skimming, eavesdropping and replay attacks.

Remedies easily available to you

If the new system leverages the Security Industry Association’s (SIA) OSDP protocol, it will also interface easily with control panels or other security management systems, fostering interoperability among security devices. OSDP may eliminate the need for custom system interfaces, a fertile hunting ground for hackers.

OSDP takes solutions beyond the limitations of Wiegand and lets security equipment such as card and biometric readers from one company interface easily with control panels and equipment from another manufacturer. This standardised two-way channel paves the way for forward-looking security applications such as the handling of advanced smartcard technology, PKI and mobile device access. Not only does it provide a concise set of commonly used commands and responses, it eliminates guesswork, since encryption and authentication are predefined.

OSDP also secures smartcards by constantly monitoring the wiring to protect against attacks. The specification for handling LEDs, text, buzzers and other feedback mechanisms provides a rich, user-centric access control environment.

Be sure you only install readers that are fully potted to limit access to the reader’s internal electronics from the unsecured side of the building. When installing, use tamper-proof screws. For physical card-based solutions, offer only smart cards that employ sophisticated cryptographic security techniques. Make the internal numbers unusable through encryption, and offset the printed numbers. To read them, the system needs access to a secret key or password that provides decryption. Modern encryption algorithms play a vital role in assuring data security.

It will be beneficial if your system uses HTTPS (Hypertext Transfer Protocol Secure), widely used on the Internet, to provide secure communication over the computer network. In HTTPS, the communication protocol is encrypted using Transport Layer Security, or TLS, a protocol that provides authentication, privacy and data integrity between two communicating computer applications.


Cybersecurity need not be a mystery

Products that used to comprise only mechanical and electrical parts have now transformed into complex, interconnected systems combining hardware, software, microprocessors, sensors and data storage. These so-called ‘smart’ products are the result of a series of rapid improvements in device miniaturisation, processing power and wireless connectivity. All of these things are connected to the Internet. Once the access control system becomes linked with other smart systems in the world of IoT, the cloud and big data, immense, new security challenges will confront integrators.

Since networking appliances and other objects are relatively novel, product design has often not yet incorporated security.

As implied earlier, integrated products are often sold with outdated, open embedded operating systems and software. Furthermore, as with enterprise security system products themselves, too many integrators simply don’t change the default passwords on smart devices, segment their networks or restrict network access.

Scott Lindley, general manager, Farpointe Data, is a 25-year veteran of the contactless card access control industry. He can be contacted at [email protected]

