Protecting your customers’ organisations from hackers is imperative. Threats have grown from teenage mischief-makers to sophisticated government-backed entities and, now, even advertising and analytics companies. With knowledge of what these hackers seek and the straightforward, undemanding remedies that are becoming available to thwart them, there is little reason not to incorporate basic cybersecurity into your access control solutions.
Interestingly, not reviewing vulnerabilities becomes a major blunder when installing an access control system. Ask your vendor for their cybersecurity vulnerability checklist. It should cover a range of topics that can help protect security-related systems, networks and programs from digital attacks. Sections should include handling default codes, Wiegand issues, reader implementation tips, card protection solutions, leveraging long-range readers, assuring anti-hacking compatibility throughout the system and adding security components.
Some security professionals don’t secure their own security equipment. Unsecured, they provide irresistible backdoors for hackers. For instance, if the installer does not change the default alarm code, the user might as well be giving its user code to everyone. It takes less than 30 seconds to view the master, all other user codes or even create a new one. Unfortunately, these codes can often be found online and once inside the system, the hacker can access the rest of the computer system.
And, too many installers simply disarm the default installer code. This may let the user codes be viewed, including the master code. If an unauthorised person accesses an unarmed panel and uses the installer code, they gain access to all installed hardware and can create a new user code or change a current user code. This code then trumps the master of other user codes.
Sometimes, the problem is within the software. Often, the default code is hard-coded in the app, providing a means by which the device can still be managed, even if the administrator’s custom passcode is lost. It is poor practice for developers to embed passwords, especially unencrypted, into an app’s shipped code.
The difference between physical and cyber hacks
There are three main physical ways to assault a card-based electronic access control system – skimming, eavesdropping and relay attacks. Skimming occurs when the attacker uses an unauthorised reader to access information on the unsuspecting victim’s RFID card or tag without their explicit consent. As a result, the attacker is able to read stored information or modify information by writing to the credential. From that point on, the attacker can control when and where unauthorised entries may occur.
An eavesdropping attack occurs when an attacker recovers the data sent during a transaction between the legitimate reader and card. For example, the user is accessing their building. As a result, the attacker can recover and store the data of interest. From then on, the attacker can use this stored data at will.
Lastly, RFID systems are potentially vulnerable to an attack in which the attacker relays communication between the reader and a tag. A successful relay attack lets an attacker temporarily possess a ‘clone’ of a token, thereby allowing the attacker to gain the associated benefits. Some sophisticated RFID credentials perform mutual authentication and encrypt the subsequent communication. An attacker, however, never needs to know the plain-text data or the key material as long as he can continue relaying the respective messages. It is therefore irrelevant whether the reader authenticates the token cryptographically or encrypts the data, since the relay attack cannot be prevented by application layer security.
What’s scary about all this is that the equipment used to perpetrate the above attacks can be quite inexpensive and is widely available.
Cyber-attacks can be new to many chief security officers. Internet of Things (IoT) devices are common. Mass port scanning identifies port availability by sending connection requests to a target computer and recording which ports respond and how. Determining which ports are in use lets hackers choose which applications and services the device is running. The bad news is that almost all IoT devices get port-scanned at some point. Authentication could be compromised.
Caveat emptor
Here’s an even scarier, more subtle way of using cyber tactics to get you or your customers’ personal information. Do you use a mobile access control system, one where your smartphone acts like your ID badge? There has to be a special word of caution emphasised when changing over to mobile systems.
Many legacy access control systems require the use of back-end portal accounts. For hackers, these portals can become rich, easy-to-access caches of personal end-user data containing potentially private information, such as names, addresses and emails. These older mobile systems will force the user to register themselves and their integrators for each application; door access – register, parking access – register.
Knowing this, users can employ a physical solution, credentials with features that allow them to register their handset only once and need no portal accounts, activation features or hidden fees, annual or otherwise. Instead of developing a software cyber solution, all that should be needed to activate your systems is the phone number of the smartphone. If you need to fill out several different forms or disclose private data to install your mobile system, demand this better solution.
In addition, 26-bit Wiegand is no longer inherently secure due to its original obscure nature. It also suffers from a lack of data bits. Consider a range of big-number options. Use custom Wiegand formats, ABA Track II magnetic stripe emulations or today’s serial options including Open Supervised Device Protocol (OSDP), RS-485 and TCP/IP. Make use of additional reader control lines. A simple example is the ‘card present’ line commonly available on today’s access control readers.
Options are now available that can be added to many readers. The first is MAXSecure, which provides a higher-security handshake, or code, between the proximity, smart or mobile card, tag and reader, as well as long-range transmitters and receivers to help ensure that readers will only accept information from specially coded credentials.
Valid ID is a relatively new anti-tamper feature available with contactless smartcard readers, cards and tags. Embedded, it can add an additional layer to boost authentication assurance of NXP’s MIFARE DESFire EV2 smartcard platform, operating independently in addition to the significant standard level of security that DESFire EV2 delivers. Valid ID lets a contactless smartcard reader effectively help verify that the sensitive access control data programmed to a card or tag is indeed genuine and not a cloned counterfeit.
Leading readers additionally employ sophisticated symmetric AES encryption when transferring data. Since the Certified Common Criteria EAS5+ Computer Interface Standard provides increased hardware cybersecurity, these readers may also resist skimming, eavesdropping and replay attacks.
Remedies easily available to you
If the new system leverages the Security Industry Association’s (SIA) OSDP protocol, it will also interface easily with control panels or other security management systems, fostering interoperability among security devices. OSDP may eliminate the need for custom system interfaces, a fertile hunting ground for hackers.
OSDP takes solutions beyond the limitations of Wiegand and lets security equipment such as card and biometric readers from one company interface easily with control panels and equipment from another manufacturer. This standardised two-way channel paves the way for forward-looking security applications such as the handling of advanced smartcard technology, PKI and mobile device access. Not only does it provide a concise set of commonly used commands and responses, it eliminates guesswork, since encryption and authentication is predefined.
OSPD also secures smartcards by constantly monitoring wiring to protect against attack threats. The specification for handling LEDs, text, buzzers and other feedback mechanisms provides a rich, user-centric access control environment.
Be sure you only install readers that are fully potted to limit access to the reader’s internal electronics from the unsecured side of the building. When installing, use tamper proof screws. For physical card-based solutions, offer only smart cards that employ sophisticated cryptographic security techniques. Make the internal numbers unusable through encryption, and offset the printed numbers. To read them, the system needs access to a secret key or password that provides decryption. Modern encryption algorithms play a vital role in assuring data security.
It will be beneficial if your system uses HTTPS (Hypertext Transfer Protocol Secure), widely used on the Internet, to provide secure communication over the computer network. In HTTPS, the communication protocol is encrypted using Transport Layer Security, or TLS, a protocol that provides authentication, privacy and data integrity between two communicating computer applications.
Cybersecurity need not be a mystery
Products that used to comprise only mechanical and electrical parts have now transformed into complex, interconnected systems combining hardware, software, microprocessors, sensors and data storage. These so-called ‘smart’ products are the result of a series of rapid improvements in device miniaturisation, processing power and wireless connectivity. All of these things are connected to the Internet. Once the access control system becomes linked with other smart systems in the world of IoT, the cloud and big data, immense, new security challenges will confront integrators.
Since networking appliances and other objects are relatively novel, product design has often not yet incorporated security.
As inferred earlier, integrated products are often sold with outdated, open embedded operating systems and software. Furthermore, as with enterprise security system products themselves, too many integrators simply don’t change the default passwords on smart devices, segment their networks or have network access restricted.
Scott Lindley, general manager, Farpointe Data, is a 25-year veteran of the contactless card access control industry. He can be contacted at scott.lindley@farpointedata.com
© Technews Publishing (Pty) Ltd. | All Rights Reserved.