Secured access control

March 2018 Cyber Security, Access Control & Identity Management

Living in an interconnected world leaves us vulnerable and exposed to cybercrime, and with the advances over the years in physical security products, these too have become open to cyber threats resulting in monetary and safety risks to the extent that many countries are now enforcing personal data protection laws.

Five major security points can be identified, namely: credentials, data in edge devices, communication between device and server, data in the server, and the communication between the server and the client.

The biggest threat in credential security is RF card cloning and fake biometrics. Among the major two types of RF cards, 125 kHz cards are easily cloned, and depending on the 13.56 MHz cards and their usage, these can be cloned as well.

No protection is applied in 125 kHz RF cards, which only support Wiegand formats, and it is possible to duplicate the card including format data. Mifare cards (13.56 MHz) have IC chips and support encrypted data but, when it comes to CSN and Mifare Classic, they are vulnerable to card cloning.

First of all, it’s necessary to choose the right cards that support strong encryption methods. Unsafe cards include: 125 kHz EM, 125 kHz Prox, and 13.56 MHz Mifare Classic. Safe cards include; 13.56 MHz Mifare Plus, 13.56 MHz Mifare Desfire, 13.56 MHz Mifare DesfireEV1, 13.56 MHz iClass SE, and 13.56 MHz iClass SEOS.

After choosing the right type of card, it is necessary to use a data area on the card that is protected by the encryption method. BioStar 2 supports smart cards that feature secure credential and access on card. Only a device with a matched key can access the data on the card.

Protect the edge

The second major security point to consider is data protection in the edge device and here we focus on two questions. How safe is the personal data in the device and what if a hacker removes a device from a wall to gain access to the data on the device?

To address these threats, Suprema encrypts all personal data on the device including the name, PIN, finger and face biometrics. User ID and card ID are categorised as system data and are therefore not encrypted. If a device is removed off of a wall, all user data and logs can be deleted at such a tamper event, however it must be stated that this is an optional setting available in device settings on devices loaded with compliant firmware versions and is supported from BioStar version 2.6 onwards.

The new CoreStation intelligent controller offers further security, with no need to store user credentials on edge devices. The CoreStation is based on a centralised topology, where the intelligence, including fingerprint matching, is done on the controller, all data storage and RS-485 communication to edge devices is encrypted according to the latest international standards, with no need to have a network access point available to hackers outside of your building.

Then there are the concerns surrounding communication between the device and the server/controller and here one needs to consider device hijacking or data snipping/snooping for both network and serial communication. In TCP/IP connections, Suprema offers the highest level of communication protection via optional TLS 1.2, which is widely used in the financial industry. Secure communication for RS-485 is through OSDP v2 Key. Keep in mind that Wiegand can be hacked because of its low-end protocol method which is without key change encryption, and therefore controllers only supporting Wiegand pose security threats.

Data on the server

When addressing the protection of personal data in the server in the event of server data leakage or hacking, BioStar 2 server efficiently encrypts all personal data including email, login password, PIN and fingerprint template. User ID and card ID are regarded as system, not personal data, and are therefore not encrypted. It’s recommended not to use ‘user name’ when adhering to personal data protection regulations.

Suprema also supports encryption key value for your own key value management in BioStar versions 2.6 onwards. Right to be forgotten functionality is provided and allows log data to be automatically deleted after a designated period.

The final risk point raises the question of the possibility of communication between the server and the client being hacked. BioStar 2 versions 2.5 onwards supports HTTPS as a default, plus TLS version 1.0 and higher to secure communication from poodle/man-in-the-middle attacks.

There are also additional personal data management methods to consider. Suprema’s BioStar caters for AoC (Access on Card) for both physical cards and mobile cards, taking away the need to store credentials and personal data on the device, controller or BioStar 2 server. From version 2.6 upwards, optional functionality is available to automatically delete credential and personal data upon issuing AoC cards for both physical RF and mobile cards.

In summary, Suprema’s BioStar 2 cyber-security protection features and data management options that help prevent cybercrime and comply with data protection regulations include enhanced security through encrypted communication, HTTPS encryption between the server and the client and 256-bit AES encryption of communication between the server and devices. Improved security is also offered through centralised, secure storage of biometric and access group data. There is no Ethernet connection to edge devices and no data is stored on edge devices. Communication is secured via TLS 1.2 and AES-256 encryption.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Minding the gaps to protect industrial PLCs from cyber threats
November 2019, AVeS Cyber Security , Cyber Security
PLCs, designed to control machinery and specific processes, were never built with cybersecurity threats in mind and protecting PLCs against these threats requires healthy isolation from the Internet.

Pwn2Own hacking contest to include industrial control systems
October 2019 , Cyber Security
As IT and OT converge under Industry 4.0 and digital transformation initiatives, security gaps are emerging in a range of popular industrial control systems.

Stolen credentials on the Dark Web
October 2019 , Cyber Security, Security Services & Risk Management
Over 21 million credentials belonging to Fortune 500 companies, 16 million of which were compromised during the last 12 months, are up for sale.

Stolen credentials on the Dark Web
October 2019 , Cyber Security, Security Services & Risk Management
Over 21 million credentials belonging to Fortune 500 companies, 16 million of which were compromised during the last 12 months, are up for sale.

The importance of XDR for cyber protection
October 2019 , Cyber Security, Products
35% of South African organisations are expecting an imminent cyberattack and a further 31% are bracing for it to happen within a year, according to local research conducted by Trend Micro.

Enterprise security must change
October 2019 , Cyber Security, Security Services & Risk Management
The recent wave of cyberattacks against local banks has highlighted the importance of protecting data against malicious users.

Kaspersky uncovers zero-day in Chrome
October 2019, Kaspersky , News, Cyber Security
Kaspersky’s automated technologies have detected a new exploited vulnerability in the Google Chrome web browser.

Cybersecurity for video surveillance systems
September 2019, Mobotix , Cyber Security, CCTV, Surveillance & Remote Monitoring
Video surveillance systems are increasingly accessible over any IP network, which has led to the rise of potential cyberattack.

Looking ahead with mobile access technologies
Access & Identity Management Handbook 2020, Technews Publishing, HID Global, dormakaba South Africa, Salto Systems Africa, Suprema, Gallagher , Access Control & Identity Management, Integrated Solutions
Given the broad use of smartphones around the world and the numerous technologies packed into these devices, it was only a matter of time before the access control industry developed technology that would ...

The security of biometrics
Access & Identity Management Handbook 2020, ViRDI Distribution SA, IDEMIA , Technews Publishing, Suprema , Access Control & Identity Management
Hi-Tech Security Solutions asks whether your personal biometric data is safe from prying eyes.