Secured access control

March 2018 Cyber Security, Access Control & Identity Management

Living in an interconnected world leaves us vulnerable and exposed to cybercrime, and with the advances over the years in physical security products, these too have become open to cyber threats resulting in monetary and safety risks to the extent that many countries are now enforcing personal data protection laws.

Five major security points can be identified, namely: credentials, data in edge devices, communication between device and server, data in the server, and the communication between the server and the client.

The biggest threat in credential security is RF card cloning and fake biometrics. Among the major two types of RF cards, 125 kHz cards are easily cloned, and depending on the 13.56 MHz cards and their usage, these can be cloned as well.

No protection is applied in 125 kHz RF cards, which only support Wiegand formats, and it is possible to duplicate the card including format data. Mifare cards (13.56 MHz) have IC chips and support encrypted data but, when it comes to CSN and Mifare Classic, they are vulnerable to card cloning.

First of all, it’s necessary to choose the right cards that support strong encryption methods. Unsafe cards include: 125 kHz EM, 125 kHz Prox, and 13.56 MHz Mifare Classic. Safe cards include; 13.56 MHz Mifare Plus, 13.56 MHz Mifare Desfire, 13.56 MHz Mifare DesfireEV1, 13.56 MHz iClass SE, and 13.56 MHz iClass SEOS.

After choosing the right type of card, it is necessary to use a data area on the card that is protected by the encryption method. BioStar 2 supports smart cards that feature secure credential and access on card. Only a device with a matched key can access the data on the card.

Protect the edge

The second major security point to consider is data protection in the edge device and here we focus on two questions. How safe is the personal data in the device and what if a hacker removes a device from a wall to gain access to the data on the device?

To address these threats, Suprema encrypts all personal data on the device including the name, PIN, finger and face biometrics. User ID and card ID are categorised as system data and are therefore not encrypted. If a device is removed off of a wall, all user data and logs can be deleted at such a tamper event, however it must be stated that this is an optional setting available in device settings on devices loaded with compliant firmware versions and is supported from BioStar version 2.6 onwards.

The new CoreStation intelligent controller offers further security, with no need to store user credentials on edge devices. The CoreStation is based on a centralised topology, where the intelligence, including fingerprint matching, is done on the controller, all data storage and RS-485 communication to edge devices is encrypted according to the latest international standards, with no need to have a network access point available to hackers outside of your building.

Then there are the concerns surrounding communication between the device and the server/controller and here one needs to consider device hijacking or data snipping/snooping for both network and serial communication. In TCP/IP connections, Suprema offers the highest level of communication protection via optional TLS 1.2, which is widely used in the financial industry. Secure communication for RS-485 is through OSDP v2 Key. Keep in mind that Wiegand can be hacked because of its low-end protocol method which is without key change encryption, and therefore controllers only supporting Wiegand pose security threats.

Data on the server

When addressing the protection of personal data in the server in the event of server data leakage or hacking, BioStar 2 server efficiently encrypts all personal data including email, login password, PIN and fingerprint template. User ID and card ID are regarded as system, not personal data, and are therefore not encrypted. It’s recommended not to use ‘user name’ when adhering to personal data protection regulations.

Suprema also supports encryption key value for your own key value management in BioStar versions 2.6 onwards. Right to be forgotten functionality is provided and allows log data to be automatically deleted after a designated period.

The final risk point raises the question of the possibility of communication between the server and the client being hacked. BioStar 2 versions 2.5 onwards supports HTTPS as a default, plus TLS version 1.0 and higher to secure communication from poodle/man-in-the-middle attacks.

There are also additional personal data management methods to consider. Suprema’s BioStar caters for AoC (Access on Card) for both physical cards and mobile cards, taking away the need to store credentials and personal data on the device, controller or BioStar 2 server. From version 2.6 upwards, optional functionality is available to automatically delete credential and personal data upon issuing AoC cards for both physical RF and mobile cards.

In summary, Suprema’s BioStar 2 cyber-security protection features and data management options that help prevent cybercrime and comply with data protection regulations include enhanced security through encrypted communication, HTTPS encryption between the server and the client and 256-bit AES encryption of communication between the server and devices. Improved security is also offered through centralised, secure storage of biometric and access group data. There is no Ethernet connection to edge devices and no data is stored on edge devices. Communication is secured via TLS 1.2 and AES-256 encryption.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Managing staff effectively
September 2019, dormakaba South Africa, iPulse Systems , Integrated Solutions, Access Control & Identity Management
Workforce management solutions allow organisations to track the relationship between productivity and the cost of employment, incorporating issues such as health and safety, T&A, rostering and more.

Hennie Lategan joins Centurion as head of exports
September 2019, Centurion Systems , News, Access Control & Identity Management
Centurion Systems has announced the appointment of Hennie Lategan as the head of the company’s exports department.

Check Point appoints new regional director for Africa
September 2019 , News, Cyber Security
Check Point Software Technologies has appointed Pankaj Bhula as regional director for Africa.

ISO standard for protecting personal data
September 2019 , News, Cyber Security
Tackling privacy information management head on: first ISO standard for protecting personal data has been published.

The hunt for the Carbanak group
September 2019 , Editor's Choice, Cyber Security, News
Tomorrow Unlocked has released a free four-part documentary that tells the story of the notorious Carbanak APT group and its $1 billion bank heist.

Preventing data breaches in small and medium businesses
September 2019 , Cyber Security
To minimise the likelihood of a data breach, companies should hire dedicated cybersecurity specialists, make sure their data is well encrypted and segmented, and only provide limited access to it.

Building automation vulnerable to hacks
September 2019 , News, Cyber Security
New vulnerability revealed in Internet-connected building automation devices at the DEF CON IoT Village that could impact critical building systems.

Threats spread to IM, collaboration tools
September 2019 , Cyber Security, Residential Estate (Industry)
The average office worker now spends up to 80% of their time using collaboration tools, but many lack adequate security.

Biometrics control airport railroad
September 2019, Suprema , Access Control & Identity Management
63 km railroad to Incheon Airport is centrally controlled and secured by Suprema biometric hardware and software.

Becoming more cyber-savvy within the OT environment
September 2019 , Cyber Security, Industrial (Industry)
Organisations running operational technology (OT) have increasingly come under cyberattack, with malware sending shockwaves through these sectors.