Secured access control

March 2018 Information Security, Access Control & Identity Management

Living in an interconnected world leaves us vulnerable and exposed to cybercrime, and with the advances over the years in physical security products, these too have become open to cyber threats resulting in monetary and safety risks to the extent that many countries are now enforcing personal data protection laws.

Five major security points can be identified, namely: credentials, data in edge devices, communication between device and server, data in the server, and the communication between the server and the client.

The biggest threat in credential security is RF card cloning and fake biometrics. Among the major two types of RF cards, 125 kHz cards are easily cloned, and depending on the 13.56 MHz cards and their usage, these can be cloned as well.

No protection is applied in 125 kHz RF cards, which only support Wiegand formats, and it is possible to duplicate the card including format data. Mifare cards (13.56 MHz) have IC chips and support encrypted data but, when it comes to CSN and Mifare Classic, they are vulnerable to card cloning.

First of all, it’s necessary to choose the right cards that support strong encryption methods. Unsafe cards include: 125 kHz EM, 125 kHz Prox, and 13.56 MHz Mifare Classic. Safe cards include; 13.56 MHz Mifare Plus, 13.56 MHz Mifare Desfire, 13.56 MHz Mifare DesfireEV1, 13.56 MHz iClass SE, and 13.56 MHz iClass SEOS.

After choosing the right type of card, it is necessary to use a data area on the card that is protected by the encryption method. BioStar 2 supports smart cards that feature secure credential and access on card. Only a device with a matched key can access the data on the card.

Protect the edge

The second major security point to consider is data protection in the edge device and here we focus on two questions. How safe is the personal data in the device and what if a hacker removes a device from a wall to gain access to the data on the device?

To address these threats, Suprema encrypts all personal data on the device including the name, PIN, finger and face biometrics. User ID and card ID are categorised as system data and are therefore not encrypted. If a device is removed off of a wall, all user data and logs can be deleted at such a tamper event, however it must be stated that this is an optional setting available in device settings on devices loaded with compliant firmware versions and is supported from BioStar version 2.6 onwards.

The new CoreStation intelligent controller offers further security, with no need to store user credentials on edge devices. The CoreStation is based on a centralised topology, where the intelligence, including fingerprint matching, is done on the controller, all data storage and RS-485 communication to edge devices is encrypted according to the latest international standards, with no need to have a network access point available to hackers outside of your building.

Then there are the concerns surrounding communication between the device and the server/controller and here one needs to consider device hijacking or data snipping/snooping for both network and serial communication. In TCP/IP connections, Suprema offers the highest level of communication protection via optional TLS 1.2, which is widely used in the financial industry. Secure communication for RS-485 is through OSDP v2 Key. Keep in mind that Wiegand can be hacked because of its low-end protocol method which is without key change encryption, and therefore controllers only supporting Wiegand pose security threats.

Data on the server

When addressing the protection of personal data in the server in the event of server data leakage or hacking, BioStar 2 server efficiently encrypts all personal data including email, login password, PIN and fingerprint template. User ID and card ID are regarded as system, not personal data, and are therefore not encrypted. It’s recommended not to use ‘user name’ when adhering to personal data protection regulations.

Suprema also supports encryption key value for your own key value management in BioStar versions 2.6 onwards. Right to be forgotten functionality is provided and allows log data to be automatically deleted after a designated period.

The final risk point raises the question of the possibility of communication between the server and the client being hacked. BioStar 2 versions 2.5 onwards supports HTTPS as a default, plus TLS version 1.0 and higher to secure communication from poodle/man-in-the-middle attacks.

There are also additional personal data management methods to consider. Suprema’s BioStar caters for AoC (Access on Card) for both physical cards and mobile cards, taking away the need to store credentials and personal data on the device, controller or BioStar 2 server. From version 2.6 upwards, optional functionality is available to automatically delete credential and personal data upon issuing AoC cards for both physical RF and mobile cards.

In summary, Suprema’s BioStar 2 cyber-security protection features and data management options that help prevent cybercrime and comply with data protection regulations include enhanced security through encrypted communication, HTTPS encryption between the server and the client and 256-bit AES encryption of communication between the server and devices. Improved security is also offered through centralised, secure storage of biometric and access group data. There is no Ethernet connection to edge devices and no data is stored on edge devices. Communication is secured via TLS 1.2 and AES-256 encryption.



Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Upgrade your PCs to improve security
Information Security Infrastructure
Truly secure technology today must be designed to detect and address unusual activity as it happens, wherever it happens, right down to the BIOS and silicon levels.

Read more...
Open source code can also be open risk
Information Security Infrastructure
Software development has changed significantly over the years, and today, open-source code increasingly forms the foundation of modern applications, with surveys indicating that 60 – 90% of the average application's code base consists of open-source components.

Read more...
DeepSneak deception
Information Security News & Events
Kaspersky Global Research & Analysis researchers have discovered a new malicious campaign which is distributing a Trojan through a fake DeepSeek-R1 Large Language Model (LLM) app for PCs.

Read more...
Biometric security key for phishing-resistant MFA
Products & Solutions Access Control & Identity Management
New FIDO-compliant USB, Bluetooth, and NFC BioKeys with biometric login and centralised management for phishing-resistant, passwordless multifactor authentication (MFA) for enterprise users.

Read more...
SA’s strained, loadshedding-prone grid faces cyberthreats
Power Management Information Security
South Africa’s energy sector, already battered by decades of underinvestment and loadshedding, faces another escalating crisis; a wave of cyberthreats that could turn disruptions into catastrophic failures. Attacks are already happening internationally.

Read more...
Almost 50% of companies choose to pay the ransom
News & Events Information Security
This year’s Sophos State of Ransomware 2025 report found that nearly 50% of companies paid the ransom to get their data back, the second-highest rate of ransom payment for ransom demands in six years.

Read more...
Survey highlights cost of cyberdamage to industrial companies
Kaspersky Information Security News & Events
The majority of industrial organisations estimate their financial losses caused by cyberattacks to be over $1 million, while almost one in four report losses exceeding $5 million, and for some, it surpasses $10 million.

Read more...
Digital economy needs an agile approach to cybersecurity
Information Security News & Events
South Africa is the most targeted country in Africa when it comes to infostealer and ransomware attacks. Being at the forefront of the continent’s digital transformation puts South Africa in the crosshairs for sophisticated cyberattacks

Read more...
SIEM rule threat coverage validation
Information Security News & Events
New AI-detection engineering assistant from Cymulate automates SIEM rule validation for SecOps and blue teams by streamlining threat detection engineering with automated testing, control integrations and enhanced detections.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.