Protecting the Wiegand protocol from attack

November 2015 Access Control & Identity Management, Cyber Security

As Tony Diodato, founder and CTO of Cypress Computer Systems so succinctly states, “Gone are the days when Wiegand was considered inherently secure due to its obscure and non-standard nature. No one would accept usernames and passwords being sent in the clear, nor should they accept vulnerable credential data. ID harvesting has become one of the most lucrative hacking activities.”

Scott Lindley, president, Farpointe Data.
Scott Lindley, president, Farpointe Data.

Wiegand is the industry standard protocol commonly used to communicate credential data from a card reader to an electronic access controller. In these attacks, a credential’s identifier is cloned, or captured, and is then retransmitted via a small electronic device to grant unauthorised access to an office or other facility. For those that consider this a problem – and many should – the good news is that there are a series of remedies.

First of all, when considering any security application, it is critical that the end user realistically assess the threat of a hack to their facilities. For example, if access control is being used merely as a convenience to the alternative of using physical keys, chances are the end user has a reduced risk of being hacked. However, if the end user is using their access system as an element to their overall security system because of a perceived or imminent threat due to the nature of what they do, produce or house at their facility, they may indeed be at higher risk and they should consider methods to mitigate the risk of a hack. Here are a few steps that may be considered in reducing that danger.

How end users can help reduce hacking

Just as we’ve become aware of criminal skimmers causing mischief with the ATM infrastructure, card holders should avoid presenting access control credentials to any access readers that appear to have been tampered with. Secondly, these same card holders should be encouraged to quickly report to the facility’s security and management teams any suspicions or access control system tampering, including instances involving either the access control readers or access credentials.

How integrators can reduce hacking

The integrator is the frontline defence for protecting a security system. Integrators need to understand what the customer’s needs are, what the customer can do, what the customer has to work with, what hackers can do, where the hacker is most likely attack and what can be done to thwart the hacker. In other words, the integrator needs to figure out how to apply the cliché: ‘a good offence is the best defence’. There are many things that can be done to reduce hacking of a Wiegand system.

• Install only readers that are fully potted and that do not allow access to the reader’s internal electronics from the unsecured side of the building. An immediate upgrading is recommended for readers that fail to meet this standard.

• Make certain the reader’s mounting screws are always hidden from normal view and make use of security screws whenever possible.

• Embed contactless readers inside the wall, not simply on the outside, effectively hiding them from view. Or, if that is not possible and physical tampering remains an issue, consider upgrading the site to readers that provide both ballistic and vandal resistance.

• Make use of reader cable with a continuous overall foil shield tied to a solid earth ground in a single location. This helps block signals from being induced onto the individual conductors making up the cable as well as those signals that may be gained from the reader cable.

• Deploy readers with a pig tail, not a connector. Use extended length pig tails to assure that connections are not made immediately behind the reader.

• Run reader cabling through a conduit, securing it from the outside world.

• Add a tamper feature, commonly available on many of today’s access control readers.

• Use the ‘card present’ line commonly available on many of today’s access control readers. This signal line lets the access control panel know when the reader is transmitting data.

• Use access control readers with an output alternative to the industry-standard Wiegand output, provided they are supported by the electronic access control system. Alternatives can include ABA Track II, OSDP, RS-485 and TCP/IP.

• Offer the customer cards that can be printed and used as photo badges, which are much less likely to be shared.

How electronic access control system manufacturers can reduce hacking

Here are some items that manufacturers could offer their integrators and ultimately end-users.

• Provide credentials other than those formatted in the open, industry standard 26-bit Wiegand. Not only is the 26-bit Wiegand format available for open use, but many of the codes have been duplicated multiple times.

• Offer a custom format with controls in-place to govern duplication.

• Avoid multi-technology readers as credential duplication risks increase.

• Promote a technology to limit the credentials a reader can read to a very specific population. Consider implementing a high-security handshake, or code, between the card or tag and reader to help prevent credential duplication and ensure that the customers’ readers will only collect data from these specially coded credentials.

• Offer a smart card solution that employs sophisticated cryptographic security techniques. An example is MIFARE DESFire EV1 cards making use of AES 128-bit encryption.

• Provide credentials that include anti-tamper technology, such as Valid ID, that indicate to the system when it detects tampering.

• Make available credentials with an anti-playback routine, such as transmitters instead of cards. Long range transmitters offer the additional benefit of not requiring a reader be installed on the unsecure side of the door. Instead they can be installed in a secure location, such as the security closet, perhaps up to 61 m away.

• Offer a highly proprietary contactless smartcard technology such as Legic.

• Provide 2-factor readers including contactless and PIN technologies. Alternatively, also offer a third factor, normally a biometric technology.

Assure additional security system components are available

Such systems can also play a significant role in reducing the likelihood of an attack as well as mitigating the impact of a hack attack should it occur.

• Intrusion: Should the access control system be hacked and grant entry to a wrong individual, have a burglar alarm system in place to detect and annunciate the intrusion.

• Video: If the access control system is hacked, granting entry to an unauthorised individual, have a video system in place to detect, record and annunciate the intrusion.

• Guards: If the system is hacked and intruders are let in, make sure that guards in the control room as well as those performing a regular tour receive an alert notifying them that someone has physically tampered with the access control system.

We must always stay one step in front of the bad guys. There are several ways to obviate card system security, whether via the card itself or, as we’ve covered here, via the Wiegand communication protocol. With the proper tools, any of these assaults can be defended.

For more information go to

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Patient critical – healthcare’s cybersecurity pulse
August 2019, Wolfpack Information Risk , News, Cyber Security, Healthcare (Industry)
The healthcare industry has become one of the leading cybersecurity attack vectors worldwide for several reasons.

HID addresses identification challenges at ID4Africa
August 2019 , News, Access Control & Identity Management, Government and Parastatal (Industry)
Being able to verify people’s identities is critical for a nation’s growth and prosperity and yet HID says nearly half of all African citizens can’t prove who they are to vote, travel freely and receive government benefits and services.

Came acquires Turkish company Özak
August 2019, CAME BPT South Africa , News, Access Control & Identity Management
Came broadens its market horizons and signals growth and consolidation in the Middle East.

The benefits of electronic visitor management
August 2019, Powell Tronics , Access Control & Identity Management, Residential Estate (Industry)
Access control is a critical aspect of estate security as it represents the controls put in place to restrict entry (and possibly exit) along the outer boundary of the location.

Addressing risks by means of access control layout and design
August 2019 , Access Control & Identity Management, Security Services & Risk Management
In order to develop a suitable, practical and appropriate security system for any organisation, it is essential to first develop a master security and life safety plan strategy.

Secure hands-free access
August 2019, Suprema , Access Control & Identity Management, Residential Estate (Industry)
Suprema’s facial biometric terminals bring no-touch access into secure residential estates, high-rise apartments and luxury homes providing fast, easy and intuitive user authentication with the added benefit of hygiene.

MorphoAccess Sigma Extreme
August 2019, IDEMIA , Products, Access Control & Identity Management
MorphoAccess Sigma Extreme from IDEMIA is a touchscreen device with multiple recognition device interfaces (NFC chip reader, PIN and BioPIN codes, contactless card readers).

Outdoor access terminals
August 2019, Suprema , Access Control & Identity Management, Residential Estate (Industry), Products
Rugged, dust- and weather-proof access control solutions that provide exceptional durability in extreme conditions is a strong requirement for many residential estates.

MorphoWave Compact
August 2019, IDEMIA , Products, Access Control & Identity Management
The MorphoWave Compact captures and matches four fingerprints on either the right or left hand in any direction. It is robust to environmental factors such as extreme light or dust.

MorphoAccess Sigma Lite
August 2019, IDEMIA , Products, Access Control & Identity Management
IDEMIA’s MorphoAccess Sigma Lite and Lite + are fingerprint access control terminals, offering time and attendance in and out function keys.