Protecting the Wiegand protocol from attack

Access & Identity Management Handbook 2015 Access Control & Identity Management, Information Security

As Tony Diodato, founder and CTO of Cypress Computer Systems so succinctly states, “Gone are the days when Wiegand was considered inherently secure due to its obscure and non-standard nature. No one would accept usernames and passwords being sent in the clear, nor should they accept vulnerable credential data. ID harvesting has become one of the most lucrative hacking activities.”

Scott Lindley, president, Farpointe Data.
Scott Lindley, president, Farpointe Data.

Wiegand is the industry standard protocol commonly used to communicate credential data from a card reader to an electronic access controller. In these attacks, a credential’s identifier is cloned, or captured, and is then retransmitted via a small electronic device to grant unauthorised access to an office or other facility. For those that consider this a problem – and many should – the good news is that there are a series of remedies.

First of all, when considering any security application, it is critical that the end user realistically assess the threat of a hack to their facilities. For example, if access control is being used merely as a convenience to the alternative of using physical keys, chances are the end user has a reduced risk of being hacked. However, if the end user is using their access system as an element to their overall security system because of a perceived or imminent threat due to the nature of what they do, produce or house at their facility, they may indeed be at higher risk and they should consider methods to mitigate the risk of a hack. Here are a few steps that may be considered in reducing that danger.

How end users can help reduce hacking

Just as we’ve become aware of criminal skimmers causing mischief with the ATM infrastructure, card holders should avoid presenting access control credentials to any access readers that appear to have been tampered with. Secondly, these same card holders should be encouraged to quickly report to the facility’s security and management teams any suspicions or access control system tampering, including instances involving either the access control readers or access credentials.

How integrators can reduce hacking

The integrator is the frontline defence for protecting a security system. Integrators need to understand what the customer’s needs are, what the customer can do, what the customer has to work with, what hackers can do, where the hacker is most likely attack and what can be done to thwart the hacker. In other words, the integrator needs to figure out how to apply the cliché: ‘a good offence is the best defence’. There are many things that can be done to reduce hacking of a Wiegand system.

• Install only readers that are fully potted and that do not allow access to the reader’s internal electronics from the unsecured side of the building. An immediate upgrading is recommended for readers that fail to meet this standard.

• Make certain the reader’s mounting screws are always hidden from normal view and make use of security screws whenever possible.

• Embed contactless readers inside the wall, not simply on the outside, effectively hiding them from view. Or, if that is not possible and physical tampering remains an issue, consider upgrading the site to readers that provide both ballistic and vandal resistance.

• Make use of reader cable with a continuous overall foil shield tied to a solid earth ground in a single location. This helps block signals from being induced onto the individual conductors making up the cable as well as those signals that may be gained from the reader cable.

• Deploy readers with a pig tail, not a connector. Use extended length pig tails to assure that connections are not made immediately behind the reader.

• Run reader cabling through a conduit, securing it from the outside world.

• Add a tamper feature, commonly available on many of today’s access control readers.

• Use the ‘card present’ line commonly available on many of today’s access control readers. This signal line lets the access control panel know when the reader is transmitting data.

• Use access control readers with an output alternative to the industry-standard Wiegand output, provided they are supported by the electronic access control system. Alternatives can include ABA Track II, OSDP, RS-485 and TCP/IP.

• Offer the customer cards that can be printed and used as photo badges, which are much less likely to be shared.

How electronic access control system manufacturers can reduce hacking

Here are some items that manufacturers could offer their integrators and ultimately end-users.

• Provide credentials other than those formatted in the open, industry standard 26-bit Wiegand. Not only is the 26-bit Wiegand format available for open use, but many of the codes have been duplicated multiple times.

• Offer a custom format with controls in-place to govern duplication.

• Avoid multi-technology readers as credential duplication risks increase.

• Promote a technology to limit the credentials a reader can read to a very specific population. Consider implementing a high-security handshake, or code, between the card or tag and reader to help prevent credential duplication and ensure that the customers’ readers will only collect data from these specially coded credentials.

• Offer a smart card solution that employs sophisticated cryptographic security techniques. An example is MIFARE DESFire EV1 cards making use of AES 128-bit encryption.

• Provide credentials that include anti-tamper technology, such as Valid ID, that indicate to the system when it detects tampering.

• Make available credentials with an anti-playback routine, such as transmitters instead of cards. Long range transmitters offer the additional benefit of not requiring a reader be installed on the unsecure side of the door. Instead they can be installed in a secure location, such as the security closet, perhaps up to 61 m away.

• Offer a highly proprietary contactless smartcard technology such as Legic.

• Provide 2-factor readers including contactless and PIN technologies. Alternatively, also offer a third factor, normally a biometric technology.

Assure additional security system components are available

Such systems can also play a significant role in reducing the likelihood of an attack as well as mitigating the impact of a hack attack should it occur.

• Intrusion: Should the access control system be hacked and grant entry to a wrong individual, have a burglar alarm system in place to detect and annunciate the intrusion.

• Video: If the access control system is hacked, granting entry to an unauthorised individual, have a video system in place to detect, record and annunciate the intrusion.

• Guards: If the system is hacked and intruders are let in, make sure that guards in the control room as well as those performing a regular tour receive an alert notifying them that someone has physically tampered with the access control system.

We must always stay one step in front of the bad guys. There are several ways to obviate card system security, whether via the card itself or, as we’ve covered here, via the Wiegand communication protocol. With the proper tools, any of these assaults can be defended.

For more information go to www.farpointedata.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Data security and privacy in global mobility
Risk Management & Resilience Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Read more...
Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Read more...
The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Read more...
AI augmentation in security software and the resistance to IT
Security Services & Risk Management Information Security
The integration of AI technology into security software has been met with resistance. In this, the first in a series of two articles, Paul Meyer explores the challenges and obstacles that must be overcome to empower AI-enabled, human-centric decision-making.

Read more...
Milestone Systems joins CVE programme
Milestone Systems News & Events Information Security
Milestone Systems has partnered with the Common Vulnerability and Exposures (CVE) Programme as a CVE Numbering Authority (CNA), to assist the programme to find, describe, and catalogue known cybersecurity issues.

Read more...
Defending against SIM swap fraud
Access Control & Identity Management
Mobile networks must not be complacent about SIM swap fraud, and they need to prioritise the protection of customers, according to Gur Geva, Founder and CEO of iiDENTIFii.

Read more...
Access Selection Guide 2024
Access Control & Identity Management
The Access Selection Guide 2024 includes a range of devices geared specifically for the access control and identity management market.

Read more...
Biometrics Selection Guide 2024
Access Control & Identity Management
The Biometrics Selection Guide 2024 incorporates a number of hardware and software biometric identification systems aimed at the access and identity management market of today.

Read more...
Smart intercoms for Sky House Projects
Nology Access Control & Identity Management Residential Estate (Industry)
DNAKE’s easy and smart intercom solution has everything in place for modern residential buildings. Hence, the developer selected DNAKE video intercoms to round out upmarket apartment complexes, supported by the mobile app.

Read more...
Authentic identity
HID Global Access Control & Identity Management
As the world has become global and digital, traditional means for confirming authentic identity, and understanding what is real and what is fake have become impractical.

Read more...