No hackers!

Access & Identity Management Handbook 2021 Editor's Choice

Protecting your customers’ organisations from hackers is imperative. Threats have grown from teenage mischief-makers to sophisticated government-backed entities and, now, even advertising and analytics companies. With knowledge of what these hackers seek and the straightforward, undemanding remedies that are becoming available to thwart them, there is little reason not to incorporate basic cybersecurity into your access control solutions.

Failing to review vulnerabilities is a major blunder when installing an access control system. Ask your vendor for their cybersecurity vulnerability checklist. It should cover a range of topics that can help protect security-related systems, networks and programs from digital attacks. Sections should include handling default codes, Wiegand issues, reader implementation tips, card protection solutions, leveraging long-range readers, assuring anti-hacking compatibility throughout the system and adding security components.

Some security professionals don’t secure their own security equipment. Unsecured, it provides irresistible backdoors for hackers. For instance, if the installer does not change the default alarm code, the user might as well be giving their user code to everyone. It takes less than 30 seconds to view the master code and all other user codes, or even to create a new one. Unfortunately, these codes can often be found online and, once inside the system, the hacker can access the rest of the computer system.

Too many installers also simply disarm the default installer code. This may let the user codes be viewed, including the master code. If an unauthorised person accesses an unarmed panel and uses the installer code, they gain access to all installed hardware and can create a new user code or change a current user code. This code then trumps the master or other user codes.

Sometimes, the problem is within the software. Often, the default code is hard-coded in the app, providing a means by which the device can still be managed, even if the administrator’s custom passcode is lost. It is poor practice for developers to embed passwords, especially unencrypted, into an app’s shipped code.

The difference between physical and cyber hacks

There are three main physical ways to assault a card-based electronic access control system – skimming, eavesdropping and relay attacks. Skimming occurs when the attacker uses an unauthorised reader to access information on the unsuspecting victim’s RFID card or tag without their explicit consent. As a result, the attacker is able to read stored information or modify information by writing to the credential. From that point on, the attacker can control when and where unauthorised entries may occur.

An eavesdropping attack occurs when an attacker recovers the data sent during a transaction between the legitimate reader and card, for example while the user is accessing their building. As a result, the attacker can recover and store the data of interest. From then on, the attacker can use this stored data at will.

Lastly, RFID systems are potentially vulnerable to an attack in which the attacker relays communication between the reader and a tag. A successful relay attack lets an attacker temporarily possess a ‘clone’ of a token, thereby allowing the attacker to gain the associated benefits. Some sophisticated RFID credentials perform mutual authentication and encrypt the subsequent communication. An attacker, however, never needs to know the plain-text data or the key material as long as he can continue relaying the respective messages. It is therefore irrelevant whether the reader authenticates the token cryptographically or encrypts the data, since the relay attack cannot be prevented by application layer security.

What’s scary about all this is that the equipment used to perpetrate the above attacks can be quite inexpensive and is widely available.

Cyber-attacks can be new to many chief security officers. Internet of Things (IoT) devices are common. Mass port scanning identifies port availability by sending connection requests to a target computer and recording which ports respond and how. Determining which ports are in use lets hackers identify which applications and services the device is running. The bad news is that almost all IoT devices get port-scanned at some point. Authentication could be compromised.

Caveat emptor

Here’s an even scarier, more subtle way of using cyber tactics to get your or your customers’ personal information. Do you use a mobile access control system, one where your smartphone acts like your ID badge? A special word of caution is needed when changing over to mobile systems.

Many legacy access control systems require the use of back-end portal accounts. For hackers, these portals can become rich, easy-to-access caches of personal end-user data containing potentially private information, such as names, addresses and emails. These older mobile systems will force the user to register themselves and their integrators for each application; door access – register, parking access – register.

Knowing this, users can employ a physical solution, credentials with features that allow them to register their handset only once and need no portal accounts, activation features or hidden fees, annual or otherwise. Instead of developing a software cyber solution, all that should be needed to activate your systems is the phone number of the smartphone. If you need to fill out several different forms or disclose private data to install your mobile system, demand this better solution.

In addition, 26-bit Wiegand is no longer inherently secure; the obscurity it originally relied on is gone. It also suffers from a lack of data bits. Consider a range of big-number options. Use custom Wiegand formats, ABA Track II magnetic stripe emulations or today’s serial options including Open Supervised Device Protocol (OSDP), RS-485 and TCP/IP. Make use of additional reader control lines. A simple example is the ‘card present’ line commonly available on today’s access control readers.
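To make the ‘lack of data bits’ concrete, the following added example (not from the article or from any vendor’s code) encodes and decodes the open 26-bit Wiegand layout and shows that the only protection in the frame is two parity bits. The function names and the sample facility code and card number are constructed for illustration.

```python
# Added illustration: the open 26-bit Wiegand layout, 1-indexed bits:
#   bit 1      even parity over bits 2-13
#   bits 2-9   facility code (8 bits)
#   bits 10-25 card number (16 bits)
#   bit 26     odd parity over bits 14-25
# Function names and sample values are constructed for this example.

ID_SPACE = 2 ** (8 + 16)  # every possible facility/card pair: 16,777,216


def encode_wiegand26(facility: int, card: int) -> str:
    """Return the 26-character bit string a reader emits for this credential."""
    if not (0 <= facility < 2 ** 8 and 0 <= card < 2 ** 16):
        raise ValueError("facility needs 8 bits or fewer, card 16 or fewer")
    data = f"{facility:08b}{card:016b}"
    even = data[:12].count("1") % 2        # leading half ends with an even count
    odd = 1 - data[12:].count("1") % 2     # trailing half ends with an odd count
    return f"{even}{data}{odd}"


def decode_wiegand26(bits: str) -> dict:
    """Split a frame into its fields and check the two parity bits."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 characters of 0/1")
    parity_ok = bits[:13].count("1") % 2 == 0 and bits[13:].count("1") % 2 == 1
    return {
        "facility": int(bits[1:9], 2),
        "card": int(bits[9:25], 2),
        "parity_ok": parity_ok,
    }


def flip_bit(bits: str, index: int) -> str:
    """Simulate line noise by inverting one bit (0-indexed)."""
    return bits[:index] + ("1" if bits[index] == "0" else "0") + bits[index + 1:]


if __name__ == "__main__":
    frame = encode_wiegand26(123, 45678)   # constructed sample credential
    print(frame, decode_wiegand26(frame))
    # Parity catches a single corrupted bit, which is a wiring check only:
    print(decode_wiegand26(flip_bit(frame, 5)))
    # The frame is static and carries no key, nonce or signature, so the
    # panel sees the same 26 bits on every presentation of the card.
    print(encode_wiegand26(123, 45678) == frame, f"{ID_SPACE:,} possible IDs")
```

Because the frame has no room for a cryptographic field, moving to longer custom formats or to a serial protocol such as OSDP is what adds authentication; parity alone only detects transmission errors.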

Options are now available that can be added to many readers. The first is MAXSecure, which provides a higher-security handshake, or code, between the proximity, smart or mobile card, tag and reader, as well as long-range transmitters and receivers to help ensure that readers will only accept information from specially coded credentials.

Valid ID is a relatively new anti-tamper feature available with contactless smartcard readers, cards and tags. Embedded, it can add an additional layer to boost authentication assurance of NXP’s MIFARE DESFire EV2 smartcard platform, operating independently in addition to the significant standard level of security that DESFire EV2 delivers. Valid ID lets a contactless smartcard reader effectively help verify that the sensitive access control data programmed to a card or tag is indeed genuine and not a cloned counterfeit.

Leading readers additionally employ sophisticated symmetric AES encryption when transferring data. Since the Certified Common Criteria EAL5+ Computer Interface Standard provides increased hardware cybersecurity, these readers may also resist skimming, eavesdropping and replay attacks.

Remedies easily available to you

If the new system leverages the Security Industry Association’s (SIA) OSDP protocol, it will also interface easily with control panels or other security management systems, fostering interoperability among security devices. OSDP may eliminate the need for custom system interfaces, a fertile hunting ground for hackers.

OSDP takes solutions beyond the limitations of Wiegand and lets security equipment such as card and biometric readers from one company interface easily with control panels and equipment from another manufacturer. This standardised two-way channel paves the way for forward-looking security applications such as the handling of advanced smartcard technology, PKI and mobile device access. Not only does it provide a concise set of commonly used commands and responses, it eliminates guesswork, since encryption and authentication are predefined.

OSDP also secures smartcards by constantly monitoring wiring to protect against attack threats. The specification for handling LEDs, text, buzzers and other feedback mechanisms provides a rich, user-centric access control environment.

Be sure you only install readers that are fully potted to limit access to the reader’s internal electronics from the unsecured side of the building. When installing, use tamper-proof screws. For physical card-based solutions, offer only smart cards that employ sophisticated cryptographic security techniques. Make the internal numbers unusable through encryption, and offset the printed numbers. To read them, the system needs access to a secret key or password that provides decryption. Modern encryption algorithms play a vital role in assuring data security.

It will be beneficial if your system uses HTTPS (Hypertext Transfer Protocol Secure), widely used on the Internet, to provide secure communication over the computer network. In HTTPS, the communication protocol is encrypted using Transport Layer Security, or TLS, a protocol that provides authentication, privacy and data integrity between two communicating computer applications.

Scott Lindley.

Cybersecurity need not be a mystery

Products that used to comprise only mechanical and electrical parts have now transformed into complex, interconnected systems combining hardware, software, microprocessors, sensors and data storage. These so-called ‘smart’ products are the result of a series of rapid improvements in device miniaturisation, processing power and wireless connectivity. All of these things are connected to the Internet. Once the access control system becomes linked with other smart systems in the world of IoT, the cloud and big data, immense, new security challenges will confront integrators.

Since networking appliances and other objects are relatively novel, product design has often not yet incorporated security.

As implied earlier, integrated products are often sold with outdated, open embedded operating systems and software. Furthermore, as with enterprise security system products themselves, too many integrators simply don’t change the default passwords on smart devices, segment their networks or restrict network access.

Scott Lindley, general manager, Farpointe Data, is a 25-year veteran of the contactless card access control industry. He can be contacted at
