No hackers!

Access & Identity Management Handbook 2021 Editor's Choice

Protecting your customers’ organisations from hackers is imperative. Threats have grown from teenage mischief-makers to sophisticated government-backed entities and, now, even advertising and analytics companies. With knowledge of what these hackers seek and the straightforward, undemanding remedies that are becoming available to thwart them, there is little reason not to incorporate basic cybersecurity into your access control solutions.

Interestingly, not reviewing vulnerabilities becomes a major blunder when installing an access control system. Ask your vendor for their cybersecurity vulnerability checklist. It should cover a range of topics that can help protect security-related systems, networks and programs from digital attacks. Sections should include handling default codes, Wiegand issues, reader implementation tips, card protection solutions, leveraging long-range readers, assuring anti-hacking compatibility throughout the system and adding security components.

Some security professionals don’t secure their own security equipment. Unsecured, they provide irresistible backdoors for hackers. For instance, if the installer does not change the default alarm code, the user might as well be giving its user code to everyone. It takes less than 30 seconds to view the master, all other user codes or even create a new one. Unfortunately, these codes can often be found online and once inside the system, the hacker can access the rest of the computer system.

And, too many installers simply disarm the default installer code. This may let the user codes be viewed, including the master code. If an unauthorised person accesses an unarmed panel and uses the installer code, they gain access to all installed hardware and can create a new user code or change a current user code. This code then trumps the master of other user codes.

Sometimes, the problem is within the software. Often, the default code is hard-coded in the app, providing a means by which the device can still be managed, even if the administrator’s custom passcode is lost. It is poor practice for developers to embed passwords, especially unencrypted, into an app’s shipped code.

The difference between physical and cyber hacks

There are three main physical ways to assault a card-based electronic access control system – skimming, eavesdropping and relay attacks. Skimming occurs when the attacker uses an unauthorised reader to access information on the unsuspecting victim’s RFID card or tag without their explicit consent. As a result, the attacker is able to read stored information or modify information by writing to the credential. From that point on, the attacker can control when and where unauthorised entries may occur.

An eavesdropping attack occurs when an attacker recovers the data sent during a transaction between the legitimate reader and card. For example, the user is accessing their building. As a result, the attacker can recover and store the data of interest. From then on, the attacker can use this stored data at will.

Lastly, RFID systems are potentially vulnerable to an attack in which the attacker relays communication between the reader and a tag. A successful relay attack lets an attacker temporarily possess a ‘clone’ of a token, thereby allowing the attacker to gain the associated benefits. Some sophisticated RFID credentials perform mutual authentication and encrypt the subsequent communication. An attacker, however, never needs to know the plain-text data or the key material as long as he can continue relaying the respective messages. It is therefore irrelevant whether the reader authenticates the token cryptographically or encrypts the data, since the relay attack cannot be prevented by application layer security.

What’s scary about all this is that the equipment used to perpetrate the above attacks can be quite inexpensive and is widely available.

Cyber-attacks can be new to many chief security officers. Internet of Things (IoT) devices are common. Mass port scanning identifies port availability by sending connection requests to a target computer and recording which ports respond and how. Determining which ports are in use lets hackers choose which applications and services the device is running. The bad news is that almost all IoT devices get port-scanned at some point. Authentication could be compromised.

Caveat emptor

Here’s an even scarier, more subtle way of using cyber tactics to get you or your customers’ personal information. Do you use a mobile access control system, one where your smartphone acts like your ID badge? There has to be a special word of caution emphasised when changing over to mobile systems.

Many legacy access control systems require the use of back-end portal accounts. For hackers, these portals can become rich, easy-to-access caches of personal end-user data containing potentially private information, such as names, addresses and emails. These older mobile systems will force the user to register themselves and their integrators for each application; door access – register, parking access – register.

Knowing this, users can employ a physical solution, credentials with features that allow them to register their handset only once and need no portal accounts, activation features or hidden fees, annual or otherwise. Instead of developing a software cyber solution, all that should be needed to activate your systems is the phone number of the smartphone. If you need to fill out several different forms or disclose private data to install your mobile system, demand this better solution.

In addition, 26-bit Wiegand is no longer inherently secure due to its original obscure nature. It also suffers from a lack of data bits. Consider a range of big-number options. Use custom Wiegand formats, ABA Track II magnetic stripe emulations or today’s serial options including Open Supervised Device Protocol (OSDP), RS-485 and TCP/IP. Make use of additional reader control lines. A simple example is the ‘card present’ line commonly available on today’s access control readers.

Options are now available that can be added to many readers. The first is MAXSecure, which provides a higher-security handshake, or code, between the proximity, smart or mobile card, tag and reader, as well as long-range transmitters and receivers to help ensure that readers will only accept information from specially coded credentials.

Valid ID is a relatively new anti-tamper feature available with contactless smartcard readers, cards and tags. Embedded, it can add an additional layer to boost authentication assurance of NXP’s MIFARE DESFire EV2 smartcard platform, operating independently in addition to the significant standard level of security that DESFire EV2 delivers. Valid ID lets a contactless smartcard reader effectively help verify that the sensitive access control data programmed to a card or tag is indeed genuine and not a cloned counterfeit.

Leading readers additionally employ sophisticated symmetric AES encryption when transferring data. Since the Certified Common Criteria EAS5+ Computer Interface Standard provides increased hardware cybersecurity, these readers may also resist skimming, eavesdropping and replay attacks.

Remedies easily available to you

If the new system leverages the Security Industry Association’s (SIA) OSDP protocol, it will also interface easily with control panels or other security management systems, fostering interoperability among security devices. OSDP may eliminate the need for custom system interfaces, a fertile hunting ground for hackers.

OSDP takes solutions beyond the limitations of Wiegand and lets security equipment such as card and biometric readers from one company interface easily with control panels and equipment from another manufacturer. This standardised two-way channel paves the way for forward-looking security applications such as the handling of advanced smartcard technology, PKI and mobile device access. Not only does it provide a concise set of commonly used commands and responses, it eliminates guesswork, since encryption and authentication is predefined.

OSPD also secures smartcards by constantly monitoring wiring to protect against attack threats. The specification for handling LEDs, text, buzzers and other feedback mechanisms provides a rich, user-centric access control environment.

Be sure you only install readers that are fully potted to limit access to the reader’s internal electronics from the unsecured side of the building. When installing, use tamper proof screws. For physical card-based solutions, offer only smart cards that employ sophisticated cryptographic security techniques. Make the internal numbers unusable through encryption, and offset the printed numbers. To read them, the system needs access to a secret key or password that provides decryption. Modern encryption algorithms play a vital role in assuring data security.

It will be beneficial if your system uses HTTPS (Hypertext Transfer Protocol Secure), widely used on the Internet, to provide secure communication over the computer network. In HTTPS, the communication protocol is encrypted using Transport Layer Security, or TLS, a protocol that provides authentication, privacy and data integrity between two communicating computer applications.

Scott Lindley.

Cybersecurity need not be a mystery

Products that used to comprise only mechanical and electrical parts have now transformed into complex, interconnected systems combining hardware, software, microprocessors, sensors and data storage. These so-called ‘smart’ products are the result of a series of rapid improvements in device miniaturisation, processing power and wireless connectivity. All of these things are connected to the Internet. Once the access control system becomes linked with other smart systems in the world of IoT, the cloud and big data, immense, new security challenges will confront integrators.

Since networking appliances and other objects are relatively novel, product design has often not yet incorporated security.

As inferred earlier, integrated products are often sold with outdated, open embedded operating systems and software. Furthermore, as with enterprise security system products themselves, too many integrators simply don’t change the default passwords on smart devices, segment their networks or have network access restricted.

Scott Lindley, general manager, Farpointe Data, is a 25-year veteran of the contactless card access control industry. He can be contacted at

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Access & identity expectations for 2024
Technews Publishing IDEMIA ZKTeco Gallagher Salto Systems Africa Regal Distributors SA Reditron Editor's Choice Access Control & Identity Management Information Security AI & Data Analytics
What does 2024 have in store for the access and identity industry? SMART Security Solutions asked several industry players for their brief thoughts on what they expect this year.

AI-driven identity verification for access control
C3 Shared Services Editor's Choice
Facial authentication solutions combine advanced AI and 3D sensing technologies with ease of use to create a frictionless, touchless experience. The deployment of this technology in an access control system keeps users and administration moving.

Access and identity in 2024
Technews Publishing Gallagher HID Global IDEMIA Ideco Biometrics Enkulu Technologies neaMetrics Editor's Choice Access Control & Identity Management Integrated Solutions
SMART Security Solutions hosted a round table discussion with various players in the access and identity market, to find out what they experienced in the last year, as well as their expectations for 2024.

The promise of mobile credentials
Technews Publishing Suprema neaMetrics HID Global Editor's Choice Access Control & Identity Management IoT & Automation
SMART Security Solutions examines the advantages and disadvantages of mobile credentials in a market dominated by cards and fobs, in which biometrics is viewed as a secure alternative.

PQC, AI & sustainability: five cybersecurity trends for 2024
Editor's Choice
In this article, Nils Gerhardt looks at some of the most important developments that Utimaco experts see coming in 2024, both in technology and the wider world it intersects with.

Protecting your business in the digital economy
Editor's Choice
Conducting business in the digital age has never been more challenging. In the Zero Trust cyber security model, nothing is more important than proactively safeguarding enterprise data.

The human factor side of video management systems
Leaderware Editor's Choice Surveillance Risk Management & Resilience
A video management system (VMS) is central to, and the most vital element to any control room operation using CCTV as part of its service delivery, however, all too often, it is seen as a technical solution rather than an operational solution.

Get the basics right to win more business
ServCraft Editor's Choice Risk Management & Resilience
The barriers to entry in security are not high. More people are adding CCTV and fencing to their repertoire every year. Cowboys will not last long in a space where customers trust you with their safety.

All aspects of data protection
Technews Publishing Editor's Choice Information Security Infrastructure AI & Data Analytics
SMART Security Solutions spoke to Kate Mollett, Senior Director, Commvault Africa, about the company and its evolution from a backup specialist to a full data protection specialist, as well as the latest announcements from the company.

Global strength, local craft
Impro Technologies Editor's Choice
Impro Technologies is a resounding success story. Started in South Africa, the company remains true to its roots and still designs and manufactures its access control systems and solutions in the country.