Lean Security: Secure Access by Cellular Phone

Every year I am asked, “What were some of the new technologies you saw at ISC West that are worth checking out?” In response, I like to highlight at least one new security technology that affordably solves problems that were previously unsolvable. This year I’m writing about the New Product Showcase winner for “Best in Access Control” — ECKey.

ECKey technology can turn a Bluetooth-enabled phone into a secure “key” that can work with existing access control systems or stand alone in a manner similar to a proximity card or smart card. The ECKey products that I examined at the show were:

• The EK4-Enterprise Relay — a standalone access control system that authenticates and authorizes up to 1,000 Bluetooth cell phones with time-of-day access;

• The EK6-Prox Reader — which reads Bluetooth cell phones and other devices and creates a standard 26-bit or 48-bit Wiegand message; and

• The EK8-Secure Token — which operates as a smart card reader of Bluetooth cell phones (not yet commercially released).

There is plenty of information available at www.ECKey.com, so I will focus on my initial reactions to the technology and what I learned in digging deeper.

Convenience and Security

Often there is a tradeoff between security and convenience. Both the convenience and security factors are high with ECKey’s technology. After your cell phone is registered and you are assigned access privileges, your phone works like a prox card or smart card. That’s convenient. Simply walk by the reader to be granted access, or be required to also enter a PIN for access if that is how the particular door is set up. Or drive up to an ECKey-enabled gate and be granted access without having to roll down a window. That’s great in inclement weather. It is also a personal safety issue if there are unknown persons near the gate — which makes PIN entry via phone (i.e. from inside a locked car) very significant.

I was initially skeptical about the technology’s security when I learned that it was Bluetooth-based. I recalled stories about celebrities losing phone books via Bluetooth. I also wondered if the transmission that unlocks the door could be recorded by someone and then played back later to gain unauthorized access (the answer is “no”).

Demonstrations with several different brands of cell phones showed that the technology worked well. The next day, I dragged two CSO friends over to the booth, to have one of them tell me how valuable the technology would have been to him during his tenure as vice president and CSO of a global manufacturing company.

Solving a Remote Access Problem

The problem he had faced was providing access to contract service personnel during off-hours at remote sites. He had to dispatch a security officer or facilities maintenance person to drive to the site to let service technicians in, and to lock up after the work was done. The remote locations had no connection to the corporate network or access control system — there was no way to enable temporary access on a moment’s notice using codes or cards. So no matter what, each service and routine maintenance call required a trip out by company personnel. The total cost was significant, and the process was often inconvenient.

Today, each service technician’s phone could be registered to ECKey readers at the remote sites, but with no access privileges initially assigned. Enabling instant but temporary access would involve sending a text message to the technician’s cell phone to enable it with the desired access privilege. The secret information transmitted is encrypted using information known only to the ECKey reader and with the MAC address of the specific cell phone it is intended for, so the approach is very secure. Dr. Nick Willis, founder and CEO of ECKey, and I went into great detail about how this works securely using strong encryption. A white paper on the technology’s security is available to download from the FAQ page on the company’s Website.
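One way a reader with no network connection could verify a temporary, phone-specific grant, shown as an added illustration that is not ECKey's protocol or code from this column. It authenticates the grant with HMAC-SHA256 instead of encrypting it, and the key, field layout, result strings and function names are all assumptions.

```python
import hashlib
import hmac
import struct

ADDR_LEN, TAG_LEN = 6, 32
PAYLOAD_LEN = ADDR_LEN + 16  # device address + two 64-bit timestamps


def _addr_bytes(addr: str) -> bytes:
    raw = bytes.fromhex(addr.replace(":", ""))
    if len(raw) != ADDR_LEN:
        raise ValueError("expected a 48-bit device address")
    return raw


def issue_grant(reader_key: bytes, phone_addr: str,
                not_before: int, not_after: int) -> bytes:
    """Issuer side: bind one phone address to a validity window."""
    payload = _addr_bytes(phone_addr) + struct.pack(">QQ", not_before, not_after)
    return payload + hmac.new(reader_key, payload, hashlib.sha256).digest()


def check_grant(reader_key: bytes, grant: bytes,
                presenting_addr: str, now: int) -> str:
    """Reader side: runs offline, needs only its own key and clock."""
    if len(grant) != PAYLOAD_LEN + TAG_LEN:
        return "malformed"
    payload, tag = grant[:PAYLOAD_LEN], grant[PAYLOAD_LEN:]
    expected = hmac.new(reader_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return "bad-tag"
    not_before, not_after = struct.unpack(">QQ", payload[ADDR_LEN:])
    if payload[:ADDR_LEN] != _addr_bytes(presenting_addr):
        return "wrong-device"   # grant was issued to a different phone
    if not not_before <= now <= not_after:
        return "outside-window"  # a grant replayed after expiry stops here
    return "ok"


if __name__ == "__main__":
    key = b"constructed-demo-reader-key-0001"  # constructed sample value
    phone = "00:11:22:33:44:55"                # constructed sample address
    grant = issue_grant(key, phone, 1000, 2000)
    for addr, now in [(phone, 1500), (phone, 2500), ("00:11:22:33:44:56", 1500)]:
        print(addr, now, check_grant(key, grant, addr, now))
```

In this sketch the device address is only an identifier; the protection comes from the reader-held key and the reader's clock, so both need to be provisioned and kept accurate at the remote site.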

Broad Application

The technology is a good fit for many applications, including residential communities, membership organizations including fitness clubs and homeowners’ associations (for clubhouse and pool access), and on-campus and near-campus businesses offering self-service options to students (whose phones are their lifelines). I’d be very surprised to find an integrator or consultant who can’t think of a customer for whom this technology would provide good benefits.

New Question:

What new technologies have you seen that address problems you couldn’t solve before?

If you have experience that relates to this question, or have other convergence experience you want to share, e-mail your answer to me at ConvergenceQA@go-rbcs.com or call me at 949-831-6788. If you have a question you would like answered, I’d like to see it. We don’t need to reveal your name or company name in the column. I look forward to hearing from you!

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services. Mr. Bernard has provided strategic and technical advice in the security and building automation industries for more than 18 years. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS, go to www.go-rbcs.com or call 949-831-6788.