Hacking the Wiegand Card Reader

Defcon exhibitor illustrates weaknesses in common access control card reader design


The Wiegand effect is a Wikipedia kind of thing: Here's the entry for Wiegand effect. In a Wiegand card, as Franken described it, special alloy wire is processed in such a way as to create two distinct magnetic regions in the same piece of wire when it is passed over a magnetic field. Wire is embedded in the card in a distinct order to create an individual code, and each Wiegand pulse is translated to a digital 0 or 1 depending on wire location.

Referring to an array of biometric and proximity card systems he demonstrated during his talk, Franken said that "Every reader we saw today, from the super secure biometric retina scanner to as 'crappy as it sounds' concealed barcode, uses the Wiegand electrical and data protocols to communicate to the access control system."

The problem with Wiegand is that the protocol a) is plain text. That means there's no authentication occurring between reader and ACS; b) is easily intercepted; c) is easily replayed and easy prey for man-in-the-middle attacks; d) includes outputs from biometric readers (meaning an attacker can steal whatever sensitive user data is stored on a card) and e) includes output even from strong crypto contactless smart card readers.

At this point, Wiegand is a standard. If you have a swipe reader, a card reader or some type of biometric device like a fingerprint scanner, you hook it to an ACS using the Wiegand protocol.

So, whose to blame, and how can this be fixed? Franken asked people taking photos of his setup (see ours in the accompanying slideshow) to refrain from identifying the reader manufacturer. Don't blame the reader manufacturer, he said--it's the protocol that's outdated.

But blaming ACS manufacturers is another thing. "All access control manufacturers implement the protocol," he said. "It's no secret it's not secured here. It's one of these things, these guys sell you secure systems, and if they take a long, hard look at themselves ..."

The first solution is tamper-proof readers, which would help "a lot," Franken said. But they're not particularly sophisticated things, he said, and if you know where they are, you can defeat them. They're easy to surpass if you know what you're looking for, Franken said. But still, they're better than nothing.

Having lots of cameras trained on access points is also better than nothing, but how long do enterprises keep all that video, and who looks at it? Besides, take a look at office buildings. Check the back alleys. You'll find there are many doors that lack cameras, Franken said.

The proper solution for the problem is for a proximity card to do a cryptographic handshake with the reader, he said.

And the proper thing for physical security technology customers to do: If you're buying any type of biometric or proximity card reader system in order to limit access to parts of your organization, grill the vendor on Wiegand. Ignore what they say about proprietary protocols in the cards--what you want to know about is the protocol linking the reader to the access control system. Tell them you know about Wiegand, and ask them what, if any, cryptographic resolution is happening between reader and ACS.

They've gotten away with implementing a Swiss cheese protocol up to now. We've got to make them stop before somebody gets hurt.

eWEEK Senior Security Editor Lisa Vaas has written about technology since 1997.