Dare our industry mention it? There was another hack of an access control technology in the last couple months. Apparently a graduate student right here from the U.S. of A., along with a pair of other computer researchers, managed to break the security for MIFARE Classic. I mentioned this on my blog over a week ago, and apparently the national media has since recognized this as well, with the Associated Press releasing a story two days agon on this same topic.
So here's what we know. There are numerous types of MIFARE technologies. Some are more secure than others. Some have basic security; some have practically no security; some have high security. In fact, NXP (the creator of MIFARE) released MIFARE Plus this week, which Henri Ardevol, general manager of automatic fare collection for NXP Semiconductors, said "offers unprecedented levels of security, privacy, compatibility and performance for entry-level smart cards, and is ideal for ticketing systems." The MIFARE Plus technology also is backwards compatible to MIFARE Classic (the type of MIFARE that was hacked) and can be used for facility access control.
There is one thing to note about this story, and I mention it in case you had not seen my blog post and might have read one of the national stories on this issue. MIFARE Classic was not used for credit cards and debit cards as was mistakenly reported in early versions of some newspaper stories. We noted that fact on our blog, but for persons without a background in security, it can be very easy to confuse the different MIFARE options available. In fact, the Smart Card Alliance responded to the Associated Press story which made that mistake (we had long-before pointed it out on the blog, and we have since added the SCA's very cogent response). The technology was, however used for tolls, transit fees and door access, with door access probably being of the greatest security concern. Even then, however, MIFARE Classic isn't the only technology used for badges and cards used with electronic door access control systems, so the concern might have been a bit overblown.
In the end, you have to get back to the unfortunate truth of security: If a man can secure it, another man can break that security. Levels of encryption that were once thought to be secure are now cracked with free programs available on the Web. Security never was meant to be static, and that's why R&D staffers work every day to keep one step ahead of the bad guys.
[On a different note: Obviously these hackers have the right to go public, and I think they do so to make a name for themselves. But wouldn't the more honorable (and profitable) response be to go directly to these companies privately with the hack?]
Research on converging risk
New data shows challenges and successes firms finding in converging security
Research on security convergence was released this week by Honeywell. The company's research division was in touch with CIOs, CSOs, and CISOs at U.S.-based global firms that had revenues from $1 billion to $100 billion. Some of what they found on convergence trends at these firms was surprising, and some seemed right on target. Our article covers the data, and Episode 24 of our podcast program brings aboard Honeywell's Peter Fehl and Novell's Ivan Hurtt (the two companies offer a converged access solution) to talk about trends in business security and risk convergence.
Covering the world of IP-based and integrated security systems
We've been busy behind the scenes recently building out a website that could serve as a repository for some of the best information about IP-connected and networked security solutions. The result is IPSecurityWatch.com. From network video to IP access control and integrated systems that communicate over standard network protocols, you'll find the information here. We recognize that there is a wealth of knowledge in our industry, and if you'd like to contribute to this site to build a comprehensive location for information on networked and converged physical security solutions, email me with your ideas.