Convergence Q&A: The Facility Code Vulnerability

Be sure to close this potential loophole in your access control


Many long-time physical security practitioners understand the two purposes of “Facility Codes” in a card access control system; however, the user manuals and help files of systems that support this feature rarely highlight the risks that can be involved in enabling this feature.

 

Q: I just discovered that card access to our data center is being granted to anyone holding a company access card, even though only four people have been assigned access to it. In troubleshooting I discovered that the reader is “offline.” Why is anyone being granted access at all if the card reader is not even communicating with its controller?

 

A: The card reader has “Facility Code mode” enabled, which is a feature whereby the reader will grant access to any card containing a Facility Code that’s listed in the reader.

 

“Facility Code mode” is an optional card reader mode that engages when a reader goes offline. One purpose of this mode is to prevent having to prop doors open and revert to manual inspection of access cards to screen entering personnel if a card reader loses its connection to a controller. Facility Codes are programmed into readers at the factory or by the customer’s access control system. They allow an offline reader to read and validate the Facility Code portion of a card’s encoded data to identify a valid card and grant access, even though the reader cannot validate all of the card’s data. For example, during peak access hours, an offline reader at an entrance can grant access to any valid company card, even though it cannot validate individual cards against assigned access privileges.

The question above turned out to be a case where Facility Code mode was enabled for the facility’s data center, to ensure that emergency access to the room could be obtained even if the card reader went offline. However, at some point in time, the IT department stopped monitoring access on a real-time basis, and began reviewing access history quarterly. Thus the “offline-reader” alarm message was not seen for more than two months, during which time access to the room was available to any cardholder!

 

What is a Facility Code?

A Facility Code is a number encoded on access cards that is intended to represent a specific protected facility or building. Not all card formats support a Facility Code, but the most common card data format in use today does support it — the industry’s original open (i.e. non-proprietary) 26-bit format. The 26-bit format has two data fields: a Facility Code (8 bits) and a Card Number (16 bits), plus two parity bits; thus, the Facility Code can be any number between 0 and 255, and the Card Number can be any number between 0 and 65,535.
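The following is an added example (not code from the article or any access control vendor) that parses a 26-bit card read into its Facility Code and Card Number and then models the two access decisions described in this Q&A: the controller's full check when the reader is online, and the Facility-Code-only check an offline reader makes in Facility Code mode. The parity rules (bit 1 even parity over bits 2–13, bit 26 odd parity over bits 14–25) are an assumption taken from the common open 26-bit layout; the article itself only states that two parity bits exist. All card values and the reader's authorized list are constructed for the example.

```python
"""Added example: decode a 26-bit card read and compare the online vs.
offline (Facility Code mode) access decision.

Assumed bit layout (common open 26-bit format; positions are 1-based):
  bit 1        even parity over bits 2..13
  bits 2..9    Facility Code (8 bits, 0..255)
  bits 10..25  Card Number   (16 bits, 0..65,535)
  bit 26       odd parity over bits 14..25
A read is represented as a 26-character string of '0'/'1', bit 1 first.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CardData:
    facility_code: int
    card_number: int


def encode_26bit(facility_code: int, card_number: int) -> str:
    """Build a 26-bit read with correct parity (used to construct sample cards)."""
    if not 0 <= facility_code <= 255:
        raise ValueError("Facility Code must fit in 8 bits")
    if not 0 <= card_number <= 65535:
        raise ValueError("Card Number must fit in 16 bits")
    payload = f"{facility_code:08b}{card_number:016b}"      # bits 2..25
    even_bit = str(payload[:12].count("1") % 2)            # makes bits 1..13 even
    odd_bit = str((payload[12:].count("1") + 1) % 2)       # makes bits 14..26 odd
    return even_bit + payload + odd_bit


def decode_26bit(bits: str) -> CardData:
    """Check length and both parity bits, then split out the two data fields."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("even parity check failed over bits 1..13")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("odd parity check failed over bits 14..26")
    return CardData(facility_code=int(bits[1:9], 2), card_number=int(bits[9:25], 2))


def reader_decision(bits, reader_facility_codes, authorized_cards, online):
    """Return (granted, reason).

    online=True : the controller validates the full card against the door's
                  assignment list, exactly as the article describes.
    online=False: Facility Code mode; only the 8-bit Facility Code is
                  compared, so ANY card from the same facility is accepted.
    """
    try:
        card = decode_26bit(bits)
    except ValueError as exc:
        return False, f"unreadable card: {exc}"
    if online:
        if card in authorized_cards:
            return True, "access granted by controller"
        return False, "access denied: card not assigned to this door"
    if card.facility_code in reader_facility_codes:
        return True, "access granted by OFFLINE reader (Facility Code match only)"
    return False, "access denied: wrong Facility Code"


if __name__ == "__main__":
    # Constructed data: a data-center door with four assigned cards, Facility Code 42.
    door_cards = {CardData(42, n) for n in (1001, 1002, 1003, 1004)}
    stranger = encode_26bit(42, 9999)      # same company, not assigned to the room
    for online in (True, False):
        print("online" if online else "OFFLINE", reader_decision(stranger, {42}, door_cards, online))
```

Running the block prints a denial for the unassigned card while the reader is online and a grant for the same card once the reader is offline, which is exactly the situation the questioner observed.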

With only 65,535 card numbers available across the cards of all customers using the 26-bit card data format, duplicate card numbers are inevitable; therefore, the first purpose of the Facility Code was to enable customers in close proximity to each other to differentiate their set of cards from another customer’s cards. Ideally, each manufacturer would try to manage the facility numbers it issued to various customers in a specific area to minimize the occurrence of duplicates. A card with a Facility Code not matching those used by that specific customer would be denied access, typically generating “Access Denied – Wrong Facility Code” messages.

 

Closing the Vulnerability

One reason that many organizations have switched to smart cards, or to cards with a much larger card data format, is to reduce or eliminate the likelihood of outsiders holding duplicate cards. Enabling Facility Code mode on any reader introduces a security vulnerability, so reader online status must be monitored in real time, with offline-status notifications routed to appropriate personnel. If Facility Code mode is enabled on a reader for a door where logged card access control is mandated by regulatory requirements, the reader must be able to buffer offline transactions so that access granted while it is offline can still be logged.
