Why are we spending thousands of dollars per card reader door while allowing simple, well-publicized, and inexpensive hacks to compromise our security?
The roots of this intransigence are many.
- Lack of appreciating the problems
- The challenge of understanding the solutions
- Fear of high cost
- Fear of disruption of the user community
- Inability to convince management that there is a security problem
Root Cause: Lack of appreciating the problems
The Internet is replete with information on how to “hack” Wiegand communication and many types of access cards. One Security By Design, Inc. client had a 10-year-old clone their residence entry PROX card using instructions from the Internet. KEY ME kiosks, now in stores near you, will duplicate any 125KHz PROX card for a very reasonable price.
From the access control panel out to the end user, there are two basic problems. First, almost every card reader is connected to an access control panel by a 40-year old Wiegand communication protocol that is not secure. The second problem is the card-to-card reader RF communication architecture. Both issues need to be addressed.
Given the need to utilize every dollar wisely, why invest in an access control system at the cost of thousands of dollars per door while leaving these two security vulnerabilities? The security marketplace today offers price-equivalent solutions to both the “Wiegand Problem” using OSDP and the “Card-to-Reader Problem” with secure card technologies. Yet, one major manufacturer estimated that 51 percent of all cards sold had no security and another 20 percent had older security that has now been compromised. How do you answer to management and shareholders, if you are responsible for systems with these extreme vulnerabilities?
Root Cause: The Challenge of Understanding the Solutions
Wiegand communication is one of the access control system’s weakest links, with many web hits on most search engines showing how to hack access control systems. Wiegand has been around for years as a ubiquitous interoperable card reader-to-panel communication format. OSDP (Open Supervised Device Protocol) is only now being embraced by the industry. The Security Industry Association (SIA) has become the primary body that supports OSDP. It has been used for years, but the latest version, 2.1.7, now supports 128-bit AES encryption. With this bi-directional protocol, it is now reasonable to encrypt each point where there is data-in-motion within an access control system. This was the last piece of the puzzle. Many systems embrace the use of OSDP now and it is expected to become the new industry standard.
The number of data wires that are required for Wiegand is the same as those for OSDP. But with Wiegand, if you want to also control the LEDs and the sounder, or use a reader tamper, then additional wires and controller hardware are required. With OSDP, all the control and signaling is accomplished over the bi-directional pair of data wires. The electrical form factor is based on IEEE RS485 half duplex, which is more immune to electrical noise than Wiegand.
Many card readers today support OSDP with encryption. This is a huge step forward for the security architecture. It solves the “Wiegand Problem.”
The next goal for OSDP is the ability to fully support firmware upgrades over OSDP but this is currently not widely available in the marketplace. Some readers that can be purchased today will be able to have their firmware upgraded using a manual process at the reader enabling them to support remote firmware upgrades for subsequent upgrades.
The Card-to-Reader technology primarily utilizes symmetric keys which means that the same key is used in all the cards and all the readers. Every attempt to secure symmetric key technology has been put under pressure from the hacker community. NXP’s EV2 and HID’s SEOS are two easily available symmetric key platforms that presently do not have published compromises. These two made up about eight percent of last year’s card market.
The theoretical vulnerability for any symmetric key system is that a compromise of the key in one card or reader compromises every reader and card that has that symmetric key.
WaveLynx has implemented a structured system around EV2 that is called LEAF, which offers an approach to interoperability to many card readers. INID offers a wide range of readers that support both symmetric and asymmetric keys and supports boot-loader firmware upgrades over OSDP.
A step above the relative good security of the best symmetric key solutions is the asymmetric Public Key Infrastructure (PKI) environment. This is most commonly seen as TWIC, CAC, PIV, PIV-I, and CIV. The Transportation Worker Identification Credential, or TWIC card, is used by the ports. The Common Access Card (CAC) is used by the U.S. military. PIV stands for Personal Identity Verification and is mandated for U.S. government cards. PIV-I are cards used for U.S. Government contractors. PKI cards made up approximately eight percent of last year’s card volume.
Commercial Identity Verification (CIV) can be used by any organization. CIV is not mandated. But, if there is a reason that an organization would like to utilize the most secure approach to access credentials, then the CIV approach is the best choice riding on the experience and technologies that have been created for the U.S. government. If one PKI card were to be compromised, then it would be the single element that would have that problem and would have no effect of the rest of the card or reader population.
Only recently could an organization order a system that meets this level of security at a price that makes it a reasonable commercial choice. The technology is not ubiquitous, but certainly, it is now available. Any of these three PKI technologies will take some special expertise during the definition and set-up.
Root Cause: Fear of high cost
With EV2 and SEOS, as the two leading symmetric key cards that comprise approximately seven percent of the card market, and PKI cards making up an additional eight percent that means that only 15 percent of cards sold are presently secure with technologies that have not been compromised. Is the perception that these technologies cost a large premium?
Both HID and NXP have incentives to keep their prices down. They would like to get out from under the liability of compromised technologies. Presently they are functioning under the “caveat emptor” approach, selling what the market is buying. But at some point, in some court or boardroom, the “knew or should have known” phrase will likely lead to material costs. Secondly, they are both looking for market share. Once a site makes a choice, the large volume of follow-on business will be a built-in revenue stream.
HID is a reader manufacturer as well as a card manufacturer. NXP is a card manufacturer, among other things, but is not in the reader manufacturing business. INID and WaveLynx are two more high-end reader manufacturers. With many manufacturers in the market, card reader costs remain commodity priced. Great card readers are available from many sources today, and the premium for a reader that can use either SEOS or EV2 is certainly a very small element of the installed access-controlled door cost. In a 200-door new installation, the delta for the best symmetric cards and readers versus using any of the compromised technologies would work out to less than three percent of the total system cost.
Root Cause: Fear of disruption of the user community
There are a lot of Greenfield systems installed each year where the technology choices are open. But there are also many organizations with large legacy infrastructures.
The card manufacturers offer the potential for multiple technologies on the same card. An organization can re-badge the entire population with these multiple technology cards and then proceed to change out card readers at a reasonable pace without disruption to the cardholders. Once all the readers are changed, none of the old technology that is on the cards will accomplish anything and the system will be upgraded to a more secure state.
An additional benefit of the multiple-technology card approach can accrue if the organization has multi-tenant field sites. These can be problematic when the people in these smaller sites are asked to carry two cards, one that ties to the building system and one for the actual office space. Having an older technology on the card may be a benefit. The old technology may be able to be used for the building. This would allow the employees to only carry their regular card.
The reader manufacturers offer the potential for reading multiple-card technologies at the same time. An organization can change out all the card readers and then take a reasonable time to re-badge the population. Once everyone has a new badge, then the old technology can be turned off in the access control system and the entire access system will be upgraded.
A caution here is that it gets more complicated if both multi-technology cards and multi-technology readers are applied at the same time. This is generally not recommended.
Root Cause: Inability to convince management that there is a security problem
Some of these concepts may help to support the presentation to the C-Suite.
- All technology becomes obsolete. Make planned obsolescence a cornerstone of the security program. The world is changing very rapidly and utilizing 40-year old insecure technology is not the basis of a viable security posture.
- A three percent premium should not be the basis for intransigence when purchasing access control for the next project. By utilizing either dual card technology or dual reader technology, it is possible to initiate the transition.
- It is highly likely that you will be unaware of a compromise. There is no way to know that a card was cloned unless, by happenstance, someone notices an anomaly where both cards are used at generally the same time in disparate areas, or if someone notices an unknown person in an area and confronts that person, discovering the cloned card. A Wiegand hack will allow a person to enter the property and the access control record will look like a valid employee transaction.
- Given last year’s card sales statistics, 70 percent have web-published security flaws, seven percent are uncompromised symmetric cards, nine percent are mobile credentials, eight percent are asymmetric high security, while six percent are unknown. The industry continues to sell compromised solutions. Buyer beware.
- How to hack an access control system is well documented. You don’t need to go to the dark web to find many ways to compromise these systems. Almost every compromise that you can find will be either the Wiegand communication or a card-to-reader security issue.
- Using known compromised technologies contributes to liability. Card-to-reader and/or reader-to-panel communication will be a key claim of liability if there is a compromise that is related to a shooter on site that gained access through any of these methods, or a trade secret case is lost because the access control technology can no longer be shown to provide the area control that forms the basis for the protected information claim.
About the author: As Chairman of Security By Design, Inc., Edmonds Chandler has been actively consulting in the security industry since 1974. He has planned and implemented two types of security standards. Architectural security standards help multi-site clients optimize their design and construction processes. Security system standards help these same multi-site clients procure, install, and effectively service worldwide security infrastructures.
His forté is applying logical security solutions to business applications. He has been a speaker at seminars for various industries and has served as an expert witness for both owners and legal advisors regarding litigation of projects. Well known as a futurist for the security industry, he has advised many of the manufacturers of large security infrastructure systems and constantly pushes the industry to grow and innovate.