Migrating Access Control to a Secure Future

June 17, 2019
Many EAC manufacturers have updated their devices and adopted the OSDP protocol

Being “Vendor Agnostic” seems to be an emerging obsession in the physical security industry.   The Dictionary defines “Vendor Agnostic” as “Not tied to the products of a specific manufacturer” but what does that actually mean?  Putting it in the context of technology, it means one’s ability to progress in not hampered as a result of being bound to a single manufacturer’s proprietary technology. There was a time when the two terms, “open architecture” and “security system” was an oxymoron, and proprietary software and hardware solutions yielded a perception of higher security.  However, today’s security solution’s manufacturers are leveraging common platforms, proven standards, data models and highly available technology to enhance security and operations simultaneously.

They are following the path of their counterparts in the Information Technology (IT) industry who have leveraged common protocols and standards to effectively innovate, collaborate and deliver secure, yet progressive solutions to the market.  As a result, the IT industry has enjoyed tremendous growth while achieving interoperability between devices within the security ecosystem.  Historically, proprietary technology has plagued the physical security market crippling one’s ability to effectively execute progressive strategies and quickly leverage new technology.  Today’s security practitioner is becoming keen to the pitfalls of proprietary technology and in many cases refuses to put their organization in a position to be at the mercy of any one technology provider ever again.   Hence without a good option forward, they do nothing at all and the progression of physical security technology stands still.  

One trend that is gaining momentum globally and seems to be at the forefront of every enterprise security practitioner’s mind is the painstaking reality that the low frequency, unsophisticated access control credentials and readers, predominantly deployed today, are not secure. It has been a well-known fact for several years that the existing 125KHz proximity technology has been compromised, shocking as it is, one cannot ignore it any longer because these credentials can easily be cloned using commercially available products.  To put this in perspective, several manufacturers from Asia and other foreign markets have designed hand-held tools to clone these credentials offering them for sale on major retail shopping websites such as Amazon, AliBaba.com and Ebay for as little as $9.99.  While in many cities in the United States, one can clone a proximity card at a KeyMe kiosk found in retail malls and stores such as Seven Eleven, Rite Aid and Bed Bath and Beyond.  ( https://www.key.me/kiosks/new-york/new-york/upper-west-side/cut-make-keys-upper-west-side-ny)

How is this possible?  Low frequency proximity technology has been on the market for more than 25 years, used in commercial and residential markets alike.  The transmission of data from the credential to the reader is not encrypted, but the convenience it affords the user has made it the industry standard.   It is so widely consumed, it has become a rich target for hackers and manufacturers to profit from counter-technology devices which have been designed to capture, decipher and clone the data. 

What are the Risks

The risk is tremendous and the corrective action costly and disruptive because legacy products do not offer a natural migration path to a more secure solution.  To address this risk, security professionals must plan to transition the enterprise to a more secure credential solution.  This will result in a wave of rip and replace activity, however this time security practitioners are taking the time to better understand their options and their “exit strategy”. 

The most cost-effective, practical and highly secure access credential solutions for the commercial market, employ symmetric encryption keys.  This is a highly secure method but can be proprietary in nature if end users do not avoid two common pitfalls. 

Symmetric keys have become the access control standard due to the cost and through-put issues inherent in other highly secure technologies such as biometrics and Public Key Infrastructure (PKI).   Symmetric key sets are designed so that the authentication is performed in milliseconds between the credential and the reader on premise. 

Explaining at a high level, this is how it works: The key in the credential (usually an access card, but also can be a mobile device) is authenticated with the key in the reader device (usually mounted outside a secured door) and they must be pre-encoded such that the validation of the authenticity from credential to reader happens in real time taking approximately 20 milliseconds – for all intents and purposes, they each hold one half of the total key set, so they are a “matched key set”.    

Pitfall #1: End users must own the encryption key set(s) in order to be “vendor agnostic”.

When evaluating an encrypted credential technology, own the keys!  Many manufacturers offer this option, but usually only when requested by the end user.

The other piece of information that is necessary to ensure interoperability between credential and reader devices, is the data structure on the card.  This is often an unfamiliar concept to the end users, therefore goes undiscussed.   There are very few standards available, and many manufacturers have developed their own unique data structure which they may not be willing to share.   When the data structure is kept proprietary, the solution becomes proprietary by default.  Data structure in a card is analogous to a filing cabinet containing several drawers with hundreds of folders in each drawer, with thousands of data items in each folder.  If you are looking for a specific piece of data, in this case the access control badge ID, you must know exactly where it is filed. The data structure in the credential (access card) identifies where the access control ID badge # is located, so that the reader can efficiently capture the data after the authentication between the encryption keys is completed.  Without the reader device knowing the data structure the data will not be captured.

Pitfall #2: Only use products that are designed to utilize a published, readily available data structure model in order to remain “vendor agnostic”.

LEAF data structure, designed for Mifare DESFire EV1 and/or EV2is becoming a well-known, desirable option.  It is openly available and may be used by any manufacturer who wishes to include it in their reader designs.  It is highly flexible and market proven. When specified, this will ensure future interoperability. One simply has to ask for LEAF compatible credentials and devices.

Another inherent risk that is growing in awareness is the communication between the reader devices and the intelligent controllers.  In the 1980’s the standard communication protocol adopted in the physical security industry was Wiegand.   This protocol, when adopted by a manufacturer, ensured that devices would be compatible, primarily readers connected to intelligent controllers.  It has been used to connect the majority of access control reader devices for the past 30 years and continues to expand in use. However, more than 20 years ago, the industry migrated the connectivity of the security application software to intelligent controllers and Closed-Circuit Television (CCTV) cameras to Internet Protocol (IP).  It took several years before they believed the IT industry had sufficiently secured IP infrastructure, but this migration swiftly advanced the functionality of an access control system and aligned physical security with IT security standards, resulting in tremendous efficiencies and benefits. However, the industry has long since ignored the end points. The end points referred to are the access control readers which are connected to the other end of those intelligent controllers.  This connection continues to be accomplished via Wiegand protocol. 

The idiom which says, “a chain is only as strong as its weakest link” is powerful in helping to understand why this protocol must be changed.  Wiegand, much like the legacy low frequency proximity transmission discussed earlier in this article, is not encrypted.  The unencrypted access data can easily be deciphered by tapping into two of the six conductor wires.    Open Supervised Device Protocol (OSDP) was adopted by the Security Industry Association in 2011 with the intention of addressing this weakness.  The first release of the OSDP specification provides guidelines for device manufacturers to address this weakness by using a standard encryption method between two “OSDP compliant” devices to ensure the communication is secure. 

OSDP Compliant Devices Gain Momentum

Many manufacturers have updated their devices and adopted this protocol and offer generally available OSDP compliant products. Most devices on the market today offer this protocol as an option, however it is a slow migration largely due to the lack of awareness regarding the severity of the weaknesses the Wiegand protocol poses. The Wiegand standard remains prevalent and continues to propagate, but for those savvy security practitioners who recognize the risk, it is being addressed as the products become available to the market. The momentum for OSDP is growing and manufacturers are adopting it as part of their product roadmaps, mainly because the functionality it offers continues to evolve.  

Additionally, the latest OSDP specification offers tremendous efficiencies which can be captured in Return on Investment (RoI) scenarios.  For example, version 2.1.7 of the OSDP specification provides the development guidelines required to enable the intelligent controllers to transmit new updates to the readers remotely. These updates modify the behavior of the device or flash the firmware version in the readers for updates which may be bug fixes, newly available functionality or refreshing the encryption keys.  Without this OSDP functionality providing “device to device communication” the operational effort required to change a reader behavior or flash firmware is extremely manual and therefore costly.   Without OSDP the time required to achieve change at the end point is approximately 20 minutes per device, so in a global enterprise this effort can lead to tens of thousands of dollars.  The savings offered by using OSDP devices becomes an obvious benefit seen at the bottom line.

The technology in the physical security industry historically evolves at a very slow pace relative to the IT security industry.  The rate of change is directly correlated to the End User’s ability to migrate and adopt new technology without disruption.  One may call it “vendor agnostic” but the real goal is to have the ability to be progressive.  I believe the industry has finally reached a point of inflection, in which proprietary solutions no longer drive higher security, but rather the use of open standards and common interfaces drive innovation, which in turn yields more highly secure solutions. 

Common data models and standards must be adopted and leveraged not only to enable interoperability, and progression, but to encourage manufacturers to use innovation to drive market growth, rather than counting on the proliferation of a captive customer base.   The two specifications mentioned in this article, OSDP and LEAF, have been offered to the industry to promote interoperability, progressive strategies and innovation – they are “vendor agnostic” and they will enhance progress when adopted.

References

https://www.securityindustry.org/industry-standards/open-supervised-device-protocol/

http://leafip.co

About the author:  Laurie Aaron is the Executive Vice President, WaveLynx Technologies Corporation. Aaron is a veteran security professional having worked with Quantum Secure, Tyco Security Products and HID Global in various executive leadership and sales roles.