Cyber Vulnerability in Access Control

Sept. 11, 2020
Tips and tricks to keep your customers’ credential-based systems secure
This article originally appeared in the September 2020 issue of Security Business magazine.

Products that used to comprise only mechanical and electrical parts have now transformed into complex, interconnected systems combining hardware, software, microprocessors, sensors and data storage. These so-called “smart” products are the result of a series of rapid improvements in device miniaturization, processing power and wireless connectivity. All of these things are connected to the Internet; hence, the name “Internet of Things.”

Once the access control system becomes linked with the Cloud and Big Data, immense new security challenges will confront integrators.

As access control credential and reader systems become increasingly attached to networks and other smart systems in the world of IoT, cybersecurity becomes a major concern. Those integrators and end-users who fail to secure this security equipment provide often irresistible backdoors for hackers.

Access Control Vulnerabilities

To begin to assess a customer’s access control vulnerabilities, a Cybersecurity Vulnerability Checklist can be very helpful. It covers a range of topics that can help protect security-related systems, networks and programs from digital attacks – including default codes, Wiegand issues, reader implementation tips, card protection solutions, long-range readers, anti-hacking compatibility and adding security components.

Since networking appliances and other objects are relatively novel, product design has often not yet incorporated security. Some integrated products are sold with old, open embedded operating systems and software. Furthermore, as with enterprise security system products themselves, too many integrators do not change the default passwords on smart devices, segment their networks or restrict network access.

If the installer does not change the default alarm code, for example, the user might as well be handing their user code to everyone. It takes less than 30 seconds to view the master and all other user codes, or even to create a new one. Unfortunately, these default codes can often be found online, and once inside the system, the hacker can reach the rest of the computer system.

Many installers simply disarm the default installer code, which may allow the user codes, including the master code, to be viewed. If an unauthorized person accesses an unarmed panel and uses the installer code, they gain access to all installed hardware and can create a new user code or change an existing one. This code then trumps the master and the other user codes.

Sometimes the problem is within the software. Often, a default code is hard-coded in the app, providing a means by which the device can still be managed even if the administrator's custom passcode is lost. It is poor practice for developers to embed passwords, especially unencrypted ones, in an app's shipped code.

Additionally, 26-bit Wiegand – the electronic access control industry’s legendary protocol, commonly used to communicate credential data from a reader to a panel – is no longer inherently secure: what security it had rested on the protocol’s original obscurity.

If Wiegand is a requirement, consider custom formats using more bits. Employ an Elite Key or MAXSecure Code. Make use of the "card present" line, commonly available on newer access control readers, or take advantage of today’s serial options including the Security Industry Association’s Open Supervised Device Protocol (OSDP).
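To make the point about 26-bit Wiegand concrete, here is an added encoder/decoder for the standard 26-bit layout (a leading even-parity bit over the first 12 data bits, an 8-bit facility code, a 16-bit card number, and a trailing odd-parity bit over the last 12 data bits). It is example code written for this article, not a vendor's reader or panel firmware; parity is the only integrity check the frame carries, and there is no key or authentication, so a reader-to-panel line is only as private as its wiring.

```python
"""26-bit Wiegand (H10301-style) frame encoder/decoder.

Added example, not from the article. The frame consists of 24 data bits
and two parity bits; nothing in it is secret or authenticated.
"""
from dataclasses import dataclass

FRAME_BITS = 26
FC_BITS = 8    # facility code width
CN_BITS = 16   # card number width


@dataclass(frozen=True)
class Wiegand26:
    facility_code: int  # 0..255
    card_number: int    # 0..65535


def _parity(bits):
    """1 if an odd number of bits are set, else 0."""
    return sum(bits) & 1


def encode(cred):
    """Return the 26 bits as clocked out on D0/D1, most significant first."""
    if not 0 <= cred.facility_code < 2 ** FC_BITS:
        raise ValueError("facility code out of range")
    if not 0 <= cred.card_number < 2 ** CN_BITS:
        raise ValueError("card number out of range")
    payload = [(cred.facility_code >> i) & 1 for i in range(FC_BITS - 1, -1, -1)]
    payload += [(cred.card_number >> i) & 1 for i in range(CN_BITS - 1, -1, -1)]
    even = _parity(payload[:12])       # leading bit: even parity over first 12 data bits
    odd = 1 - _parity(payload[12:])    # trailing bit: odd parity over last 12 data bits
    return [even] + payload + [odd]


def decode(bits):
    """Verify both parity bits and return the credential; raise on any error."""
    if len(bits) != FRAME_BITS or any(b not in (0, 1) for b in bits):
        raise ValueError("not a 26-bit frame")
    payload = bits[1:-1]
    if bits[0] != _parity(payload[:12]):
        raise ValueError("even parity error")
    if bits[-1] != 1 - _parity(payload[12:]):
        raise ValueError("odd parity error")
    fc = int("".join(map(str, payload[:FC_BITS])), 2)
    cn = int("".join(map(str, payload[FC_BITS:])), 2)
    return Wiegand26(fc, cn)
```

A panel that only runs `decode` can tell at most 2^24 credentials apart and cannot distinguish a genuine card read from any other source of the same 26 bits; that is the gap OSDP's encryption and authentication close.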

From the computer side of the solution, it will be beneficial if the system uses Hypertext Transfer Protocol Secure (HTTPS) to provide secure communication over the computer network.

Cybersecurity Advantages of OSDP

If the new system leverages OSDP, it also will interface easily with control panels or other security management systems, fostering interoperability among security devices. OSDP may eliminate the need for custom system interfaces, a fertile hunting ground for hackers.

OSDP takes solutions beyond the limitations of Wiegand and enables security equipment, such as card and biometric readers from one company, to interface easily with control panels and equipment from another manufacturer.

A two-way channel paves the way for forward-looking security applications such as the handling of advanced smartcard technology, PKI and mobile device access. Not only does it provide a concise set of commonly used commands and responses, it eliminates guesswork, since the encryption and authentication required in federal applications are predefined.

OSDP also protects smart card readers by constantly monitoring the wiring to detect attacks. The specification for handling LEDs, text, buzzers and other feedback mechanisms provides a rich, user-centric access control environment.

Cybersecurity and Mobile Access

A smartphone features built-in security – starting with biometrics and PINs – that can be vital to a cyber-secure mobile access control system. Once a biometric, PIN or password is entered to access the phone, the user should set up a two-factor access control verification. A user will not be able to access a phone-based credential without having secure access to the phone itself. The credential operates just like any other app on the phone, meaning the phone must be “on and unlocked.”

These two factors – availability and built-in multi-factor security verification – are major reasons why organizations are increasingly asking their integrators for mobile credentialing capabilities in new electronic access control implementations.

Additionally, once a mobile credential is installed on a smartphone, it cannot be reinstalled on another smartphone. If a smartphone is lost, damaged or stolen, the process should be the same as for a card. It should be immediately deactivated in the access control management software, with a new digital credential issued as a replacement.

On the reader side of the mobile access equation, most smartphone readers use AES encryption when transferring data. This helps readers resist skimming, eavesdropping and replay attacks.

Legacy systems, however, require caution when transitioning to mobile – due to the use of back-end portal accounts. For hackers, these portals can become rich, easy-to-access caches of personal end-user data. These older mobile systems force the user to register themselves and their integrators for every application, including door access, parking access and data access – with each registration requiring the disclosure of sensitive end-user information. In this situation, an integrator should look for credentials with features that allow the user to register their handset only once and need no portal accounts, activation features or hidden fees, annual or otherwise.

Long-Range Readers

Another often overlooked trend in readers is the accelerating use of long-range readers for access control applications. Instead of using a card, which could activate more than one device or door at a time, a transmitter selects exactly the mechanism to be immediately triggered.

Transmitter-based long-range reading takes advantage of a secure digital anti-playback routine based on a custom, enhanced rolling-code variant of the Tiny Encryption Algorithm (TEA). The anti-playback feature virtually eliminates the risk of code sniffing and unauthorized duplication. Every time a button is pressed, the encrypted rolling code changes, preventing a sniffed code from being successfully re-transmitted.
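The anti-playback idea is easiest to see in code. The following is an added illustration, not Farpointe's proprietary routine (the article does not describe the vendor's enhanced TEA variant or frame layout): textbook TEA encrypts the transmitter's device ID together with a counter that advances on every press, and the receiver accepts a frame only when the counter moves forward within a small window, so a frame that has already been heard is rejected when it is resent. The key, device ID and window size are constructed sample values.

```python
from dataclasses import dataclass

DELTA, MASK, ROUNDS = 0x9E3779B9, 0xFFFFFFFF, 32

def tea_encrypt(v, k):
    """Textbook TEA: 64-bit block as two uint32, 128-bit key as four uint32."""
    (v0, v1), s = v, 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1

def tea_decrypt(v, k):
    (v0, v1), s = v, (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1

@dataclass
class Transmitter:
    key: tuple
    device_id: int
    counter: int = 0
    def press(self):
        """Every press advances the counter, so the radio frame never repeats."""
        self.counter += 1
        return tea_encrypt((self.device_id, self.counter), self.key)

@dataclass
class Receiver:
    key: tuple
    device_id: int
    window: int = 16   # presses made out of range that we tolerate before resync
    last: int = 0      # highest counter accepted so far
    def accept(self, frame) -> bool:
        dev, ctr = tea_decrypt(frame, self.key)
        if dev != self.device_id:
            return False            # wrong key or unknown transmitter
        if not self.last < ctr <= self.last + self.window:
            return False            # stale (replayed) or implausibly far ahead
        self.last = ctr             # move forward; this frame is now dead
        return True

def demo():
    key = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)  # constructed sample key
    tx, rx = Transmitter(key, 0xBEEF), Receiver(key, 0xBEEF)
    f1, f2 = tx.press(), tx.press()
    return [rx.accept(f1), rx.accept(f2), rx.accept(f1), rx.accept(f2)]
```

`demo()` returns `[True, True, False, False]`: both live presses open the door, and both recorded frames are refused when played back.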

Scott Lindley ([email protected]) is General Manager of Farpointe Data. Request more info about the company at www.securityinfowatch.com/10215927.