Let’s face it. There are probably thousands of opportunities to threaten the security of an existing access control system. It’s an inherent dynamic of the technology–hacker relationship. We make it, they break it. Unfortunately, when technology is compromised it often means an upgrade is in order; not only for the technology itself but for the hardware that supports it.
Certainly, we are seeing impressive efforts made by hardware manufacturers to minimize footprints, maximize interoperability, and future-proof installations. However, before you design your solution, you need to understand and prioritize the risks you are facing. This article outlines the three most imminent threats to legacy systems and proposes a general risk-mitigation solution for each. With careful product deployment and thoughtful transition strategies, these threats can be easily, efficiently, and affordably resolved.
1.Your legacy card technology can be cloned.
The majority of access control credentials in deployment today still use 125kHz low-frequency proximity technology. This read-only technology is over 25 years old and though certainly reliable and economical, it is known to be extremely vulnerable when it comes to securing your proprietary data. Prox cards can be easily cloned.
The fastest way to duplicate an LF Prox credential is to pop down to your local big-box pharmacy or hardware store. Oftentimes you’ll see a “Key Me” kiosk somewhere near the store entrance. For as low as $9.99, you can easily copy your company card, your student ID, or even your gym pass! Another popular method of duplicating your prox credential is with a handheld cloning device which can be purchased online for just a few dollars more. Within 20 seconds, a user is able to read unsecured data off the original prox card and write that same data to a blank card. Access granted!
What You Can Do About It:
Get off prox. Depending on the number of cardholders you have, the process and the price of replacing already-issued cards can be painful. However, the cost associated with a breach can be much higher. More often than not, “getting off prox” falls into the “how can we afford not to?” category. Upgrading to a new secure credential technology such as encrypted smart cards or mobile credentials is highly recommended. Your primary goal must be to secure the communication/authentication between the credential and the reader so that proprietary user data is protected.
2. Your existing wiring can be skimmed.
Even if no one copies your card, that doesn’t mean your card data is safe. Once your card is authenticated by the reader, your data still needs to be communicated to the panel for access to actually take place. Traditional wiring protocol, known as Wiegand, has been the industry standard since the 1980s. Wiegand consists of uni-directional, unencrypted wires that run between the reader and the panel. It’s these wires that can be easily compromised. By simply removing the reader cover, a hacker can slip a skimming device on the Wiegand wires. Every time a card is presented to the reader, the skimming device can capture the unencrypted data as it travels along the Wiegand wires. This is a surreptitious and incredibly effective method of capturing entire databases of cardholder information!
What You Can Do About It:
Upgrade to ODSP. Open Supervised Device Protocol (OSDP) was developed by Security Industry Association (SIA) and approved as an international standard by the International Electrotechnical Commission (IEC) in 2020. It offers more functionality, interoperability, and most importantly, higher security than Wiegand. Instead of communicating unencrypted data between the reader and the panel, OSDP supports bi-directional, encrypted communication via RS-485 thus protecting that proprietary card data traveling to the panel for access command. Essentially, upgrading to OSDP requires installing a panel converter of some sort or, more popularly, a complete panel replacement. This transition also affects your reader, as it too needs to be capable of supporting the new protocol.
Essentially, you’re asking your hardware to speak a new language. Most access control manufacturers now offer “intelligent panels” which communicate OSDP and offer a wide range of features and functionality not offered in legacy panel technology (e.g., ability to do remote firmware updates to the reader via file transfer). Reader manufacturers have varying approaches to supporting OSDP. Replacing hardware with hardware is not only infuriating, but it can also be very expensive. If you are planning to transition your legacy system to OSDP, it is important to select the right hardware that will set you up for future success.
SIA launched a certification program called OSDP Verified. Defined by SIA, this is a “comprehensive testing program that validates that a device conforms to the SIA Open Supervised Device Protocol (OSDP) standard and the related performance profiles”.
Key Features To Look For When Evaluating OSDP Reader Hardware
● OSDP Verified
● Readers can handle the transfer of structured data units required for smart card operations (File Transfer)
● Readers can automatically detect OSDP when connected to the new panel without needing new wires or field firmware updates
● Readers with a certified EAL6+ crypto engine to protect your keys
● Reader manufacturers who allow you to own and access your keys, unfettered, for true credential interoperability
● Readers are configured for maximum security, that prevents badge ID duplications, and that works well with dual-tech cards with no security compromise
3. You’re locked into proprietary technology.
Just because you’ve upgraded to a more secure credential technology doesn’t mean you’re out of the risk zone. In fact, there’s a very good chance you’ve locked yourself into a proprietary relationship with a vendor without realizing it. Most manufacturers have set up their business models to support a proprietary solution due to the method of encryption most commonly used to secure your data. In the commercial market, the most popular method of securing data on a card is called symmetric encryption.
This type of encryption uses a single, secret keyset to encrypt and decrypt your user data when it is shared between two authenticating devices (e.g., the card and the reader). This method allows for a fast, easy, and affordable secure credential solution. The problem, however, is that those encryption keys are often owned and managed by the vendor. Furthermore, vendors often utilize a “common key” or “universal keyset” so that every credential and reader/device deployed in the entire marketplace uses the same “secret key”.
The risks here are twofold:
- A vendor-owned encryption key means if you want your credential to work on any device in your ecosystem (card reader, lock, secure printing device, etc.) you are forced to purchase those products through that very same vendor. Or, at a minimum, pay a module fee in order to have that vendor manage the keys and establish compatibility with the various devices and applications in your ecosystem. Buying proprietary encrypted credentials means you’ve instantly limited your ability to freely source products at a competitive price. You’ve also limited your own ability to freely integrate your credentials to work on all of the devices in your ecosystem.
- If a vendor programs a “common key” or “universal keyset” in all of the credentials and devices they sell into the marketplace, the entire deployment is at risk should that universal keyset somehow become compromised? Even if individual customers have been assigned a unique format (Facility Code, bit format, badge ID range), if the encryption keyset that protects their data gets hacked, then every single customer using products with the same keyset becomes compromised. Owning your cards, but not your own encryption keys – is like owning a house in a gated community but the HOA uses the exact same locks and keys on every front door in your neighborhood. If someone picks your lock, they essentially pick everyone’s lock.
What You Can Do About It:
Own your keys. Believe it or not, there are solutions that allow an end-user to abolish these vendor handcuffs, and this involves taking ownership of a unique encryption keyset.
For example, LEAF is an industry initiative devised by product manufacturers who evangelize open standards for credentials. These LEAF partners have defined a credential that is highly secure, openly sourced, and totally interoperable with unlimited devices or applications which may reside in a project ecosystem. Some of these manufacturers also offer Key Management Services, which make owning your keys and provisioning them to the devices of your choice an easy process to deploy. Owning your keys means you now have the power to support any device or application in your ecosystem with just one credential. The purpose of a LEAF solution is to break the chains otherwise established by credential manufacturers with proprietary business models.
I encourage you to research your options when faced with designing your transition strategies, so as to capitalize on the most intelligent and economical solutions available in the industry today.
About the author: Sarah Bowling is the VP of Marketing and Communications at WaveLynx Technologies
