Sacrificing Security for Convenience

Oct. 27, 2008
When it comes to card and reader technology, the easy way may open the door to extreme vulnerability

The last time you made a recommendation or a purchase decision about card and reader technology, was security a part of the decision process? If so, you are one of a very few. In our industry, when it comes to technology, it's all about convenience.

When you look at it from an end-user point of view, security is always trumped by convenience. Think not? What percentage of your end-user population stops to badge-in if the door is being held open in front of them? If you did not monitor door held alarms, what percentage of the doors in the building would get propped open with a trash can? How many computer monitors in your building have a post-it note on the side with the user's password? I rest my case. It turns out that inconvenient security is no security at all; end-users will always find a way around it.

As an industry, we have made a wholesale move from swipe cards to proximity over the last decade. Was that because prox is more secure? Well it might be marginally so, and it certainly allows for less vandalism. But let's face it; the real reason was it was more convenient for our users. Significantly less than 5 percent of all prox readers sold in this country have a built-in keypad for use with a user PIN number. More secure? Yes. Convenient? Not so much.

The bottom line is that convenience is an important part of the security equation. That said, there is a real danger that we are forgetting why we invest in security systems in the first place.

The four steps of technology acceptance

As we learn about a technology, our ability to see it for what it is goes through four steps: unaware, afraid of the magic, comfortable with the magic and knowledgeable. Only in the last step of knowledge do we really understand how something works and its pluses and minuses.

The problem we have is that card technology is still magic to many of the people in the physical security industry. For the most part, we are comfortable with it, but it is still magic. Wave a badge, the door opens. While it is OK to go through life not understanding how your TIVO works or exactly what makes the food in a microwave get hot, we have a duty to make sure that the security technology we recommend at work is appropriate to the task at hand. If I've ever heard a good rationale for convergence, that's it. In the physical security world, we need the IT folks to help us understand the magic.

There is a curious side effect to the stage where we are comfortable with a technology, but really don't understand it. We tend to ignore the potential flaws and dismiss them as low-risk issues that we can not justify worrying about. Not too many years ago, we had companies buying analog phone systems, with their miles of proprietary wiring and high costs. They were often purchased by departments like “Facilities” that didn't understand the magic. A few years later, we are ripping those systems out and installing digital, network-based systems administered by IT. Using common network technology made the systems cheaper, more reliable and dramatically lowered maintenance.

My point? When a manager forgets the big picture and does the same convenient thing year after year, he or she often gets replaced. When an industry does that, it is ripe for disruption.

It's time to pay attention to security. We need to tip the scales back a little. Cards have to be convenient, but it is more important that they are secure. Let's review three examples of where this industry doesn't understand card technology and has or will find itself in an indefensible position.

Wiegand badge formats

Most physical security people have heard of wiegand badge formats. The most popular is 26-bit wiegand, a format available on every security distributor's shelf. While it is convenient to acquire and use, 26-bit wiegand does not pass the security test — 26 bits are not very many, and they severely limit the number of possible combinations. In fact, the limits are 264 facility codes and 64,000 unique IDs. On the surface, 64,000 seems like it exceeds the needs of most facilities; however, the issue is that the number of facility codes is way too small. In any given neighborhood, the odds are good that there is another business using the same one as you. So the worst-case odds that someone in your block carries the exact same badge as one of your employees approach 1 in 264. Even the best-case odds look bad.

I can hear the groans now. That's not a real risk. Normal people don't go around trying their badges at every door they run across. Perhaps — but our job is security, and we don't often deal with “normal people.” We don't install two-foot-high fences or leave a key under the mat. We need to understand the technology and compensate for (not ignore) its limitations.
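The 26-bit format discussed above, decoded in an added Python example (not part of the original article), which also counts how many two-bit line errors slip past the format's only integrity check and read as a different badge. It assumes the widely published open layout of one even-parity bit, an 8-bit facility code, a 16-bit card number and one odd-parity bit; the function names and the sample badge are constructed for illustration.

```python
from itertools import combinations

FRAME_BITS = 26  # assumed layout: P | 8-bit facility | 16-bit card | P

def encode(facility, card):
    """Build a frame as a '0'/'1' string (used here to construct sample data)."""
    if not (0 <= facility < 2**8 and 0 <= card < 2**16):
        raise ValueError("value does not fit the 26-bit format")
    data = f"{facility:08b}{card:016b}"
    even = str(data[:12].count("1") % 2)        # bits 0-12 end up with even ones
    odd = str((data[12:].count("1") + 1) % 2)   # bits 13-25 end up with odd ones
    return even + data + odd

def decode(frame):
    """Return (facility, card); raise ValueError on bad length or parity."""
    if len(frame) != FRAME_BITS or set(frame) - {"0", "1"}:
        raise ValueError("not a 26-bit frame")
    if frame[:13].count("1") % 2 != 0:
        raise ValueError("even parity failed")
    if frame[13:].count("1") % 2 != 1:
        raise ValueError("odd parity failed")
    return int(frame[1:9], 2), int(frame[9:25], 2)

def flip(frame, *positions):
    """Invert the bits at the given positions, as line noise would."""
    bits = list(frame)
    for p in positions:
        bits[p] = "1" if bits[p] == "0" else "0"
    return "".join(bits)

def undetected_two_bit_errors(frame):
    """Count 2-bit corruptions that pass parity and decode to another badge."""
    original = decode(frame)
    accepted = 0
    for a, b in combinations(range(FRAME_BITS), 2):
        try:
            if decode(flip(frame, a, b)) != original:
                accepted += 1
        except ValueError:
            pass  # parity caught this corruption
    return accepted

if __name__ == "__main__":
    sample = encode(42, 12345)  # constructed badge, not a real credential
    print(sample, decode(sample))
    print("keyspace:", 2**8 * 2**16, "credentials in total")
    print("2-bit errors read as another badge:",
          undetected_two_bit_errors(sample), "of", 26 * 25 // 2)
```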

Wiegand communications

What are we thinking? We put a high-tech, biometric two-factor authentication device on the wall, and then we connect it to our field controller with a 20-year-old technology that has no security. The wiegand communications between the reader and panel is a one-way conversation with little error checking, no supervision, no encryption and no verification that the message even came from a valid reader. We don't understand what goes down those wires and only a handful of people in the industry do, so no risk!

The fallacy of this approach was vividly brought home by a presentation this year at the DefCon conference. DefCon is an annual hacker's conference that was held in Las Vegas with an attendance of more than 7,000. One presenter spoke on how to attack access control systems, and he has developed a small device that fits behind a normal reader and captures any badge number on the wiegand communications connection that also lights the reader LED to indicate a valid badge. Presenting a special badge will replay one of the valid numbers and open the door. The device is built with common parts, installs in three minutes or less, and is undetectable in a normal installation. What happens in Vegas does not always stay in Vegas — as there are now YouTube videos on the subject.

By and large, the physical security industry reaction has been stony silence. Of the ones that have commented, the words “layers of security” always seem to come up. I didn't realize the idea was to come up with multiple layers of inferior, insecure technology. The IT community dropped better protocols than this two decades ago; why does our industry believe wiegand communications is good enough?

Card Serial Number

There are two methods of using smart cards for access control. One involves writing a number to a sector on the card and then using all of the encryption and authentication features of modern smart cards to protect it from being read by just any reader. The other method involves reading a unique serial number that the manufacturer places in every smart card. What's the difference? It's simple; serial number readers have no security. Anyone can read the number. International standards are published in all the world's languages on how the technology works and the readers and card simulators are widely available. It is not even a minor challenge for a hacker.

Sector readers are a genuine step forward from proximity technology and provide some real security. The serial number on the card, on the other hand, was never intended to be used for physical access or identity verification. It is there to allow the reader to read multiple cards in the RF field at once. The industry is offering serial number readers because not having to deal with the details of card security is a lot more convenient. Clearly, this one will show up at a hacker's convention at some point in the future.

Best Practices

So in the short term, what do we do?

* Never use 26-bit cards. There is no way they could be considered secure in today's world. If you have them now, it is highly likely you can upgrade by just replacing the cards.

* If you have readers with wiegand communications, check to see if they are tamper-protected. Not being able to remove them from the wall without creating an alarm makes a hacker's attack much less likely.

* Protect the reader wiring by pulling a supervised alarm loop out to each reader. Again, unsupervised wiring makes it simple to get around the system.

* Protect exterior or high-risk readers with an obvious camera. Ensure your monitoring personnel understand the consequences of reader tampering.

* Check to see if your access vendor offers readers with a supervised communication protocol. If so, an upgrade may be a possibility.

* If you use smart cards, check with your vendor to see if your system uses authentication between the card and reader. If not, it may be a configuration option.

* If you are thinking about moving to smart cards (a good move), talk to your vendor about sector readers.

Conclusion

So, how did we get into this mess? Well, it would be easy to blame the panel and reader manufacturers, but that would be really unfair. They have been providing what they were asked to provide. The truth is this is an industry problem. If the end-users and their consultants wanted more secure technology, the manufacturers would have filled the need. We didn't understand our own systems well enough to see the shortcomings. The long-term solution lies not in trying to better understand the technology. Instead, it is all about using technology that doesn't just belong to this industry. We need to build on platforms that have been poked at and investigated by the world's technical community and received their blessing. In short, we need convergence. As a good friend of mine is wont to say, let the singers sing and the dancers dance.

Rich Anderson is the president of Phare Consulting, a firm providing technology and growth strategies for the security industry. A 25-year veteran of high tech electronics, Mr. Anderson previously served as the VP of Marketing for GE Security and the VP of Engineering for CASI-RUSCO. He can be reached at [email protected].