301.519.9237 exdirector@nesaus.org

3.25.19 – SIW

Potential hacks into EAC systems is becoming a real threat for users and integrators and they are looking to the vendors for answers.

Understand your organization’s threat and plan accordingly

Hacking has evolved as a serious threat and protecting access control systems from hackers has become imperative. Potential bad actors comprise sophisticated government-backed entities to teenage mischief makers. Hackers look for the easiest path in, leveraging many different physical assets, including those within the enterprise-class security system itself.

They typically start with hardware, such as wireless components or system controllers, which will give them access to specific computers. Then, those computers may give them access to both the target’s external and internal Internet. Apple CEO Tim Cook warns, “The hacking community aren’t hackers anymore; they are sophisticated enterprises.”

Indeed, a well-known industry web portal recently reported how a $30 card copier easily spoofed a popular 125-kHz access card. The column stated that the copier “used to copy the cards works much the same way as normal card readers, with transceiver coil, power supply, IC chip, buzzer and even LED components shared by both. Given the principal operation of contactless card readers, the copier excites the coil and delivers power wirelessly to the card, which then momentarily stores energy and then uses it to broadcast card details back to the copier.

To give businesses an extra incentive to meet their cybersecurity threats, the Federal Trade Commission (FTC) has decided to hold the business community responsible for failing to implement good cybersecurity practices and is now filing lawsuits against those that don’t. For instance, the FTC filed a lawsuit against D-Link and its U.S. subsidiary, alleging that it used inadequate safeguards on its wireless routers and IP cameras that left them vulnerable to hackers.

Consider Threat Level When Mitigating Risk

When considering any security application, it is critical that the access control user realistically assesses the threat of a hack to a facility. For example, if access control is being used merely as a convenience to the alternative of using physical keys, chances are the end user has a reduced risk of being hacked. However, if the end user is using their electronic access system as an element to their overall security system because of a perceived or imminent threat due to the nature of what they do, produce or house at their facility, they may indeed be at higher risk. They should consider methods that mitigate the risk of a hack.

Here are the various applications that shrewd security administrators should consider for anti-hacking implementation:

  • Physical credential administration
  •  Visitor management administration
  •  Provisioning or access privileges assigned
  • De-provisioning or access privileges revoked
  • Parking permit administration
  • Property pass administration
  • Compliance/governance reporting and auditing
  • System troubleshooting and maintenance
  • Alarm correlation and response
  • Emergency communication and notification
  • Video analytics applications (people counting, behavior tracking, etc.)
  • Identification
  • Time and attendance
  • Logical access
  • Supplies check-out verification
  • Charge privileges at various locations, including the cafeteria
  • Document printing

Interestingly, some security providers don’t seem to secure their customers’ security equipment. As reported recently in Forbes, Google themselves learned that their network-enabled access panels had become a target of their own employee. Per the article, “a Google engineer discovered a vulnerability in the third-party system controlling access to doors across its campus.”(https://www.forbes.com/sites/thomasbrewster/2018/09/03/googles-doors-hacked-wide-open-by-own-employee/#7f6ef45e3c7a) It’s clear new specifications are needed for electronic access control projects.

For instance, were you aware that by simply putting the default installer code of a panel in a disarmed state, it can be used to view the user codes including the master code or to change or create a new code? Therefore, if a potential unauthorized person gains access to a panel in the unarmed state, using the installer code gives that person access to all installed hardware and will even allow the creation of a new user code or change of a current user code. This code then trumps the master/other user codes.

So, if the installer does not change the default code, the user might as well be giving a user code to everyone. Less than 30 seconds is all it takes to view the master, all other user codes, or even create a new one. Yes, you reply, but what if the installer says that they don’t have the default installer code? That’s not an acceptable reply. Unfortunately, too often, these codes can be found online by anyone that knows how to use a simple Google search. And, of course, once inside the system, the hacker can get also access to the rest of the computer system.

Sometimes the problem is within the software itself. Oftentimes, the default code is embedded in the app to provide a mechanism to let the device still be managed even if the administrator’s custom passcode is lost. However, it is a poor developer practice to embed passwords into an app’s shipped code, especially unencrypted.

Simple Things that Improve Cybersecurity

26-Bit Wiegand, the electronic access control industry’s legendary standard protocol commonly used to communicate credential data from a reader to a panel, is no longer inherently secure due to its original obscure nature. Consider a range of options. Use custom Wiegand formats, ABA Track II magnetic stripe emulations or today’s serial options including Open Supervised Device Protocol (OSDP), RS485 and TCP/IP. Make use of additional control lines, such as see the “card present” line commonly available on today’s access control readers.

Options are now available that can be added to the readers. The first is MAXSecure, which provides a higher-security handshake, or code, between the proximity, smart or mobile card, tag and reader, as well as long-range transmitters and receivers, to help ensure that readers will only accept information from specially coded credentials. The second is Valid ID, a relatively new anti-tamper feature available with contactless smart card readers, cards and tags. Embedded, it can add an additional layer to boost authentication assurance of NXP’s MIFARE DESFire EV2 smart card platform, operating independently, in addition to, and above the significant standard level of security that DESFire EV2 delivers. Valid ID lets a contactless smart card reader effectively help verify that the sensitive access control data programmed to a card or tag is indeed genuine and not counterfeit.

Leading readers additionally employ sophisticated symmetric AES encryption when transferring data. Since the Certified Common Criteria EAS5+ Computer Interface Standard provides increased hardware cybersecurity, these readers resist skimming, eavesdropping and replay attacks.

If the new system leverages the Security Industry Association’s (SIA) Open Supervised Device Protocol (OSDP), it also will interface easily with control panels or other security management systems, fostering interoperability among security devices. OSDP may eliminate the need for system interfaces, a fertile hunting ground for hackers.

Assure additional security system components are available. Such systems can also play a significant role in reducing the likelihood of an attack as well as mitigating the impact of a hack attack should it occur.

  • Intrusion:  Should the access control system be hacked and grant entry to a wrong individual, have a burglar alarm system in place to detect and annunciate the intrusion.
  • Video:  If the access control system is hacked, granting entry to an unauthorized individual, have a video system in place to detect, record and annunciate the intrusion.
  • Guards:  If the system is hacked and intruders are let in, make sure that guards in the control room, as well as those performing a regular tour, receive an alert notifying them that someone has physically tampered with the access control system.

What About Mobile Security Equipment?

Now, as companies are learning how to protect card-based systems, along comes mobile access credentials and their readers which use smartphones instead of cards as the vehicle for carrying identification information. Many companies perceive that they are safer with a card but, if done correctly, the mobile can be a far more secure option with many more features to be leveraged. Handsets deliver biometric capture and comparison as well as an array of communication capabilities from cellular and Wi-Fi to Bluetooth LE and NFC.

As far as security goes, the soft credential, by definition, is already a multi-factor solution. Access control authenticates you by following three things:

  • Recognizes something you have (RFID tag/card/key),
  • Recognizes something you know (PIN) or
  • Recognizes something you are (biometrics).

Your smartphone has all three authentication parameters. This mobile credential, by definition, is already a multi-factor solution. Your mobile credentials remain protected behind a smart phone’s security parameters, such as biometrics and PINs. Once a biometric, PIN or password is entered to access the phone, the user automatically has set up 2-factor access control verification – what you know and what you have or what you have and a second form of what you have.

To emphasize, one cannot have access to the mobile credential without having access to the phone. If the phone doesn’t work, the credential doesn’t work. The credential operates just like any other app on the phone. The phone must be “on and unlocked.” These two factors – availability and built-in multi-factor verification – are why organizations want to use smartphones in their upcoming access control implementations.

Plus, once a mobile credential is installed on a smartphone, it cannot be re-installed on another smartphone. You can think of a soft credential as being securely linked to a specific smartphone. Like a card, if a smartphone is lost, damaged or stolen, the process should be the same as with a traditional physical access credential. It should be immediately deactivated in the access control management software – with a new credential issued as a replacement.

Caveat Emptor!

Some older mobile systems force the user to register themselves and their integrators for every application. Door access – register. Parking access – register again. Data access – register again, with each registration requiring the disclosure of sensitive personal information.

Newer solutions provide an easier way to distribute credentials with features that allow the user to register their handset only once and need no other portal accounts, activation features or hidden fees. Users don’t need to fill out several different forms.

By removing these and additional intrusive information disclosures, they have also eliminated privacy concerns that have been slowing down adoption of this technology. All that is needed to activate the credential is simply the phone number of the smartphone. When mobile credentials are sold from OEM to integrator to end user, it avoids setting up multiple accounts and eliminates sensitive personal information from being available for hacking.

Ask Your Manufacturer for Help

To check your system’s cybersecurity vulnerability, ask your manufacturer to provide their RFID cybersecurity checklist. Sections should include specifics regarding default codes, Wiegand issues, reader implementation tips, card protection solutions, leveraging long-range readers, assuring anti-hacking compatibility throughout the system and leveraging additional security components.

About the authorScott Lindley is General Manager of Farpointe Data, which is the leading manufacturer of private label OEM RFID cards, readers and mobile apps for electronic access control companies around the world.