printer friendly version

Secured access control

Living in an interconnected world leaves us vulnerable and exposed to cybercrime, and with the advances over the years in physical security products, these too have become open to cyber threats resulting in monetary and safety risks to the extent that many countries are now enforcing personal data protection laws.

Five major security points can be identified, namely: credentials, data in edge devices, communication between device and server, data in the server, and the communication between the server and the client.

The biggest threat in credential security is RF card cloning and fake biometrics. Among the major two types of RF cards, 125 kHz cards are easily cloned, and depending on the 13.56 MHz cards and their usage, these can be cloned as well.

No protection is applied in 125 kHz RF cards, which only support Wiegand formats, and it is possible to duplicate the card including format data. Mifare cards (13.56 MHz) have IC chips and support encrypted data but, when it comes to CSN and Mifare Classic, they are vulnerable to card cloning.

First of all, it’s necessary to choose the right cards that support strong encryption methods. Unsafe cards include: 125 kHz EM, 125 kHz Prox, and 13.56 MHz Mifare Classic. Safe cards include; 13.56 MHz Mifare Plus, 13.56 MHz Mifare Desfire, 13.56 MHz Mifare DesfireEV1, 13.56 MHz iClass SE, and 13.56 MHz iClass SEOS.

After choosing the right type of card, it is necessary to use a data area on the card that is protected by the encryption method. BioStar 2 supports smart cards that feature secure credential and access on card. Only a device with a matched key can access the data on the card.

Protect the edge

The second major security point to consider is data protection in the edge device and here we focus on two questions. How safe is the personal data in the device and what if a hacker removes a device from a wall to gain access to the data on the device?

To address these threats, Suprema encrypts all personal data on the device including the name, PIN, finger and face biometrics. User ID and card ID are categorised as system data and are therefore not encrypted. If a device is removed off of a wall, all user data and logs can be deleted at such a tamper event, however it must be stated that this is an optional setting available in device settings on devices loaded with compliant firmware versions and is supported from BioStar version 2.6 onwards.

The new CoreStation intelligent controller offers further security, with no need to store user credentials on edge devices. The CoreStation is based on a centralised topology, where the intelligence, including fingerprint matching, is done on the controller, all data storage and RS-485 communication to edge devices is encrypted according to the latest international standards, with no need to have a network access point available to hackers outside of your building.

Then there are the concerns surrounding communication between the device and the server/controller and here one needs to consider device hijacking or data snipping/snooping for both network and serial communication. In TCP/IP connections, Suprema offers the highest level of communication protection via optional TLS 1.2, which is widely used in the financial industry. Secure communication for RS-485 is through OSDP v2 Key. Keep in mind that Wiegand can be hacked because of its low-end protocol method which is without key change encryption, and therefore controllers only supporting Wiegand pose security threats.

Data on the server

When addressing the protection of personal data in the server in the event of server data leakage or hacking, BioStar 2 server efficiently encrypts all personal data including email, login password, PIN and fingerprint template. User ID and card ID are regarded as system, not personal data, and are therefore not encrypted. It’s recommended not to use ‘user name’ when adhering to personal data protection regulations.

Suprema also supports encryption key value for your own key value management in BioStar versions 2.6 onwards. Right to be forgotten functionality is provided and allows log data to be automatically deleted after a designated period.

The final risk point raises the question of the possibility of communication between the server and the client being hacked. BioStar 2 versions 2.5 onwards supports HTTPS as a default, plus TLS version 1.0 and higher to secure communication from poodle/man-in-the-middle attacks.

There are also additional personal data management methods to consider. Suprema’s BioStar caters for AoC (Access on Card) for both physical cards and mobile cards, taking away the need to store credentials and personal data on the device, controller or BioStar 2 server. From version 2.6 upwards, optional functionality is available to automatically delete credential and personal data upon issuing AoC cards for both physical RF and mobile cards.

In summary, Suprema’s BioStar 2 cyber-security protection features and data management options that help prevent cybercrime and comply with data protection regulations include enhanced security through encrypted communication, HTTPS encryption between the server and the client and 256-bit AES encryption of communication between the server and devices. Improved security is also offered through centralised, secure storage of biometric and access group data. There is no Ethernet connection to edge devices and no data is stored on edge devices. Communication is secured via TLS 1.2 and AES-256 encryption.

Share this article:

Further reading: