No hackers!

Access & Identity Management Handbook 2021 Editor's Choice

Protecting your customers’ organisations from hackers is imperative. Threats have grown from teenage mischief-makers to sophisticated government-backed entities and, now, even advertising and analytics companies. With knowledge of what these hackers seek and the straightforward, undemanding remedies that are becoming available to thwart them, there is little reason not to incorporate basic cybersecurity into your access control solutions.

Interestingly, not reviewing vulnerabilities becomes a major blunder when installing an access control system. Ask your vendor for their cybersecurity vulnerability checklist. It should cover a range of topics that can help protect security-related systems, networks and programs from digital attacks. Sections should include handling default codes, Wiegand issues, reader implementation tips, card protection solutions, leveraging long-range readers, assuring anti-hacking compatibility throughout the system and adding security components.

Some security professionals don’t secure their own security equipment. Left unsecured, it provides irresistible backdoors for hackers. For instance, if the installer does not change the default alarm code, the user might as well be giving their user code to everyone. It takes less than 30 seconds to view the master code and all other user codes, or even to create a new one. Unfortunately, these codes can often be found online and, once inside the system, the hacker can access the rest of the computer system.

And too many installers simply disarm the default installer code. This may let the user codes be viewed, including the master code. If an unauthorised person accesses an unarmed panel and uses the installer code, they gain access to all installed hardware and can create a new user code or change a current user code. This code then trumps the master or other user codes.

Sometimes, the problem is within the software. Often, the default code is hard-coded in the app, providing a means by which the device can still be managed, even if the administrator’s custom passcode is lost. It is poor practice for developers to embed passwords, especially unencrypted, into an app’s shipped code.
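The contrast described above, as an added example that is not code from the article or from any vendor: a check with a shipped fallback code beside a design that stores only a salted hash and recovers from a lost code by wiping it. FACTORY_CODE, HardenedPanel and the code-strength rule are hypothetical names and assumptions made for illustration.

```python
import hashlib
import hmac
import os

FACTORY_CODE = "0000"  # constructed placeholder, not a real vendor default


def verify_with_backdoor(entered: str, admin_code: str) -> bool:
    """Pattern the article warns against: the shipped default always works."""
    return entered == admin_code or entered == FACTORY_CODE


class HardenedPanel:
    """Hypothetical panel model: no fallback code, only a salted hash is kept."""

    ITERATIONS = 100_000

    def __init__(self) -> None:
        self._salt = None
        self._hash = None  # unprovisioned until the installer sets a code

    def _derive(self, code: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, self.ITERATIONS)

    def set_code(self, new_code: str) -> None:
        # Assumed policy: reject the factory value and trivially short or repetitive codes.
        if new_code == FACTORY_CODE or len(new_code) < 6 or len(set(new_code)) < 3:
            raise ValueError("code is a factory default or too weak")
        self._salt = os.urandom(16)
        self._hash = self._derive(new_code, self._salt)

    def verify(self, entered: str) -> bool:
        if self._hash is None:
            return False  # a panel in factory state accepts nothing
        candidate = self._derive(entered, self._salt)
        return hmac.compare_digest(candidate, self._hash)  # constant-time compare

    def factory_reset(self) -> None:
        """Lost-code recovery: wipe the credential instead of keeping a hidden one."""
        self._salt = None
        self._hash = None
```

A short numeric code stays guessable however it is stored, so the hash protects the stored value rather than replacing lockout and tamper controls.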

The difference between physical and cyber hacks

There are three main physical ways to assault a card-based electronic access control system – skimming, eavesdropping and relay attacks. Skimming occurs when the attacker uses an unauthorised reader to access information on the unsuspecting victim’s RFID card or tag without their explicit consent. As a result, the attacker is able to read stored information or modify information by writing to the credential. From that point on, the attacker can control when and where unauthorised entries may occur.

An eavesdropping attack occurs when an attacker recovers the data sent during a transaction between the legitimate reader and card, for example while the user is accessing their building. As a result, the attacker can recover and store the data of interest. From then on, the attacker can use this stored data at will.

Lastly, RFID systems are potentially vulnerable to an attack in which the attacker relays communication between the reader and a tag. A successful relay attack lets an attacker temporarily possess a ‘clone’ of a token, thereby allowing the attacker to gain the associated benefits. Some sophisticated RFID credentials perform mutual authentication and encrypt the subsequent communication. An attacker, however, never needs to know the plain-text data or the key material as long as he can continue relaying the respective messages. It is therefore irrelevant whether the reader authenticates the token cryptographically or encrypts the data, since the relay attack cannot be prevented by application layer security.

What’s scary about all this is that the equipment used to perpetrate the above attacks can be quite inexpensive and is widely available.

Cyber-attacks can be new to many chief security officers. Internet of Things (IoT) devices are common, and the bad news is that almost all of them get port-scanned at some point. Mass port scanning identifies port availability by sending connection requests to a target computer and recording which ports respond and how. Determining which ports are in use lets hackers work out which applications and services the device is running, and from there authentication could be compromised.

Caveat emptor

Here’s an even scarier, more subtle way of using cyber tactics to get your or your customers’ personal information. Do you use a mobile access control system, one where your smartphone acts like your ID badge? A special word of caution is needed when changing over to mobile systems.

Many legacy access control systems require the use of back-end portal accounts. For hackers, these portals can become rich, easy-to-access caches of personal end-user data containing potentially private information, such as names, addresses and emails. These older mobile systems will force the user to register themselves and their integrators for each application; door access – register, parking access – register.

Knowing this, users can employ a physical solution, credentials with features that allow them to register their handset only once and need no portal accounts, activation features or hidden fees, annual or otherwise. Instead of developing a software cyber solution, all that should be needed to activate your systems is the phone number of the smartphone. If you need to fill out several different forms or disclose private data to install your mobile system, demand this better solution.

In addition, 26-bit Wiegand is no longer inherently secure now that the obscurity it originally relied on is gone. It also suffers from a lack of data bits. Consider a range of big-number options. Use custom Wiegand formats, ABA Track II magnetic stripe emulations or today’s serial options including Open Supervised Device Protocol (OSDP), RS-485 and TCP/IP. Make use of additional reader control lines. A simple example is the ‘card present’ line commonly available on today’s access control readers.

Options are now available that can be added to many readers. The first is MAXSecure, which provides a higher-security handshake, or code, between the proximity, smart or mobile card, tag and reader, as well as long-range transmitters and receivers to help ensure that readers will only accept information from specially coded credentials.

Valid ID is a relatively new anti-tamper feature available with contactless smartcard readers, cards and tags. Embedded, it can add an additional layer to boost authentication assurance of NXP’s MIFARE DESFire EV2 smartcard platform, operating independently in addition to the significant standard level of security that DESFire EV2 delivers. Valid ID lets a contactless smartcard reader effectively help verify that the sensitive access control data programmed to a card or tag is indeed genuine and not a cloned counterfeit.

Leading readers additionally employ sophisticated symmetric AES encryption when transferring data. Since the Certified Common Criteria EAS5+ Computer Interface Standard provides increased hardware cybersecurity, these readers may also resist skimming, eavesdropping and replay attacks.

Remedies easily available to you

If the new system leverages the Security Industry Association’s (SIA) OSDP protocol, it will also interface easily with control panels or other security management systems, fostering interoperability among security devices. OSDP may eliminate the need for custom system interfaces, a fertile hunting ground for hackers.

OSDP takes solutions beyond the limitations of Wiegand and lets security equipment such as card and biometric readers from one company interface easily with control panels and equipment from another manufacturer. This standardised two-way channel paves the way for forward-looking security applications such as the handling of advanced smartcard technology, PKI and mobile device access. Not only does it provide a concise set of commonly used commands and responses, it eliminates guesswork, since encryption and authentication are predefined.

OSDP also secures smartcards by constantly monitoring wiring to protect against attack threats. The specification for handling LEDs, text, buzzers and other feedback mechanisms provides a rich, user-centric access control environment.

Be sure you only install readers that are fully potted to limit access to the reader’s internal electronics from the unsecured side of the building. When installing, use tamper proof screws. For physical card-based solutions, offer only smart cards that employ sophisticated cryptographic security techniques. Make the internal numbers unusable through encryption, and offset the printed numbers. To read them, the system needs access to a secret key or password that provides decryption. Modern encryption algorithms play a vital role in assuring data security.

It will be beneficial if your system uses HTTPS (Hypertext Transfer Protocol Secure), widely used on the Internet, to provide secure communication over the computer network. In HTTPS, the communication protocol is encrypted using Transport Layer Security, or TLS, a protocol that provides authentication, privacy and data integrity between two communicating computer applications.



Cybersecurity need not be a mystery

Products that used to comprise only mechanical and electrical parts have now transformed into complex, interconnected systems combining hardware, software, microprocessors, sensors and data storage. These so-called ‘smart’ products are the result of a series of rapid improvements in device miniaturisation, processing power and wireless connectivity. All of these things are connected to the Internet. Once the access control system becomes linked with other smart systems in the world of IoT, the cloud and big data, immense, new security challenges will confront integrators.

Since networking appliances and other objects are relatively novel, product design has often not yet incorporated security.

As implied earlier, integrated products are often sold with outdated, open embedded operating systems and software. Furthermore, as with enterprise security system products themselves, too many integrators simply don’t change the default passwords on smart devices, segment their networks or restrict network access.

Scott Lindley, general manager, Farpointe Data, is a 25-year veteran of the contactless card access control industry.
