End-to-end security – find your weakest link

End-to-end security is becoming a widely used term in the physical security industry, a term borrowed from IT security. End-to-end security refers to the security of communications throughout a system to ensure that at all communication stages the data is not compromised. In a physical access control system, ‘end-to-end’ security means that the access authorisation process is assured and no component is introducing a weak link to the overall system.

Knowing the system is secure ‘end-to-end’ gives absolute certainty that access is only granted based on genuine data and genuine devices. This can only happen if the information is not altered at any stage of the process. Therefore all components and their communications should be evaluated for authenticity and integrity. In this article we explain these components.

How aware are you of your weakest link? Do the test at www.nedapsecurity.com/test-awareness.

End-to-end security – the weakest link

In end-to-end security, it’s important to consider that the chain is only as strong as its weakest link. That is why it is essential that an access control system is always evaluated in its entirety, to discover where the weakest link can be found.

It is not uncommon for access control systems to be installed and then used for the longest time possible without any attention to updating the system’s intrinsic security features. There are many systems in the field that are over 10 years old, based on technologies much older than this and with no or very low cyber security protection. This ‘weakest link’ may help such system users identify strengths or weaknesses of their access control system.

Some weak links might be strengthened by new encryption methods, others by good process and some only by partial or entire replacement. What is essential for those considering investing in new technology is not to introduce weak links.

Cards / biometrics

Cards are an important part of access control systems and for many years have been the most popular form factor for identifying a person at an entrance. Many different types of cards are available from a wide variety of suppliers, but to simplify we can focus on Proximity cards (circa 125kHz) and Smart cards (13.56MHz). The Proximity cards are an older technology that for the most part has low security features. Organisations that have retained this technology (especially combined with Wiegand reader communications – see later) may be well advised to look at newer and more secure alternatives. A few basic internet searches about how to hack the most common proximity technology show a device for around $30 that can clone a card. This alone would introduce a vulnerability to the access control system that could lead to further security exploitations.

Smart cards can offer enhanced security but there must be diligence about their design. Using a card serial number combined with a Wiegand output reader does not offer much more protection than using older proximity technology. Amongst the wider feature set of smart cards, the capability to create secure solutions should be adopted. Future-proofing (ability to adapt) and encryption key ownership are important design factors too. The type of data encryption employed can differ greatly between the various smart card types. At our website www.nedapsecurity.com/test-awareness we have included an explanation of a number of common types of cards.

Card to Reader transmission

The transmission of information between the card and the reader provides an opportunity for hacking. This could take the form of eavesdropping or skimming, or could involve pretending to be someone else (spoofing). Encryption is an effective security technique that can be used to counter this. The most secure method is to have this encryption decoded by the controllers rather than at the reader, because they are usually located on the secure side of the building; however, many readers and even systems do not support this.

Readers / antennas

The reader reads the card details and converts them into a wired signal. The reader therefore does not really have to do anything with the information that is on the card. This means that there is no need for decoding to take place in the reader. After all, allowing decoding to take place in the reader would only create a security risk, because the keys for decoding are also held on the reader. This is a risk that must not be underestimated, although many of the solutions in use provide only limited options.

Reader-Controller transmission

The same risks of hacking by eavesdropping, skimming or spoofing that apply in relation to card-reader transmission also apply here. It is therefore important to take care that you are not using a generic protocol such as the popular Wiegand protocol, as this is very susceptible to hacking. The ideal solution is to consider the security of the card and the reader and their communications, and to ensure these are encrypted and future-proof, meaning the security can be enhanced if there is a future vulnerability.
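
An added example, not from the original article or from any vendor: it contrasts what a receiver can verify on a standard 26-bit Wiegand frame (two parity bits only) with a reader-controller message that carries a message authentication code and a counter. The authenticated message layout, the Controller class and the key are hypothetical, and the sketch covers authenticity and integrity only, not encryption of the payload.

```python
import hashlib
import hmac

def wiegand26_encode(facility: int, card: int) -> str:
    """Standard 26-bit frame: even parity, 8-bit facility, 16-bit card, odd parity."""
    data = f"{facility & 0xFF:08b}{card & 0xFFFF:016b}"
    even = str(data[:12].count("1") % 2)        # first 13 bits end up with even parity
    odd = str((data[12:].count("1") + 1) % 2)   # last 13 bits end up with odd parity
    return even + data + odd

def wiegand26_decode(bits: str):
    """Everything a Wiegand receiver can check: frame length and two parity bits."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        return None
    if bits[:13].count("1") % 2 != 0 or bits[13:].count("1") % 2 != 1:
        return None
    return int(bits[1:9], 2), int(bits[9:25], 2)

def _tag(key: bytes, counter: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over the counter and payload (hypothetical message layout)."""
    return hmac.new(key, counter.to_bytes(8, "big") + payload, hashlib.sha256).digest()

def reader_send(key: bytes, counter: int, payload: bytes):
    """Hypothetical reader side: attach a counter and a MAC to each credential read."""
    return counter, payload, _tag(key, counter, payload)

class Controller:
    """Hypothetical controller side: verify the MAC, then require a fresh counter."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, counter: int, payload: bytes, tag: bytes) -> bool:
        if not hmac.compare_digest(_tag(self.key, counter, payload), tag):
            return False                      # altered in transit or wrong key
        if counter <= self.last_counter:
            return False                      # message already seen once
        self.last_counter = counter
        return True

if __name__ == "__main__":
    frame = wiegand26_encode(12, 3456)        # constructed sample credential
    # The same static bits decode identically every time they arrive.
    print(wiegand26_decode(frame), wiegand26_decode(frame))
    ctrl = Controller(b"constructed-demo-key")
    msg = reader_send(ctrl.key, 1, frame.encode())
    print(ctrl.accept(*msg), ctrl.accept(*msg))
```

The Wiegand decoder returns the same result for every arrival of the same bits, so the controller has no basis for telling a genuine reader from any other source of those bits; the authenticated link gives it one.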