Protecting contactless card-based access control systems

by Katie Daniel | March 10, 2016 4:22 pm

Lady-at-Door — *All photos courtesy Farpointe Data*

by Scott Lindley
Radio frequency identification (RFID) devices are typically used as proximity or smartcard identification in tracking and access control systems. These systems operate on the assumption the token is in close proximity to the reader because of the communication channel’s physical limitations. However, current RFID devices are not suitable for secure identification. They can be subject to skimming, eavesdropping, and relay attacks. An attacker can fool the system by simply relaying the communication between the legitimate reader and token over a greater distance than intended. As these facts become better known, there has been a drive by security directors to overcome such shortcomings.

Wiegand is the industry-standard protocol commonly used to communicate credential data from a card reader to an electronic access controller. In the past, it was considered inherently secure due to its obscure and non-standard nature. No one would accept usernames and passwords being sent in the clear, and they should not accept vulnerable credential data. ID harvesting has become one of the most lucrative hacking activities. In these attacks a credential’s identifier is cloned or captured and retransmitted via a small electronic device to grant unauthorized access to an office or other facility. When selecting the doors hardware and electronic safety and security systems permitting access control in buildings, design professionals should be made aware of the larger issues.

Threats
In considering any security application, it is critical the building owner, facility manager, or tenant realistically assess the threat of a hack to the facilities. For example, if access control is merely a convenience over the alternative of a physical key there is a reduced risk the end user will be hacked. However, if the end user perceives an imminent threat to the facility due to the nature of work, product, or storage method, and the facility uses an access system as an element to the overall security system, they may be at a higher risk and should consider hacker mitigation methods.

Just as we have become aware of criminal skimmers altering ATM infrastructure, card holders should avoid presenting access control credentials to any readers that appear to have been tampered with. These same card holders should also be encouraged to quickly report any suspicions or access control system tampering—including instances involving either the access control readers or access credentials—to the facility’s security and management teams.

edit1 — A combination keypad/card reader (left) provides two-factor validation—something the person knows in addition to something the person has. Smartcard readers (right) have several different options that can help increase card security.

Skimming occurs when the attacker uses a special reader to access information on the victim’s RFID token without consent. The attacker has the ability to read stored information or to modify information by writing to the token. This means he or she can control when and where the attack is performed. In practice, the attacker’s main challenge is to increase the operational range by powering and communicating with the token over a greater distance, as the owner may become suspicious of somebody in his personal space.

An eavesdropping attack occurs when the attacker can recover the data sent during a transaction between a legitimate reader and a token. This requires the attack to be set up in the vicinity of a likely target. The attacker needs to capture the transmitted signals using suitable radio frequency equipment before recovering and storing the data of interest. The degree of success the attacker achieves depends on the resources available. An attacker with expensive, specialized RF measurement equipment will be able to eavesdrop from a further distance than one with an inexpensive, homemade system. Still, the attack is a viable threat either way.

RFID systems are also potentially vulnerable to an attacker relaying communication between the reader and a token. A successful relay attack lets an attacker temporarily possess a ‘clone’ of a token, thereby allowing access to the associated benefits. It is irrelevant whether the reader authenticates the token cryptographically, or encrypts the data, since the relay attack cannot be prevented by application layer security.

The equipment needed to perpetrate the above attacks can be quite inexpensive and is widely available.

Card-based access control system integrity
These threats mean single-factor verification no longer provides the access security that many campus access control systems require. Today, companies want multi-factor verification with what they ‘have’ (i.e. a card) plus what they ‘know’ (i.e. a personal identification number [PIN]). With a combination reader/keypad, access control manufacturers and their integrators can provide companies with a simple, reliable solution for shoring up their system, the combination card reader/keypad.

To enter, individuals present their proximity or smartcard, get a flash and a beep, and enter their PIN on the keypad. The electronic access control system then prompts a second beep on the reader and the individual is authorized to enter.

Another novel way to protect card-based systems is to provide a high-security handshake or code between the card, tag, and reader to help prevent credential duplication. This ensures readers only collect data from these specially coded credentials. In a sense, it is the electronic security equivalent of a mechanical key management system, where the company is the side one with the key. Such keys are only available through the contractor or the integrator chosen for the job. The integrator never provides another organization with the same key. In the RFID scenario, the readers will be able to scan cards or tags and will not be able to scan other cards or tags.

Smart cards
Smart credentials go far beyond traditional identification cards. In addition to individual profile information, they can provide users with secure access to everything from offices, parking lots, and computer networks to safe methods of payment in the company cafeteria and checking out machine tools.

The variety of applications that shrewd security administrators can consider for their smart credential implementation include:

physical credential administration;
visitor management administration;
provisioning or access privileges assigned;
de-provisioning or access privileges revoked;
segregation of duties;
parking permit administration;
property pass administration;
compliance/governance reporting and auditing;
system troubleshooting and maintenance;
alarm correlation and response;
emergency communication and notification;
video analytics applications (people counting, behaviour tracking, etc.);
identification;
time and attendance;
logical access;
supplies check-out verification;
charge privileges at various locations, including, for example, the cafeteria;
document printing; and
biometric template storage.

Access control can also play a part in the building management system. If the access control systems notes someone in a specific part of the building, the air conditioning and lighting can be activated. Once that person leaves, the access control or video system could automatically inform the building management to turn those systems off. This can save money and resources and is a potential green solution that would be helpful in meeting smart building requirements.

In addition to the multiple functions and applications, smart credentials also increase the security of information kept on the card and stored in the facility. Valid ID is a new anti-tamper feature available with contactless smartcard readers, cards, and tags. While being manufactured, readers, cards, and tags are programmed with the Valid ID algorithm, cryptographically ensuring the integrity of sensitive access control data stored on the card or tag. With Valid ID, readers scan through the credential’s access control data searching for data discrepancies, which may occur during the counterfeiting, tampering, or hacking of a contactless smartcard. Valid ID is an additional layer of protection to what is already available in smartcard authentication—operating independently, in addition to, and above the standard level of security. In use, Valid ID allows a smartcard reader to effectively verify the sensitive access control data programmed to a card or tag is not counterfeit.

With smartcards, the organization can also be provided with an added layer of protection in the form of a card validation option. In this enhancement, the cards and readers are programmed with a fraudulent data detection system. The reader will scan through the credential’s data in search of discrepancies in the encrypted data, which normally occurs during credential cloning.

If applications require multiple forms of verification, the smartcard securely stores other credential types such as biometric templates, PIN codes, and photos—utilizing the enhanced storage and encryption of smart technology. Smartcards also provide an extra level of security at the access point, protecting the information behind closed doors or on the secure network.

Equally important, smart credentials afford security administrators more avenues to ensure safe and secure environments. The cards work in concert with access control systems, video surveillance, and mass notification capabilities. With today’s convergence of technology, organizations can integrate existing systems with advanced credential reader technologies to enhance the security of their environments.

Contractors reducing hacking
Contractors can be the frontline defense for protecting a security system. They need to understand the customer’s needs, abilities, and tools, along with the hackers abilities, strike zone, and the preventative methods. There are many things that can reduce the hacking of a card-based access control using the Wiegand system.

Install only fully potted (electronics that are completely encased) readers that do not allow access to the reader’s internal electronics from the unsecured side of the building. An immediate upgrading is recommended for readers that fail to meet this standard.
Ensure the reader’s mounting screws are always hidden from normal view, making use of security screws whenever possible.
Embed contactless readers inside the wall, not simply on the outside, effectively hiding them from view. Or, if this is not possible, and physical tampering remains an issue, consider upgrading the site to readers providing both ballistic and vandal resistance.
Make use of reader cable with a continuous overall foil shield tied to a solid earth ground in a single location. This helps block signals induced on the individual conductors making up the cable as well as those signals that may be gained from the reader cable.
Deploy readers with a ‘pig tail,’ rather than a connector. Use extended length pig tails to assure connections are not made immediately behind the reader.
Run reader cabling through a conduit, securing it from the outside world.
Add a tamper feature, commonly available on many of today’s access control readers.
Use the ‘card present’ line commonly available on many of today’s access control readers. This signal line lets the access control panel know when the reader is transmitting data.
Use access control readers with an output alternative to the industry-standard Wiegand output, provided they are supported by the electronic access control system. Alternatives can include ABA Track II, OSDP, RS485, and TCP/IP.
Offer the customer cards that can be printed and used as photo badges, which are less likely to be shared.

Group-3 — A combination keypad/card reader provides two-factor validation—something the person knows in addition to something the person has.

Product options
Contractors should consider:

providing credentials other than those formatted in the open, industry standard 26-bit Wiegand (not only is the 26-bit Wiegand format available for open use, but many of the codes have also been duplicated multiple times);
offering a customized format with controls to help govern duplication;
avoiding multi-technology readers because credential duplication risks increase;
promoting a technology to limit the credentials a reader is compatible with to a very specific population (implementing a high-security handshake or code between the card or tag and reader will help prevent credential duplication and ensure the customer’s readers will only collect data from these specially coded credentials);
offering a smartcard solution that employs sophisticated cryptographic security techniques;
providing credentials that include anti-tamper technology, such as Valid ID (which indicates when it detects tampering); and
giving two-factor readers including contactless and PIN technologies (or offer a third factor—normally a biometric technology).

Another strategy invokes making available credentials with an anti-playback routine such as transmitters instead of cards. This can be accomplished by implementing long range receivers installed in the locked security closet out of harm’s way, with the electronic access control panels. With the receiver in the security closet, there would be no access readers installed at the door. Thus, no Wiegand data lines are ever exposed to the outside of the building. To enter the facility, the system user presses the appropriate button on the log range transmitter to gain access to any exterior entrance at a distance set by the user. The receiver, which is safely installed in the closet, will accept the signal and forward it to the access panel installed in the same closet, to unlock the door. Meanwhile, traditional RFID access control readers could be used inside the facility.

Additional security system components
Such systems can also play a significant role in reducing the likelihood and mitigating the impact of a hack attack. Additional security system components should be considered, including:

intrusion deterrents—if the access control system is hacked and grants entry to an incorrect individual, a burglar alarm system should be in place to detect and announce the intrusion;
video surveillance—if the access control system is hacked, and entry has been granted to an unauthorized individual, a video system should be in place to detect, record, and announce the intrusion; and
guards—if the system is hacked and intruders are let in, guards in the control room (as well as those performing a regular tour) should receive an alert notifying them that someone has physically tampered with the access control system.

Companies must always stay one step in front of the bad guys. Too many organizations believe they have made their facilities totally safe because they have added a proximity or smartcard based access control system. Almost any electronic device can be hacked, including card based systems. However, being aware of the prospects of being hacked, both end-users and their contractors can look for many ways to lower the threat. With the proper tools, any of these assaults can be defended.

Scott Lindley is a 25-year veteran of the contactless card access control provider industry. Since 2003, he
has been president of Farpointe Data, a DORMA Group company, which is involved with radio frequency identification (RFID) systems, including proximity, smart, and long-range solutions, for access control professionals around the world. Previously, he was director of RFID products at Keri Systems and sales manager, North America, for Motorola Indala.

Source URL: https://www.constructioncanada.net/protecting-contactless-card-based-access-control-systems/