Specifying hacking-resistant access control

May 12, 2017

[1]
Photos © BigstockPhoto

by Scott Lindley
Hacking has become a far bigger threat than most think. Indeed, the greatest risk to national security comes not from aircraft carriers or infantry divisions, but from a computer with a simple Internet connection located anywhere in the world. The U.S. federal government suffered a staggering 61,000 known cybersecurity breaches last year alone. Protecting users from professional hackers is imperative for specifiers.

Odds are most of us do not work for organizations as large as the U.S. government or as big a target as a major corporation, but that should not give specifiers rest. Many hackers are simply amateurs trying to get into any system they can—a phenomenon referred to as ‘opportunistic hacking.’ When such hackers get in, they like to change code to create mayhem. Providing anti-hack, card-based access control systems eliminates one of these hackers’ more popular opportunities.

Design/construction professionals’ reputations can be tarnished by providing systems (e.g. contactless card-based access control systems) that get hacked. Further, it is also only a matter of time before the federal government holds the industry liable for not protecting these systems when there are scores of remedies available to hinder the hacking of access control and other wireless, computer-driven systems. Specifying and incorporating such safeguards is becoming a very important aspect of any security solution for design/construction professionals.

[2]
For many hackers, the easiest gateway into the computer system is the security system.

Hacking trends
To give businesses an incentive to meet cybersecurity threats, the Federal Trade Commission (FTC) has decided it will hold the business community responsible for failing to implement good cybersecurity practices, and is now filing lawsuits against those that do not. For example, in the summer of 2015, an appeals court backed the FTC’s lawsuit against the hotel chain operator Wyndham Worldwide[3] for not protecting consumers’ information. Also, this January, the commission filed a lawsuit[4] against D-Link and its U.S. subsidiary, alleging the company used inadequate safeguards on its wireless routers and IP cameras, leaving them vulnerable to hackers.

The FTC is recognizing a problem some security practitioners do not appreciate. To get into information technology (IT) as well as critical-infrastructure operational technology (OT) systems, hackers look for the easiest path, leveraging many different physical assets—including those within the enterprise security system itself. They typically start with hardware that will give them access to specific computers, which in turn give them access to the target’s external and internal Internet.

It is important to mention both IT and OT systems, because most everyone understands what IT is, but very few are familiar with OT. IT security lives in the context of networks, servers, storage, apps, and data—it involves a system where many hosts are communicating with each other and where frequent patch cycles occur over weeks or sometimes days in response to expected and known cyber threats. Essentially, IT security protects data. An attack on the IT system can create very big problems, from transferring funds to stealing personal information such as social security numbers or protected files. However, the new trend of attacking the OT system can be even worse.

Beyond white-collar offices and data centers—often, miles away—are the industrial control systems (ICS) that run organizations’ operations. In industries as diverse as oil and gas, power generation and distribution, healthcare, transportation systems, and manufacturing, ICSs create automated solutions that increase productivity by connecting sensors, machines, and instruments. They control local operations such as:

When ICSs are hacked by sophisticated government-backed entities, havoc can run rampant. For instance, a little over a year ago, approximately 1.4 million homes in western Ukraine lost their electricity for several hours due to a very advanced attack. Once the hackers had access, they first manually opened the breakers, then employed the BlackEnergy virus to hinder efforts to locate and restore them. (The BlackEnergy virus is a sophisticated piece of malware with a modular architecture, suitable for sending spam and for online fraud. For more on this attack, click here[5].) There was also a simultaneous distributed denial-of-service (DDoS) attack on the utilities’ call centers to slow down customer reports of outages.

Breaches of the operating system at a dam outside New York City were also attributed to hackers—hackers from companies performing work on the Iranian government’s behalf, according to the Justice Department. The perpetrators successfully obtained unauthorized access to the Supervisory Control and Data Acquisition (SCADA) systems of the dam, but the Federal Bureau of Investigation (FBI) found those behind the cyber intrusion[6].

[7]
Two-factor authentication hinders hacking.
Photos courtesy Farpointe Data

The accountability of security professionals
Interestingly, some security professionals do not seem to secure their own equipment. Over the past year, as noted already by the FTC in the D-Link case, users have learned IP-enabled contactless card readers and wireless cameras have become favorite targets of hackers. Unsecured, they provide irresistible back doors. Thus, new specifications are needed for electronic access control projects.

Let us begin by understanding one of the easiest problems to correct with security equipment. Simply entering the default installer code while a panel is in a disarmed state allows one to view user codes—including the master code—or to change or create a new code. In other words, if an unauthorized person gains access to a panel in the unarmed state, using the installer code can give him or her access to all installed hardware. Any code they create or change then trumps the master and other user codes.

If the installer does not change the default code, he or she might as well be giving a user code to everyone. All it takes to view the master and user codes or create a new one is less than 30 seconds. However, what if the installer says they do not have the default installer code? Unfortunately, these codes can too often be found online by anyone who knows how to conduct a simple Google search. Once ‘inside,’ the hacker can gain access to the rest of the computer system.

Sometimes the problem is within the software itself. Often, the default code is embedded in the app so it can provide a mechanism to let the device be managed even if the administrator’s custom passcode is lost. However, it is poor developer practice to embed passwords into an app’s shipped code, especially unencrypted.

Adding to the problem is the fact Wiegand—the industry-standard over-the-air protocol that is commonly used to communicate contactless credential data to an electronic access reader—is no longer inherently secure. Today, no one would accept usernames and passwords being sent over an unsecured Internet portal, nor should they accept such vulnerable credential data. Anyone with a modicum of hardware hacking skills and a budget of less than $500 can obtain a copy of the master encryption key and create a portable system for reading and cloning Wiegand cards.

ID harvesting has become one of the most lucrative hacking activities. In these attacks, one or more of a credential’s identifiers are cloned or captured, then retransmitted via a small electronic device. For this reason, options can now be added to readers. Some provide a higher-security ‘handshake,’ or code, between the card, tag, and reader to help ensure the reader only accepts information from specially coded credentials. Another relatively new anti-tamper feature can, when embedded, add an additional layer of authentication insurance. Available with contactless smart card readers, cards, and tags, it effectively helps verify the sensitive access control data programmed to a card or tag is indeed genuine and not counterfeit.

Role of the specifier
When considering any security application, it is critical for the specifier to realistically assess the threat of a hack to the facility. For example, if access control is being used merely as a convenient alternative to using physical keys, chances are the end-user has a reduced risk of being hacked. However, if the access system is intended to respond to a perceived or imminent threat generated by the nature of what is done, produced, or housed at the facility, the user may indeed be at higher risk. He or she should consider methods to mitigate the risk of a hack.

The following steps may be considered in reducing the danger of hacking into a Wiegand-based system.

  1. Install only readers that are fully potted. (‘Potting’ is a hard epoxy seal that does not allow access to the reader’s internal electronics from the unsecured side of the building.) An immediate upgrade is recommended for readers failing to meet this standard.
  2. Make certain the reader’s mounting screws are always hidden from normal view. It is best to use security screws whenever possible.
  3. Embed contactless readers inside the wall, not simply on the outside, to effectively hide them from view. If that is not possible and physical tampering remains an issue, consider upgrading the site to incorporate readers providing both ballistic and vandal resistance.
  4. Use reader cable with a continuous overall foil shield tied to a solid-earth ground in a single location. This helps block signals from being induced onto the individual conductors making up the cable, as well as signals that may be gained from the reader cable.
  5. Deploy readers with a pigtail (i.e. a cable that has an appropriate connector on one end and loose wires on the other, designed to patch into an existing line or to terminate the ends of a long run) rather than a connector. Use extended-length pigtails to ensure connections are not made immediately behind the reader.
  6. Run reader cabling through a metal conduit to secure it from the outside world, making certain the conduit is tied to an earth ground.
  7. Add a tamper feature such as Valid ID.
  8. Use the ‘card present’ line available on many access control readers. This signal line lets the access control panel know when the reader is transmitting data.
  9. Provide credentials other than those formatted in the open, industry-standard 26-bit Wiegand. Not only is the 26-bit Wiegand format available for open use, but many of the codes have been duplicated multiple times. Alternatives can include American Bankers Association (ABA) Track II, Open Supervised Device Protocol (OSDP), RS-485, and Transmission Control Protocol/Internet Protocol (TCP/IP).
  10. Offer the customer cards that can be printed and used as photo badges, which are much less likely to be shared.
  11. Employ a custom format with controls in place to govern duplication.
  12. Offer a smart card solution employing sophisticated cryptographic security techniques, such as Advanced Encryption Standard (AES) 128-bit.
  13. Make nontraditional credentials with an anti-playback routine available (e.g. transmitters instead of standard cards and tags). Long-range transmitters offer the additional benefit of not requiring a reader to be installed on the unsecured side of the door. Instead, they can be installed in a secure location such as the security closet—perhaps up to 61 m (200 ft) away.
  14. Provide two-factor readers including contactless and PIN technologies. It is suggested users change PINs on a regular basis. If required, it is best to offer a third factor—normally, a biometric technology (e.g. face, fingerprint, voice, vein, or hand).
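To make step 9 concrete, here is an added example (not code from the article or from Farpointe) that builds and parses the open 26-bit Wiegand format and shows why it offers no protection against duplication: the frame carries only an 8-bit facility code, a 16-bit card number and two parity bits, with no secret and only 2^24 possible credentials. The sample facility/card values are constructed.

```python
# Added example, not from the article: build and parse the open 26-bit Wiegand
# format the author warns against. Layout (bit 0 is sent first):
#   bit 0       even parity over bits 1-12
#   bits 1-8    facility code (8 bits, 0-255)
#   bits 9-24   card number (16 bits, 0-65535)
#   bit 25      odd parity over bits 13-24
# Nothing in the frame is secret: the 24 data bits fully reproduce the credential.

WIEGAND26_LEN = 26
DISTINCT_CREDENTIALS = 2 ** 24  # every facility/card pair the format can express


def _bits(value: int, width: int) -> list:
    """Most-significant-first bit list of `value`, `width` bits wide."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def encode_wiegand26(facility: int, card: int) -> list:
    """Return the 26 bits a reader would clock out for this facility/card pair."""
    if not 0 <= facility <= 0xFF or not 0 <= card <= 0xFFFF:
        raise ValueError("facility must fit in 8 bits and card number in 16 bits")
    body = _bits(facility, 8) + _bits(card, 16)
    even = sum(body[:12]) % 2        # makes bits 0-12 contain an even number of ones
    odd = 1 - (sum(body[12:]) % 2)   # makes bits 13-25 contain an odd number of ones
    return [even] + body + [odd]


def decode_wiegand26(bits) -> tuple:
    """Validate both parity bits and return (facility, card); raise on a bad frame."""
    if len(bits) != WIEGAND26_LEN:
        raise ValueError("expected %d bits, got %d" % (WIEGAND26_LEN, len(bits)))
    if sum(bits[:13]) % 2 != 0:
        raise ValueError("even parity check failed")
    if sum(bits[13:]) % 2 != 1:
        raise ValueError("odd parity check failed")
    body = bits[1:25]
    facility = int("".join(map(str, body[:8])), 2)
    card = int("".join(map(str, body[8:])), 2)
    return facility, card


def frame_to_str(bits) -> str:
    """Render a frame as it would appear on a logic analyser during a site audit."""
    return "".join(map(str, bits))


if __name__ == "__main__":
    frame = encode_wiegand26(123, 45678)   # constructed sample credential
    print(frame_to_str(frame), decode_wiegand26(frame))
    print("distinct credentials expressible:", DISTINCT_CREDENTIALS)
```

Parity only catches wiring faults; it does nothing to stop a frame from being reproduced, which is why a custom format with duplication controls or a cryptographic credential is the remedy.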

Professionals should ensure additional security system components are available. Such systems can play a significant role in reducing the likelihood of an attack, as well as mitigating the impact of a hack attack should it occur. For example, should the access control system be hacked and grant entry to an unauthorized individual, a burglar alarm or video system can detect, record, and annunciate the intrusion. It is also helpful to ensure any guards in the control room—as well as those performing a regular tour—receive an alert notifying them someone has physically tampered with the access control system. With the proper tools, any of these assaults can be defended against.

[8]
Encryption can help identify or prevent use of clone access control cards.

Adding encryption to an access control system
One aspect of securing a card’s information is to make the internal numbers unusable; in other words, they must be encrypted. To read them, the system needs access to a secret ‘key’ or password providing decryption. Modern encryption algorithms play a vital role in ensuring data security via:

The number is encrypted using an encryption algorithm and an encryption key. This generates cipher text that can only be viewed in its original form if decrypted with the correct key. Encryption algorithms are divided into two categories: symmetric and asymmetric.

Symmetric-key ciphers use the same key for encrypting and decrypting a message or file. The most widely used symmetric-key cipher is AES, employed by the government to protect classified information. Another common symmetric cipher, noted for its high speed of transaction, is the TEA (tiny encryption algorithm). It was originally designed at the Cambridge Computer Laboratory.

Asymmetric cryptography uses two different, but mathematically linked, keys—one public and one private. The public key can be shared with everyone, whereas the private key must be kept secret. RSA (named after its inventors, Rivest, Shamir, and Adleman) is the most widely used asymmetric algorithm.

Today, 13.56 MHz smart cards are used to provide increased security compared to 125 kHz proximity cards. One technology, used to enable two-way communications between card and reader, stores the card number on one of its sectors, then encrypts the communication between the card and reader to theoretically make it impossible or, at least, very difficult to clone. Unfortunately, a security flaw was discovered in this version that meant with the right knowledge and hardware, a card could still be cloned or another card in the series created.

Additional encryption on a card, transaction counters, and other methods known in cryptography can be employed to make cloned cards useless or enable the back office to detect a fraudulent card and put it on a blacklist. Systems that work with online readers only (i.e. readers with a permanent link to the back office) are easier to protect than systems that have offline readers, since real-time checks are not possible and blacklists cannot be updated as frequently with offline systems.
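The following is an added example (not code from the article or from any vendor) of the transaction-counter approach described above: a genuine card emits a monotonic counter and a per-card MAC, an online back office rejects and blacklists any read whose counter does not advance, and an offline reader shows why blacklisting lags there. The master key, card identifiers and counters are constructed for the demo, and the key-diversification scheme is an assumption.

```python
# Added example, not from the article: how an online back office can use a
# per-card MAC and a monotonic transaction counter to reject cloned cards and
# blacklist them. Keys, card ids and counters below are constructed for the demo.
import hmac
import hashlib

MASTER_KEY = b"demo-master-key-replace-in-production"  # would live in an HSM


def card_key(card_id: str) -> bytes:
    """Diversify a per-card key so one cloned card never exposes the master (assumed scheme)."""
    return hmac.new(MASTER_KEY, card_id.encode(), hashlib.sha256).digest()


def _mac(card_id: str, counter: int) -> str:
    return hmac.new(card_key(card_id), f"{card_id}:{counter}".encode(),
                    hashlib.sha256).hexdigest()


def card_read(card_id: str, counter: int) -> dict:
    """What a genuine card emits at presentation; the card increments counter each time."""
    return {"id": card_id, "ctr": counter, "mac": _mac(card_id, counter)}


class BackOffice:
    """Online verifier: readers have a permanent link, so every read is checked live."""

    def __init__(self):
        self.last_ctr = {}       # card id -> highest counter accepted so far
        self.blacklist = set()   # cards whose counter went backwards (cloned/replayed)

    def verify(self, read: dict) -> str:
        cid, ctr = read["id"], read["ctr"]
        if cid in self.blacklist:
            return "deny: blacklisted"
        # A forged read (counter edited, or unknown card) fails the MAC.
        if not hmac.compare_digest(_mac(cid, ctr), read["mac"]):
            return "deny: bad mac"
        # A clone copied at counter N can only replay N; the genuine card has moved on.
        if ctr <= self.last_ctr.get(cid, -1):
            self.blacklist.add(cid)
            return "deny: replayed counter, card blacklisted"
        self.last_ctr[cid] = ctr
        return "grant"


class OfflineReader:
    """Offline reader: it only knows the blacklist it last synchronised, so a card
    blacklisted since then still passes the MAC check here until the next sync."""

    def __init__(self, cached_blacklist: set):
        self.cached_blacklist = set(cached_blacklist)

    def verify(self, read: dict) -> str:
        if read["id"] in self.cached_blacklist:
            return "deny: blacklisted"
        ok = hmac.compare_digest(_mac(read["id"], read["ctr"]), read["mac"])
        return "grant" if ok else "deny: bad mac"
```

Note the limit of the counter check: a read skimmed by a rogue reader that the back office never saw can pass once, until the genuine card is next presented; the MAC still prevents fabricating reads with new counters.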

[9]
Whether proximity-, smart-card-, or long-read-based, many anti-hacking features can be deployed.

Ensuring anti-hacking compatibility throughout the system
The Open Supervised Device Protocol (OSDP) is a communication standard adopted by the Security Industry Association (SIA), which lets security equipment such as card and biometric readers from one company interface easily with control panels and equipment from another. In other words, OSDP fosters interoperability among security devices. It also adds sophistication and security benefits through features including bidirectional communication and read/write capabilities.

A two-way channel paves the way for forward-looking security applications such as advanced smart card technology, transparent operations, public key infrastructure (PKI), and mobile device access. Not only does it provide a concise set of commonly used commands and responses, but it also eliminates guesswork, since encryption and authentication is predefined. How will that impact security equipment manufacturers, integrators, and users?

As mentioned, Wiegand has traditionally been the industry standard, but is no longer inherently secure. The multiple definitions associated with the Wiegand name have also created confusion over the years, but OSDP moves the industry forward.

The protocol helps ensure that numerous manufacturers’ products will work with each other—interoperability can be achieved regardless of system architecture. For instance, the specification can handle smart cards by constantly monitoring wiring to protect against attack threats, and serves as a solution for high-end encryption, as is required in federal applications. The specification for handling light-emitting diodes (LEDs), text, buzzers, and other feedback mechanisms provides a rich, user-centric access control environment.

Significantly, the SIA Access Control and Identity Subcommittee is in the process of making OSDP 2.1.6 an American National Standards Institute (ANSI) standard. Many manufacturers have already implemented it, and many other companies have OSDP devices in development. In response, the SIA has released tools that will ensure these numbers continue to grow.

The SIA Open OSDP Test Tool is open-source software that lets manufacturers of OSDP-compatible equipment test their products against the specification. The test tool emulates an OSDP peripheral device or control panel or acts as a ‘message sniffer’ between two ‘real’ OSDP devices. It runs on several widely available, low- to no-cost platforms and hardware and reduces physical barriers to achieving interoperability, such as shipping prototypes to numerous vendors for testing. The underlying source code is another aspect of the tool that can generally be leveraged by device manufacturers in developing their OSDP interoperable products.

The fact OSDP is backed by the SIA means professionals can be confident it is going to become very visible. It is recommended those dealing with smart security in any format start incorporating the OSDP standard in their equipment and systems.

Conclusion
Protecting organizations from hackers is imperative. Hacking threats have grown to include anything from government entities to teenage mischief-makers, and in either case, both IT and OT systems are being targeted—often imperiling national security. With knowledge of what hackers seek and the remedies available to thwart them, anti-hacking specifications are now mandatory.

Scott Lindley is a 25-year veteran of the contactless card access control provider industry. Since 2003, he has been the president of Farpointe Data, which works with radio-frequency identification (RFID) systems, including proximity, smart, and long-range solutions, for many access control professionals around the world. He can be reached via e-mail at scottl@farpointedata.com[10].

Endnotes:
  1. [Image]: https://www.constructionspecifier.com/wp-content/uploads/2017/05/bigstock-148761953-e1494599540494.jpg
  2. [Image]: https://www.constructionspecifier.com/wp-content/uploads/2017/05/bigstock-security-guard-officer-watchin-112769015.jpg
  3. Wyndham Worldwide: http://epic.org/amicus/ftc/wyndham/default.html
  4. lawsuit: http://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate
  5. here: http://www.reuters.com/article/us-ukraine-cybersecurity-usa-idUSKCN0UQ24020160112
  6. cyber intrusion: http://www.cnet.com/news/iranians-indicted-for-hacking-us-banks-new-york-dam
  7. [Image]: https://www.constructionspecifier.com/wp-content/uploads/2017/05/Farpointe-Mullion-Keypad-Reader-on-door-e1494600686467.jpg
  8. [Image]: https://www.constructionspecifier.com/wp-content/uploads/2017/05/MIFARE-DESFire-EV1.jpg
  9. [Image]: https://www.constructionspecifier.com/wp-content/uploads/2017/05/Group-Pic_all-lines.jpg
  10. scottl@farpointedata.com: mailto:scottl@farpointedata.com

Source URL: https://www.constructionspecifier.com/specifying-hacking-resistant-access-control/