In end-to-end security, it’s important to consider that the security chain is only as strong as its weakest link. That is why it is essential that an access control system is always evaluated in its entirety, to discover where the weakest link can be found.
It is not uncommon for an access control system to be installed and then run for as long as it physically lasts, with no attention paid to updating its security features. Many systems in the field are over 10 years old, are based on technologies older still, and offer little or no protection against cyber attack.
Some weak links can be strengthened with newer encryption, others with good process, and some only by partial or complete replacement. What is essential for anyone investing in new technology is not to introduce new weak links.
Cards / biometrics
Cards are an important part of access control systems and for many years have been the most popular form factor for identifying a person at an entrance. Many types of card are available from a wide variety of suppliers, but to simplify we can focus on proximity cards (circa 125 kHz) and smart cards (13.56 MHz).
Proximity cards are an older technology with, for the most part, few security features: the card simply emits a static identifier to any reader that energises it. Organisations that have retained this technology (especially combined with Wiegand reader communications, see later) would be well advised to look at newer and more secure alternatives. A few basic internet searches on how to clone the most common proximity technology turn up devices costing around £30 that copy a card. That alone introduces a vulnerability into the access control system that can be the starting point for further exploitation.
Smart cards can offer enhanced security, but only if the deployment is designed with care. Using the card serial number (UID) read out by a Wiegand-output reader offers little more protection than the older proximity technology: the UID is not a secret, it is sent in clear on the air interface during card selection, and it is sent in clear again on the wire. The wider feature set of smart cards, in particular authentication using keys held in the card rather than a static identifier, should be used. Future-proofing (the ability to change algorithms and keys later) and ownership of the encryption keys (whether the organisation or the supplier holds them) are important design factors too. The type and strength of the encryption employed differ greatly between smart card types.
Card to Reader transmission
The transmission of information between the card and the reader is an opportunity for attack. This could take the form of eavesdropping or skimming (reading a card without the holder's knowledge), or of impersonating a legitimate card (spoofing). Encrypting and authenticating this exchange is an effective countermeasure.
The most secure arrangement is for the decryption to take place in the controller rather than in the reader, because controllers are usually located on the secure side of the building while the reader is mounted on the wall outside. Many readers, and even whole systems, do not support this, however.
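The following is an added example, not code from the original article: a challenge-response exchange in which the controller holds the keys and the reader is a plain relay, as the paragraph above recommends. HMAC-SHA256 from the Python standard library stands in for the AES-based authentication that real smart cards use; the class names, the constructed UID and the single-door scenario are assumptions made for the illustration. It shows why a recorded transcript and a UID-only copy both fail against a fresh challenge, where a static serial number would have been accepted.

```python
import hashlib
import hmac
import secrets

# Added example (not from the article): challenge-response between card and
# controller with the reader as a key-less relay. HMAC-SHA256 stands in for
# the AES authentication real cards use; the protocol shape is the point.

MASTER_KEY = secrets.token_bytes(32)          # lives only in the controller


def derive_card_key(master_key: bytes, uid: bytes) -> bytes:
    """Key diversification: a per-card key from the master key and the UID,
    so extracting one card's key does not expose the rest of the estate."""
    return hmac.new(master_key, b"card-key|" + uid, hashlib.sha256).digest()


class SmartCard:
    """Genuine card: holds its diversified key and signs each challenge."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()


class UidOnlyClone:
    """Copy that has only the UID, which is all a static-serial system checks."""

    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, challenge: bytes) -> bytes:
        return bytes(32)                       # no key, so it can only guess


class ReplayClone:
    """Copy that replays a response recorded from an earlier transaction."""

    def __init__(self, uid: bytes, recorded_response: bytes):
        self.uid = uid
        self._recorded = recorded_response

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded                  # ignores the fresh challenge


class TransparentReader:
    """Relays bytes between controller and card and never sees a key, so
    removing it from the unsecured side of the door yields nothing reusable."""

    def __init__(self, reader_id: str):
        self.reader_id = reader_id

    def transact(self, controller: "Controller", card) -> bool:
        challenge = controller.new_challenge(self.reader_id)
        response = card.respond(challenge)     # air interface: observable
        return controller.verify(self.reader_id, card.uid, response)


class Controller:
    """Secure-side controller: owns the master key and the enrolment list."""

    def __init__(self, master_key: bytes, enrolled_uids):
        self._master = master_key
        self._enrolled = set(enrolled_uids)
        self._outstanding = {}                 # reader_id -> single-use challenge

    def new_challenge(self, reader_id: str) -> bytes:
        nonce = secrets.token_bytes(16)        # fresh for every transaction
        self._outstanding[reader_id] = nonce
        return nonce

    def verify(self, reader_id: str, uid: bytes, response: bytes) -> bool:
        nonce = self._outstanding.pop(reader_id, None)
        if nonce is None or uid not in self._enrolled:
            return False
        expected = hmac.new(derive_card_key(self._master, uid),
                            uid + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenario() -> dict:
    """Constructed scenario: one enrolled card, one reader, three presentations."""
    uid = bytes.fromhex("04a1b2c3d4e5f6")      # constructed 7-byte UID
    controller = Controller(MASTER_KEY, [uid])
    reader = TransparentReader("front-door")
    genuine = SmartCard(uid, derive_card_key(MASTER_KEY, uid))
    results = {"genuine": reader.transact(controller, genuine)}

    # An eavesdropper records one complete genuine transaction on the air.
    recorded_challenge = controller.new_challenge(reader.reader_id)
    recorded_response = genuine.respond(recorded_challenge)
    controller.verify(reader.reader_id, uid, recorded_response)

    results["uid_only_clone"] = reader.transact(controller, UidOnlyClone(uid))
    results["replayed_transcript"] = reader.transact(
        controller, ReplayClone(uid, recorded_response))
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:20s} -> {'granted' if ok else 'denied'}")
```

Only the controller ever holds MASTER_KEY; the reader forwards bytes and can be replaced or compromised without a key rotation across the card estate. Real deployments add the reverse direction (the card authenticates the controller) so that a rogue reader cannot harvest responses, and run the exchange under AES on the card; the structure shown here is the same.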
Readers / antennas
The reader's job is to read the card and convert what it reads into a wired signal; it does not need to understand the data on the card. There is therefore no need for decryption to take place in the reader. Decrypting in the reader only creates a risk, because the keys needed for it must then be held in the reader, which is mounted on the unsecured side of the door where it can be removed and examined. This risk must not be underestimated, although many of the solutions in use provide only limited options.
The same hacking risks (eavesdropping, skimming, spoofing) that apply to card-to-reader transmission also apply to reader-to-controller transmission. It is therefore important not to rely on a generic, unprotected protocol such as the popular Wiegand protocol, which sends the card number in clear with no authentication and is very susceptible to interception and replay; encrypted reader-to-controller protocols exist (OSDP with Secure Channel is the usual industry choice). The ideal solution is to consider the security of the card, the reader and their communications together, ensure that both links are encrypted and authenticated, and choose a design that is future-proof, meaning the security can be upgraded if a vulnerability is found later.
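The following is an added example, not code from the original article, and it illustrates both the smart-card-serial-number-over-Wiegand point in the cards section and the reader-to-controller point above. It encodes and decodes the 26-bit Wiegand format that most legacy proximity readers emit (even parity, 8-bit facility code, 16-bit card number, odd parity), which is a documented format rather than an assumption; the enrolment table, the facility and card numbers and the single-door controller logic are constructed for the illustration. The point it shows is that the only check the line offers is parity: an observer reads the number directly, a replayed frame is identical to a genuine one, and no key is needed to build a valid frame for any other number.

```python
# Added example (not from the article): what actually travels on a 26-bit
# Wiegand line between reader and controller. Enrolment data is constructed.

ENROLLED = {(42, 1234), (42, 1235)}        # constructed (facility, card) pairs


def _ones_parity(bits: str) -> int:
    """0 if the count of 1-bits is even, 1 if it is odd."""
    return bits.count("1") & 1


def encode_wiegand26(facility: int, card: int) -> str:
    """Build a frame: even parity | 8-bit facility | 16-bit card | odd parity."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility must fit 8 bits and card number 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = _ones_parity(data[:12])          # bits 0..12 then hold an even count of 1s
    odd = 1 - _ones_parity(data[12:])       # bits 13..25 then hold an odd count of 1s
    return f"{even}{data}{odd}"


def decode_wiegand26(frame: str) -> tuple[int, int]:
    """Recover (facility, card). Parity catches line noise and nothing else."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 bits")
    if _ones_parity(frame[:13]) != 0 or _ones_parity(frame[13:]) != 1:
        raise ValueError("parity error")
    return int(frame[1:9], 2), int(frame[9:25], 2)


def controller_decision(frame: str) -> str:
    """All a controller on a Wiegand line can do: check parity, look up the number."""
    try:
        credential = decode_wiegand26(frame)
    except ValueError:
        return "rejected"
    return "granted" if credential in ENROLLED else "denied"


def demo() -> dict:
    """Constructed scenario: one frame captured from the reader-to-controller wires."""
    captured = encode_wiegand26(42, 1234)
    facility, card = decode_wiegand26(captured)   # the observer reads it in clear
    flipped = captured[:5] + ("1" if captured[5] == "0" else "0") + captured[6:]
    return {
        "captured_frame": captured,
        "observer_reads": (facility, card),
        # the same card presented twice gives identical frames: replay is invisible
        "replay_identical": encode_wiegand26(facility, card) == captured,
        "replay_decision": controller_decision(captured),
        # no key is needed to produce a valid frame for a neighbouring number
        "crafted_decision": controller_decision(encode_wiegand26(facility, card + 1)),
        # a single flipped bit is the only thing the parity bits will ever catch
        "bitflip_decision": controller_decision(flipped),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18s} {value}")
```

Contrast this with an authenticated reader-to-controller link: there the controller can tie each frame to a fresh nonce and a key it shares with the reader, so a recorded frame is useless and a fabricated one fails verification. The Wiegand frame carries nothing for the controller to verify beyond the two parity bits.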