Securing your Security

Sept. 4, 2017
Part 1 of this new series includes some good advice on keeping your clients’ card readers from getting hacked

One of the biggest threats facing locksmiths and their clients today is hacking. Besides possibly exposing the customer to danger and jeopardizing a relationship with a customer, there may be legal liabilities associated with faulty or ineffective security systems.

Awareness of the potential for hacking of our systems should be a high priority for the professional security provider, perhaps second only to the life safety aspects of our installations.

The word ‘hacking’ has taken on great significance in our society and in our industry, although the term’s origin was ostensibly within the IT culture. The term has taken on a sinister meaning, which is to subvert technology for unauthorized purposes.

All types of security systems and equipment ‑ mechanical and electronic ‑ are potential targets for hacking.

Professional security providers are aware of hacking, since it is our worst fear that one of our installed solutions fails to complete its mission to provide security.

It is especially frustrating when a vulnerability is detected in our technologies.

Within the context of electronic access controls and mechanical locks & point of sale systems, here is a short list of potential vulnerabilities:

  • Non-pick resistant or bumpable lock cylinders
  • Non-patented keyways
  • Magstripe credentials
  • Early technology wireless garage door openers

Add to the list technology that has outlived its usefulness because criminals have devised ways to circumvent it and, unfortunately, products which did not deliver all the protection they promised.

We provide specific services and solutions, but the efficacy of our security solutions is limited by variables often beyond our control.

The client may ask our advice, but not follow our advice. The client may not use the security system properly, or may ignore basic common sense things which inhibit the system’s usefulness.

Maybe cost is an issue, and they do not go all the way. In the real world, doesn’t the cost figure into every decision we make?

The client may purchase a system and then assume it will be up to date and work flawlessly forever.

When a criminal gets in where they do not belong, or gets away with something that is not theirs, or when a client suffers an injury, we as professional security providers feel we have let them down.

When you think about it, there are a tremendous number of vulnerabilities associated with our security systems and modern technologies. A vulnerability is an element of the system which may at one time or another be exposed to a security threat.

Our series of articles will ask the designers and manufacturers of security solutions for their perspective on the threats and protections they suggest for the technologies they provide.

We will cover many strategies which address the threats to our security systems and to our clients, including:

  • Firewalls, sandboxes, intranets & extranets
  • Multiple authentication
  • Patented keyways
  • Pick-resistant locks
  • System redundancy
  • Layered system architecture
  • Threat assessment
  • Due diligence
  • System integration
  • Vandal and spyproof readers and keypads
  • Encryption

Card Reader Security

Our first expert contributor to the series is Scott Lindley, President of Farpointe Data. Farpointe Data is the access control industry's OEM for RFID solutions.

The hacking of contactless card access control products can be a major problem. For instance, the research firm IPVM recently reported how a $30 copier easily spoofed a popular proximity card. The column stated that the copier "used to copy the cards works much the same way as normal card readers, with transceiver coil, power supply, IC chip, buzzer and even LEDs components shared by both. Given the principal operation of contactless card readers, the copier excites the coil and delivers power wirelessly to the card, which then momentarily stores energy and then uses it to broadcast card details back to the copier." 

Single factor authentication is often not enough. For a growing number of end-users, single factor verification does not provide the access security level they now require. Today, they want to have multi-factor verification with what they have, a card, plus what they know, a PIN. With Farpointe's new mullion keypad reader and our other proximity or smartcard plus keypad readers in a standard size, locksmiths can provide customers with flexible installation choices and the most reliable solutions for 2-factor validation. The mullion-sized proximity card reader features an eight-inch read range for increased convenience as the user enters a PIN on the keyboard. It meets CIP-006 requirements for 2-factor authentication as described by the North American Electric Reliability Corporation (NERC) and the National Institute of Standards and Technology (NIST) federal guideline.

Not changing the default code. Today’s IP-enabled contactless card readers and wireless cameras have become favorite targets of hackers. Unsecured, they provide irresistible backdoors. By simply putting the default installer code in a disarmed state, it can be used to view the user codes including the master code or to change or create a new code. So, if the installer does not change the default code, the user might as well be giving a user code to everyone. Less than 30 seconds is all it takes to view the master, all other user codes, or even create a new one.

Sometimes the problem is within the software itself. Oftentimes, the default code is embedded in the app to provide a mechanism to let the device still be managed even if the administrator's custom pass code is lost. However, it is a poor developer practice to embed passwords into an app's shipped code, especially unencrypted.
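The contrast between a shipped default code and a provisioned one, as an added example that is not from the article or from any vendor's software. The `Panel` class, its method names and the sample codes are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

FACTORY_DEFAULT = "0000"   # constructed placeholder, not any vendor's real code


def weak_check(entered: str, admin_code: str) -> bool:
    """Pattern the article warns about: a recovery code shipped inside the app."""
    return entered == admin_code or entered == FACTORY_DEFAULT


class Panel:
    """Hypothetical controller that stores only a salted hash of the installer code."""

    ITERATIONS = 100_000

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)   # unique per device
        self._installer_hash = None            # no code works until provisioning

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, self.ITERATIONS)

    def provision(self, installer_code: str) -> None:
        """Refuse to go into service with the factory default or a trivial code."""
        if installer_code == FACTORY_DEFAULT:
            raise ValueError("installer code must differ from the factory default")
        if len(installer_code) < 6 or len(set(installer_code)) < 3:
            raise ValueError("installer code is too short or too repetitive")
        self._installer_hash = self._hash(installer_code)

    def check_installer(self, entered: str) -> bool:
        if self._installer_hash is None:
            return False
        # Constant-time comparison; nothing recoverable is embedded in shipped code.
        return hmac.compare_digest(self._hash(entered), self._installer_hash)


if __name__ == "__main__":
    print("weak panel accepts default:", weak_check(FACTORY_DEFAULT, "739154"))
    panel = Panel()
    panel.provision("739154")                      # constructed sample code
    print("hardened accepts default:", panel.check_installer(FACTORY_DEFAULT))
    print("hardened accepts real code:", panel.check_installer("739154"))
```

A lost installer code in the hardened form is handled by re-provisioning the unit on site rather than by a universal code.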

Wiegand is no longer safe. Wiegand, the industry standard over-the-air protocol commonly used to communicate credential data from a contactless access credential to an electronic access reader, is no longer inherently secure due to its original obscure and non-standard nature. For this reason, options are now available that can be added to the readers.

For both proximity and smart card systems, Farpointe's MAXSecure option provides a high-security handshake, or code, between the card, tag and reader to help prevent credential duplication and ensure that your readers will only collect data from these specially coded credentials. For those familiar with mechanical access control, it's the electronic security equivalent of a mechanical key management system, in which a specific organization is the only one that has the individual key that they use. Such keys are only available through their locksmith and their locksmith never provides another company with the same key.

For smart card systems, at manufacture, readers, cards and tags can be programmed with Farpointe Data's Valid ID algorithm, cryptographically ensuring the integrity of the sensitive access control data stored on the card or tag. With Valid ID, readers scan through the credential's access control data searching for data discrepancies, which may occur during the counterfeiting, tampering or hacking of a contactless smartcard. Valid ID is an additional layer of protection to Mifare authentication, operating independently, in addition to, and above this standard level of security. In use, Valid ID allows a smartcard reader to effectively verify that the sensitive access control data programmed to a card or tag is not counterfeit.

You must encrypt. Farpointe Data recently alerted its partners about the potential impact on their businesses of the settlement of Edenborough v. ADT LLC, Case No. 3:16-cv-02233, in the U.S. District Court for the Northern District of California. Referred to as the ADT Hacking Vulnerability Class Action Lawsuit, ADT will pay $16 million to settle five hacking vulnerability class actions because of claims that ADT’s wireless security systems were vulnerable to hacking because ADT failed to include any encryption within them.

All modern contactless smart card credentials support cryptography but legacy credential technology may not. Look for terms such as 3DES, AES (which the government uses to protect classified information), TEA and RSA.

Also, security professionals should always consider more secure 13.56 MHz smart credentials over 125 kHz proximity cards. "Mifare," a technology from NXP Semiconductors, is a leading brand of contactless smart IC. The newest Mifare standard, DESFire EV1, includes a cryptographic module on the card, adding an additional layer of encryption to the card/reader transaction.

Farpointe Data migrated to MIFARE DESFire EV1 in its line of Delta smart cards well over a year ago. As a result, locksmiths will be able to tout greater security over MIFARE Classic smart cards because MIFARE DESFire EV1 uses 128 AES encryption, the same as used by the U.S. federal government. MIFARE DESFire EV1 is based on open global standards for both air interface and cryptographic methods. It is compliant to all 4 levels of ISO/IEC 14443A and uses optional ISO/IEC 7816-4 commands.

Many installation techniques are simply common sense. For instance, install only readers that are fully potted. Potting is a hard epoxy seal that does not allow access to the reader’s sensitive internal electronics from the unsecured side of the building. An immediate upgrading is recommended for readers that fail to meet this standard. Also, embed contactless readers inside the wall, not simply on the outside, effectively hiding them from view. Or, if that is not possible and physical tampering remains an issue, consider upgrading the site to readers that provide both ballistic and vandal resistance. 

Make certain the reader's mounting screws are always hidden from normal view. Make use of security screws whenever possible. Use reader cable with a continuous overall foil shield tied to a solid earth ground in a single location. This helps block signals from being induced onto the individual conductors making up the cable as well as those signals that may be gained from the reader cable. Deploy readers with a pig tail, not a connector. Use extended length pig tails to assure that connections are not made immediately behind the reader. Lastly, run reader cabling through a metal conduit, securing it from the outside world. Make certain the metal conduit is tied to an earth ground.

Leverage Long Range Reading systems. In an interesting application of Farpointe long-range reading, locksmiths can use non-traditional credentials with an anti-playback routine, such as transmitters, instead of standard cards and tags. Long range transmitters offer the additional benefit of not requiring a reader be installed on the unsecured side of the door. Instead they can be installed in a secure location, such as the security closet, up to 200 feet away.

Available in either a two- or four-button configuration and equipped standard with a weather-resistant potted proximity or contactless smart card module, the transmitter can be used as a presentation-style access credential. For example, a button may be presented to access a long range application, such as a gated parking structure, and then be presented to an access control reader to allow entry into the building.

Using standard 26-bit Wiegand protocol and featuring standard mounting holes, the WRR-22 and WRR-44 can be used as "add-on" or "wire-in" receivers. Using custom Wiegand 32- or 36-bit protocol, the long range system can be made even more secure. This prevents credential duplication and ensures that the readers will only collect data from this single system's coded credentials. The lithium cell battery is tested to exceed 250,000 presses.
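What a standard 26-bit Wiegand frame actually carries, as an added example that is not Farpointe's code or part of the original article. It assumes the widely used open 26-bit layout (one even-parity bit, an 8-bit facility code, a 16-bit card number, one odd-parity bit); the function names are hypothetical and the sample credential is constructed.

```python
FRAME_BITS = 26  # 1 even-parity + 8 facility + 16 card number + 1 odd-parity


class WiegandError(ValueError):
    """Raised when a frame is malformed or fails a parity check."""


def encode_26(facility: int, card: int) -> str:
    """Build a frame as a '0'/'1' string (used here to construct sample input)."""
    if not (0 <= facility <= 0xFF and 0 <= card <= 0xFFFF):
        raise WiegandError("facility code is 8 bits, card number is 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = data[:12].count("1") % 2        # makes bits 1-13 hold an even number of 1s
    odd = 1 - data[12:].count("1") % 2     # makes bits 14-26 hold an odd number of 1s
    return f"{even}{data}{odd}"


def decode_26(bits: str) -> tuple:
    """Return (facility, card) or raise WiegandError; a controller should drop bad frames."""
    if len(bits) != FRAME_BITS or set(bits) - {"0", "1"}:
        raise WiegandError("expected exactly 26 binary digits")
    if bits[:13].count("1") % 2 != 0:
        raise WiegandError("even parity over bits 1-13 failed")
    if bits[13:].count("1") % 2 != 1:
        raise WiegandError("odd parity over bits 14-26 failed")
    return int(bits[1:9], 2), int(bits[9:25], 2)


def undetected_single_bit_flips(frame: str) -> int:
    """Count single-bit corruptions that still decode; parity should catch all 26."""
    missed = 0
    for i in range(FRAME_BITS):
        flipped = frame[:i] + ("1" if frame[i] == "0" else "0") + frame[i + 1:]
        try:
            decode_26(flipped)
            missed += 1
        except WiegandError:
            pass
    return missed


if __name__ == "__main__":
    sample = encode_26(facility=123, card=45678)   # constructed sample credential
    print(sample, decode_26(sample))
    print("undetected single-bit flips:", undetected_single_bit_flips(sample))
    # The frame holds no key, counter or nonce: the same 26 bits go out on every
    # read, so parity guards against line noise only, not against a copied card.
```

Parity here is an error check for wiring noise; two flipped bits within the same half of the frame still pass, which is one reason the article points to coded credentials, encryption and OSDP for actual protection.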

Assure anti-hacking compatibility throughout the system. Today, locksmiths can add the option of having the Open Supervised Device Protocol (OSDP™), a communication standard adopted by the Security Industry Association (SIA), to their Farpointe smart card readers. OSDP lets Farpointe smart card readers interface easily with control panels or other security management systems, fostering interoperability among security devices. OSDP is IP-extensible for next generation security applications and has already been embraced by important segments of the industry. It is a standard that brings consistency, as well as heightened security and interoperability, between different manufacturers' devices.

OSDP helps ensure that numerous manufacturers’ products will work with each other. Importantly, interoperability can be achieved regardless of system architecture. The specification handles smartcards, constantly monitoring wiring to protect against attack threats and can serve as a solution for high-end encryption such as required in federal applications. The specification for handling LEDs, text, buzzers and other feedback mechanisms provides a rich, user-centric access control environment. 

About the Author

Tim O'Leary

Tim O'Leary is a security consultant, trainer and technician who has also been writing articles on all areas of locksmithing & physical security for many years.