There Is a Hole in the Boat: Why Access Control Professionals Need to Move From Wiegand to OSDP
Many of the people reading this publication are, presumably, security professionals who take pride in leveraging their expertise to use technology to protect people and property. A large number likely focus on access control solutions to prevent unauthorized entry into controlled facilities and areas.
As unfortunate as it is to say, statistically speaking, the probability is that many readers are not doing a good enough job. It sounds harsh, but someone must tell the captain when there is a hole in the boat, and when it comes to most access control systems being installed today, the truth is there is a hole in the boat.
The problem lies in the fact that most access control systems being installed today still rely on Wiegand-style technology. John Wiegand, grandfather of access control systems, invented this technology in 1974. Needless to say, technology has come a long way since then.
By 1996, Wiegand-style access control had become the de facto standard. Since then, there have been plenty of advancements in the features and benefits of the hardware and software elements of these systems. In many ways, the buildings using these systems have become more secure and more intelligent. However, over the past 10 years, the pace of innovation has also picked up among the bad guys. Hackers have studied these systems, identified vulnerabilities, and created exploits that are simple, inexpensive and fast.
Hacking Access Control Systems
For less than $100, anyone can go online and purchase a device known as an ESP Key. Bad actors can easily take a card reader off the wall and install this postage stamp-sized device on the existing wiring to “sniff” the data that is being transmitted across it. This sensitive data and the vulnerable way it is being transmitted requires attention.
The first problem is that Wiegand-style systems transmit card reader data in one direction, from the card reader to the door controller. Without bidirectional communication, it is impossible to be sure of the status of the card reader. Building owners may not know they have a problem with a card reader until someone tries and fails to badge in. Was it tampered with? Was it vandalized? When did it stop working? These questions are too difficult to answer when there is no immediate alert, which can only be done with bidirectional communication.
The second problem is that the data being transmitted from the card reader to the door controller is sent “in the clear.” This means that the data is being sent as simple pulses that equate to unencrypted ones and zeroes. When the ESP Key sniffs these pulses, it sees and stores the credential data (raw bitstream like a PIN, facility code or user ID). Over the course of a few hours or days, the ESP Key will have collected plenty of data from the unsuspecting users who badged into the door. The hacker needs only to pull out a phone, connect wirelessly to the ESP Key, choose which badge to “replay” and, just like that, they are in the building.
Protected Access Control Systems
At this point, readers may be wondering, with such a big hole in the boat, how can it be fixed? The answer is simple, and it has been around for several years. The Security Industry Association (SIA) adopted the Open Supervised Device Protocol (OSDP) as the new access control standard in 2012. In May 2020, OSDP was approved as an international standard by the International Electrotechnical Commission (published as IEC 60839-11-5). The OSDP standard was most recently released in December 2020 as version 2.2.
What is OSDP and how does it plug this hole? First, OSDP supports bidirectional communication between the card reader and the door controller, which allows for supervision (the “S” in OSDP). Not only is the card reader continuously monitored, but the data is also sent in a secure channel with AES 128-bit encryption. This means that, even if a hacker installed an ESP Key in an OSDP-compliant card reader, any data that was captured would be unusable, because the encrypted data cannot be converted without a one-time “key” for which there are 3.4×1038 combinations.
One does not have to search for long to find stories about companies large and small that fall victim to hackers. And if a system is vulnerable to attack, it is just a matter of time before it is targeted. With attacks focusing on access control systems becoming less expensive to execute, the time is now to take the necessary steps to protect buildings and employees.
The security benefits of OSDP will certainly help make buildings more secure, but what about making them more intelligent as well? OSDP supports new features that allow for a richer user interface. Yesterday’s “high-tech” card readers boasted the ability to flash more than one LED. With OSDP, the monitor at the card reader can prompt a user to use a different entrance, or even wish them a happy birthday.
Taking the Next Steps
Perhaps some of the best news about OSDP is that, while it offers advanced security and intelligence, it does not come with a big price tag. OSDP can be installed for roughly the same price as Wiegand-style systems and there are many great products that make transitioning from Wiegand to OSDP painless.
When installing a new access control system, there really should be only one choice – fully OSDP-compliant products from bow to stern. Some leading manufacturers of OSDP hardware are putting their commitment to the standard front and center by having their products tested in the SIA OSDP Verified program, which validates that a device conforms to the OSDP standard and related performance profiles.
If upgrading or retrofitting an existing system, there are door controllers that will allow for simultaneous connections to Wiegand and OSDP card readers. This option works for those who might choose to start with the most vulnerable or sensitive areas of the building first. In addition, leading companies in the OSDP space offer solutions to convert one door at a time.
Another area where OSDP shines is upgrading card reader software. Wiegand-style systems require users to physically connect to each device in the field. With OSDP’s bidirectional communication, though, it is possible to push an update out to all card readers at once.
In addition to the security benefits noted above, these signals are capable of being transmitted across much longer distances. Standard Wiegand-style card readers need to be located within 500 feet of the door controller. This limitation sometimes requires additional door controllers to be added to a system in order to be within range of the farthest doors. With OSDP, card reader data is transmitted via the RS-485 protocol, enabling signals to be sent 4,000 feet (some manufacturers support even longer distances.) That means the guard shack at the edge of the parking lot and the shed in the back are now within reach.
For Non-Installers
Even non-installers have a responsibility to move the industry in the right direction. It does not matter what a person’s job is on the boat – if they see a hole with water rushing in, they have to tell the captain. A manufacturer who is working on bringing new features or product lines to the market should not allow decisions to be driven by the percentage of Wiegand versus OSDP systems sold last year. Instead, they should nudge customers in the best direction and offer fewer (or no) options for Wiegand-style readers. Consultants and other influencers of security design should promote the benefits of OSDP and educate clients about the problems of unencrypted, nonsupervised transmission of sensitive data.
The security industry was slow to adopt IP video over analog. Certain companies, though, chose to take a leadership position, and by doing so, they catapulted themselves to the leaders they are today, while many of the firms that were slow to adapt are no longer as relevant now. The industry is at a similar crossroads with access control today.
Winning With Wiring
With new hardware and new protocols, some readers may be wondering if new cabling is needed, as well. The short answer is yes. The longer answer is yes, most of the time. To ensure optimal performance, card reader cabling should include two pairs (one for data and one for power) of low capacitance, shielded, 120-Ohm wires. Capacitance is measured in picofarads per foot and something in the ballpark of 12.5 pF/Ft is appropriate. (In contrast, a standard Wiegand card reader typically has a capacitance rating of 47 pF/Ft and an impedance of 39 Ohms.) These types of OSDP card reader cables are readily found at major distributors and can be included as part of a composite cable that has multiple “legs,” all under an overall jacket for door contacts, request for exit buttons, motion detectors, lock power and other accessories in an access control system.
While optimal performance is always going to come from using the appropriate cable for the application, there are going to be short cable runs where the difference is negligible. If an existing card reader cable is less than 200 feet, the risk of using it for OSDP is significantly less than when the cable runs are longer.
Another common question is, “What cable should I run today so my customer is ready tomorrow for OSDP?” If, after educating a customer about the benefits of OSDP, they are still not ready, one forward-thinking strategy is to pull an OSDP card reader cable to each door along with the Wiegand-style composite cable. This way, when the customer is ready to upgrade card readers (and perhaps door controllers), there is no need to waste time installing thousands of feet of new cables throughout the building.
While OSDP is very different from Wiegand, it is not more difficult to learn or install. In fact, the opposite is the case. With fewer wires (two pairs compared to six to 12 conductors), the reduced complexity that comes from long distance support, and the ability to centrally push upgrades to card readers, OSDP can simplify access control projects – all while fixing the hole and keeping the boat afloat.