Research from Bishop Fox identifies possible OSDP implementation vulnerabilities and provides insightful recommendations to better secure OSDP devices in the field
In early 2023, Bishop Fox disclosed to SIA several weaknesses in an OSDP implementation. Members of the OSDP Technical Subcommittee met with senior security engineer Dan Petro to review the vulnerabilities in depth along with his recommendations. These recommendations were then presented before the subcommittee and will be identified for revision in the next version of the standard, OSDP v2.3. We’d like to thank Bishop Fox for taking this approach and highly recommend a read of their blog post, which summarizes the presentation and provides some great recommendations. Their findings were presented this week to the security researcher community at the Black Hat conference in Las Vegas.
In addition to Bishop Fox’s recommendations, SIA members concluded that the findings are rooted in two main issues: 1) the proper design of OSDP readers and controllers and 2) the installation and management of devices onsite.
- Product Development
The OSDP standard specifies the data format of the commands and replies used to establish a secure channel, and the encryption workflow, in Annex D of OSDP v2.2; however, developers must build these requirements into their products. Products may claim OSDP encryption support, but unless those products are independently reviewed, those claims cannot be validated. The industry understands the concern with this market confusion, and SIA addresses this issue through OSDP Verified, a program by which devices are thoroughly verified against a list of test cases by a third-party laboratory to ensure that the commands, replies and workflows operate as expected. This program is even highlighted within Bishop Fox’s blog, with a recommendation to select devices that have gone through the OSDP Verified program.
- Installation and Configuration
Purchasing OSDP Verified products is just the initial step to ensure devices are secured. The installation and configuration of those devices are just as vital. Weaknesses will exist if the devices are not installed according to manufacturer procedures and administered correctly. The OSDP Technical Subcommittee has collected a list of such security concerns identified from field installations and will work to draft a guide highlighting best practices for configuring and operating access control equipment. Additionally, integrators will want to consider training their teams through the OSDP Boot Camp program to ensure all systems and configurations are installed in accordance with the manufacturer’s procedures and OSDP v2.2. The next course occurs August 23 in Silver Spring, MD. OSDP Boot Camp is offered regularly at major industry events like ISC West, ISC East and PSA TEC, and will continue to be offered in a virtual format in addition to these in-person training camps.
As always, SIA and the OSDP Technical Subcommittee remain committed to improving the security posture of all security industry solutions by updating OSDP to close the gaps and meet the needs of the industry. We look forward to more opportunities to engage the security researcher and penetration testing communities.