Guest Post: “I’ve Upgraded My Credentials. My Facility Is Safe Now, Right?”

Constantine Tremouliaris
Constantine Tremouliaris is an integrated solutions specialist at ASSA ABLOY.

Upgrading to a secure credential is one of the most important security upgrades for any organization, regardless of what industry they operate in. For many building owners or facility managers, removing proximity (prox) cards or other legacy credentials from your security environment is a great place to start when working toward a more secure future. Utilizing a secure credential can provide enhanced protection against cloning, unauthorized access and other types of credential tampering. But just how secure is your newly upgraded credential?

Most employees take their credentials home with them when they leave their facility. Once the employees are outside the secured environment, a secure credential is protected from many of the types of attacks that vulnerable credentials are prone to, so your employees’ access to your buildings stays protected while they are away from your facility. Older technologies like prox or MIFARE Classic cards that leave a facility can be read by many affordable (<$50) card cloners available to the public, whereas a secure credential can protect an end user’s credentials even when exposed to many of these attacks.

Many components of an access control system are protected by the building itself. Some are even in the most secure parts of a building (for example, a server and controller are often in an independent distribution frame (IDF) or main distribution frame (MDF)). The most often exposed parts of an access control system are the locking mechanism and credential reader (card, biometric or mobile). The locking mechanism is generally on the secure side of the door, so to manipulate the lock you would first need to have the door open or already be inside of the facility; however, readers can be found all over a facility, including on the exterior of a building accessible to the public.

Wiegand has been the traditional communication protocol between a reader and a controller since the early 1980s. While upgrading to a secure credential is a critical step in moving towards a more secure environment, once a user presents that secure credential to a reader that is communicating to a controller via Wiegand, that secure credential is converted to 0s and 1s by alternating current across Data0 and Data1 (generally green & white) wires. This alternating current can be captured, recorded and replicated by many affordable (<$50) devices readily available to the public. Wiegand only supports communication from reader to controller and does not allow a “supervised” connection between components, meaning if the reader were to be disconnected, or a device was put in between the reader and controller to capture data or “alternating currents,” the access control system would not be notified.  

This vulnerability was addressed in late 2005 by SIA, Mercury Security and various other channel partners with the inception of the SIA Open Supervised Device Protocol (OSDP). OSDP aims to secure the connection between reader and controller while also allowing for bidirectional communication, pushing wiring limits much further than Wiegand and providing native support for many application enhancements (direct biometric support, smart card interface, authentication, FIPS compliance and interactive terminal capabilities). OSDP supports AES-128 encryption, which can protect a facility from man-in-the-middle attacks, such as adding devices between readers and controllers (the data read by such a device would require a specific one-time “key” to read, of which there are 3.4×10^38 combinations).
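The contrast between the unsupervised Wiegand link and a supervised, authenticated link can be modeled from the controller's side. This is an added example, not code from the original post or from the OSDP specification: the message layout, names and the missed-poll threshold are hypothetical, HMAC-SHA256 stands in for OSDP's AES-128-based protection, and only authentication, freshness and supervision are modeled (not encryption of the payload).

```python
import hashlib
import hmac
import os

CARD = "10010110001100000011100101"  # constructed sample bit string

def wiegand_accepts(frame: str, enrolled: set) -> bool:
    # One-way, unsupervised link: the controller sees only bits on D0/D1.
    # Nothing ties a frame to a session, so a recording looks like a live read.
    return frame in enrolled

def mac(key: bytes, seq: int, payload: bytes) -> bytes:
    # Tag binds the payload to a sequence number under the session key.
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()

def reader_send(key: bytes, seq: int, payload: bytes):
    return (seq, payload, mac(key, seq, payload))

class SupervisedController:
    MAX_MISSED = 3  # assumed threshold before raising an offline/tamper alarm

    def __init__(self, key: bytes):
        self.key, self.next_seq, self.missed = key, 0, 0

    def poll(self, reply):
        if reply is None:  # reader unplugged or line cut: no answer to the poll
            self.missed += 1
            return "ALARM" if self.missed >= self.MAX_MISSED else "NO_REPLY"
        self.missed = 0
        seq, payload, tag = reply
        if not hmac.compare_digest(tag, mac(self.key, seq, payload)):
            return "REJECT_MAC"      # altered or injected message
        if seq != self.next_seq:
            return "REJECT_REPLAY"   # authentic but already seen
        self.next_seq += 1
        return "ACCEPT"

def demo():
    key = os.urandom(16)  # 128-bit per-session key
    ctl = SupervisedController(key)
    live = reader_send(key, 0, CARD.encode())
    forged = (1, b"0" * 26, live[2])  # changed payload carrying the old tag
    return {
        "wiegand_replay": wiegand_accepts(CARD, {CARD}),
        "live": ctl.poll(live),
        "replay": ctl.poll(live),
        "forged": ctl.poll(forged),
        "offline": [ctl.poll(None) for _ in range(3)],
    }

if __name__ == "__main__":
    print(demo())
```

The same recorded frame is accepted on the Wiegand-style path, while the supervised controller rejects the replayed and altered messages and raises an alarm once the reader stops answering polls.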

While pushing the distances further does require specific wiring, existing Wiegand wiring can often be converted to support OSDP. Many manufacturers have even standardized OSDP support across all their product lines. One might ask, “What is stopping today’s facilities from standardizing OSDP on at least all exterior readers?” Honestly, I am not sure. To me, this is the next logical step in securing your environment, especially when the necessary infrastructure is already in place. It can often be accomplished with a simple programming change in your access control system.

Whether we are manufacturers, integrators, installers, distributors or any of the other valuable pieces in the security industry that deliver access control systems to users, we must continue to educate them on the vulnerabilities of their system and explain that “secured” is a moving target. An access control system is only as strong as its weakest link, and while we must always be striving to remove vulnerabilities from our systems, we must remember there will always be people testing the links to our chain.

This blog post originally appeared in the SIA RISE community’s RISE Together newsletter.

The views and opinions expressed in guest posts and/or profiles are those of the authors or sources and do not necessarily reflect the official policy or position of the Security Industry Association.