Secure Data Transmission and Storage for Access Control Management Systems (ACMS): Part 3 - Data Encryption and Security at the Access Control Panel

by Chris Vanderbles
in Blog

In part 3 of this blog series, we'll briefly discuss the data that is stored on an access control panel.  There are many different styles of panels, some of which act as both the controller and the "head-end".  This entry specifically addresses controllers that report back to a central controlling software, either on-premise or in the cloud.

The Importance of Data Encryption and Security at the Access Control Panel

Now that we have addressed the security issues surrounding getting the card data securely from the card to the access control panel (see our Part 1 - Card Cloning and Card Security, and Part 2 - Wiegand and OSDP articles in case you missed them), we can focus on the more sophisticated criminal that may be targeting your facility. 

The Problem:

Once a bad actor gains physical access to an access control panel, it is usually game over when it comes to bypassing security.  A knowledgeable attacker can implement several physical workarounds to bypass the panel’s decision-making process and implement their own overrides to gain access to your facility.  The often-overlooked point here is that while an attacker may compromise one of the security panel locations, they cannot physically override the remainder of the security panels throughout your facility.  Each physical system bypass requires access to the security panel controlling each door, making a whole-system compromise a much harder task.  The actual data being stored on the security panel may be the real prize in this battle.  Most access control panels store data relating to all the card holders that have access to the doors that the panel controls.  This may include card number, card format, access levels, and facility codes.  All panels store this information in a proprietary way specific to each panel manufacturer’s specifications, but legacy panels did not keep this data encrypted on-panel or at rest.  This means that a determined, sophisticated attacker who gains physical access to one of these panels may be able to extract the access data from the panel and use it to create a duplicate card, similar to the card cloning mentioned in previous blog entries, but without ever requiring access to the victim’s actual card, and with the added benefit of being able to determine which card in the panel has the highest access level and duplicate / clone that one.

The Solution - Data Encryption at Rest:

Modern security panels should have encryption available as an option, and it should be enabled in a best-practices implementation.  The terminology surrounding panel encryption can be confusing; when enabling or verifying it, make sure that the setting you are working with applies to the data being stored on the panel, and not to the data in transit (our next blog entry).  The data encryption that will protect data on-panel is often referred to as on-board encryption, SD card encryption, or Data at Rest encryption.  This means that the data being stored locally on the controller is encrypted and secured.  Some panels have an added security layer termed CPNI (after the Centre for the Protection of National Infrastructure).  A CPNI implementation sets a no-local-storage policy for the security panel’s non-volatile memory, meaning that the security database and transactions are only stored in non-permanent panel memory (RAM), and are lost / destroyed when the panel is powered off.  This has the added benefit of ensuring that there is simply no data on the panel available to try to decrypt in the event of an attack.  The down-side to the CPNI implementation is that in order for a panel to regain functionality after a power loss, it must be able to successfully communicate with the server to retrieve the operational data once again.  This also means that any historical transactions that may have been stored on the panel (and not yet communicated to the server) will also be lost.  Encryption at Rest and other on-panel security implementations like Trusted Execution Environment, Secure Boot, Firmware Signature Checking, etc. are key factors in protecting the integrity of data present in the field.  These technologies should be implemented in addition to standard security breach notifications such as panel communication failures, AC power failures, and panel tamper alarms.
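As an added illustration (example code written for this post, not code from any panel vendor), the Go program below models the three storage policies just described: a legacy panel that writes its cardholder database to flash as-is, a panel with data-at-rest encryption (AES-128-GCM here; real panels use vendor-specific schemes), and a CPNI-style panel that keeps the database in RAM only.  The Cardholder record layout, the ALL_DOORS access level and the 16-byte key are constructed for the example; the key is assumed to live in a secure element or TEE rather than in the flash image.  A dump of the flash image (what an attacker with physical access gets) reveals the highest access level only in the legacy mode, while the RAM-only panel cannot restore itself after a power cycle and must resync with the server, which is the trade-off the text describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Cardholder is the kind of record a controller caches so it can decide offline; constructed layout.
type Cardholder struct {
	CardNumber   uint32 `json:"card"`
	FacilityCode uint8  `json:"fc"`
	AccessLevel  string `json:"level"`
}

// StorageMode models the three on-panel policies discussed above.
type StorageMode int

const (
	PlaintextFlash StorageMode = iota // legacy: database written to flash/SD as-is
	EncryptedFlash                    // data-at-rest encryption, key held outside the flash image
	RAMOnly                           // CPNI-style: nothing written to non-volatile memory
)

// Panel separates volatile memory (RAM) from what a physical attacker can dump from the
// board (Flash). The AES key exists only inside aead (standing in for a secure element/TEE).
type Panel struct {
	Mode  StorageMode
	RAM   []Cardholder
	Flash []byte
	aead  cipher.AEAD
}

// NewPanel takes the key the panel would fetch from its secure element at boot.
func NewPanel(mode StorageMode, key []byte) (*Panel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Panel{Mode: mode, aead: aead}, err
}

// LoadDatabase is the download from the head-end; each mode persists it differently.
func (p *Panel) LoadDatabase(db []Cardholder) error {
	p.RAM, p.Flash = db, nil
	if p.Mode == RAMOnly {
		return nil
	}
	plain, err := json.Marshal(db)
	if err != nil || p.Mode == PlaintextFlash {
		p.Flash = plain
		return err
	}
	nonce := make([]byte, p.aead.NonceSize()) // random nonce stored ahead of the ciphertext
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	p.Flash = p.aead.Seal(nonce, nonce, plain, nil) // AES-128-GCM: confidentiality and integrity
	return nil
}

// PowerCycle wipes RAM and reports whether the panel restored itself from flash (true) or must
// reach the server again before it can make decisions (false).
func (p *Panel) PowerCycle() (bool, error) {
	p.RAM = nil
	if p.Mode == RAMOnly {
		return false, nil // no local copy exists; the panel must resync from the server
	}
	plain, n := p.Flash, p.aead.NonceSize()
	if p.Mode == EncryptedFlash {
		if len(plain) < n {
			return false, fmt.Errorf("flash image too short to be a sealed database")
		}
		var err error
		if plain, err = p.aead.Open(nil, plain[:n], plain[n:], nil); err != nil {
			return false, err // wrong key or tampered image
		}
	}
	if err := json.Unmarshal(plain, &p.RAM); err != nil {
		return false, err
	}
	return true, nil
}

// LeaksLevel reports whether an access-level string is readable from a dump with no key at all.
func LeaksLevel(image []byte, level string) bool {
	return bytes.Contains(image, []byte(`"level":"`+level+`"`))
}

func main() {
	p, _ := NewPanel(PlaintextFlash, []byte("constructed-16B!")) // constructed key
	_ = p.LoadDatabase([]Cardholder{{12399, 101, "ALL_DOORS"}})
	fmt.Println("legacy flash dump reveals the top access level:", LeaksLevel(p.Flash, "ALL_DOORS"))
}
```

Run it with `go run` to see the legacy case; switching the mode to EncryptedFlash makes the same check return false, and RAMOnly leaves nothing in Flash to check at all.  The design point is that the key is never part of the dumped image, so an attacker who lifts the flash chip holds only ciphertext.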

If you're interested in learning more, have questions, or just want a frank evaluation of your current or newly planned access control system, then please reach out to our knowledgeable sales team by email or at 346-200-3400.

Secure Data Transmission and Storage for Access Control Management Systems (ACMS): Part 2 - Wiegand and OSDP

by Chris Vanderbles
in Blog

In part 2 of this blog series, we'll take a look at the card data transmission between the reader and the access control panel.  In case you missed part 1, Secure Data Transmission and Storage for Access Control Management Systems (ACMS): Part 1 - Card Cloning and Card Security covers the vulnerabilities of current security cards, and provides a brief outline on what you should do to protect your facility.

Secure Reader Communications

Once the issues of card cloning and card security have been addressed (part 1 of our series), you need to consider what happens to the data from the card reader once the card is read.  The standard protocol that has been in place since the 80’s is the Wiegand protocol (named after the Wiegand effect, in turn named after its discoverer, John R. Wiegand).  Wiegand communication from readers consists of two data wires (Data 1 and Data 0) used in conjunction with a ground reference.  Data is pulsed (0 or 1) by pulling the Data 0 or Data 1 line to ground.  The binary pulsing of the signal is generated by the reader and is a direct copy / representation of the data that the reader processed from the card (i.e. the card number).  Regardless of the security and encryption of the card and its data, the binary card data is sent in raw, unencrypted form to the access control panel.  This has proved problematic with the advent of Wiegand card skimmers.  These are devices that can be installed behind a company’s card reader and act much like a credit-card skimmer.  The device reads the data flowing down the wire to the access control panel and logs it.  Modern variants of these devices have integrated BLE and Wi-Fi, allowing the attacker to play back the last skimmed card it recorded, or to wirelessly download the entire activity log.  This type of device can make it possible to achieve prolonged, undetected access to a facility; it requires 10 minutes or less to install and is readily available for under $100 online.
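To make the "direct copy of the card data" point concrete, here is an added example (written for this article, not code from any reader or panel vendor): a decoder for the common 26-bit Wiegand format, fed a constructed capture of the Data0/Data1 pulses.  The format is public (even parity over the first 13 bits, an 8-bit facility code, a 16-bit card number, odd parity over the last 13 bits), and the decoder needs no key or secret, which is exactly why anything logging those two wires holds a usable credential.  The facility code and card number in the sample capture are invented; the encoder is included only so the decoder can be checked against a known credential.

```go
package main

import (
	"errors"
	"fmt"
)

// Wiegand26 is the decoded content of a standard 26-bit frame: one even-parity
// bit, 8 facility-code bits, 16 card-number bits, one odd-parity bit.
type Wiegand26 struct {
	FacilityCode uint8
	CardNumber   uint16
}

// capturedFrame is a constructed sample of what a logger on the two data lines
// would record: one character per pulse, '0' for Data0 and '1' for Data1.
const capturedFrame = "00110010100110000001110011"

// FrameFromCapture turns a logged pulse string into a bit slice.
func FrameFromCapture(s string) ([]uint8, error) {
	bits := make([]uint8, 0, len(s))
	for _, c := range s {
		switch c {
		case '0':
			bits = append(bits, 0)
		case '1':
			bits = append(bits, 1)
		default:
			return nil, fmt.Errorf("invalid pulse %q in capture", c)
		}
	}
	return bits, nil
}

// DecodeWiegand26 checks both parity groups and extracts the fields. No key or
// secret is involved: the frame is the credential, which is the weakness above.
func DecodeWiegand26(bits []uint8) (Wiegand26, error) {
	if len(bits) != 26 {
		return Wiegand26{}, fmt.Errorf("expected 26 bits, got %d", len(bits))
	}
	if countOnes(bits[0:13])%2 != 0 {
		return Wiegand26{}, errors.New("leading even-parity check failed")
	}
	if countOnes(bits[13:26])%2 != 1 {
		return Wiegand26{}, errors.New("trailing odd-parity check failed")
	}
	var fc uint8
	for _, b := range bits[1:9] {
		fc = fc<<1 | b
	}
	var cn uint16
	for _, b := range bits[9:25] {
		cn = cn<<1 | uint16(b)
	}
	return Wiegand26{FacilityCode: fc, CardNumber: cn}, nil
}

// EncodeWiegand26 produces the pulse sequence a reader emits for a credential;
// it is the exact inverse of DecodeWiegand26 and is used here to validate it.
func EncodeWiegand26(fc uint8, cn uint16) []uint8 {
	bits := make([]uint8, 26)
	for i := 0; i < 8; i++ {
		bits[1+i] = (fc >> (7 - i)) & 1
	}
	for i := 0; i < 16; i++ {
		bits[9+i] = uint8((cn >> (15 - i)) & 1)
	}
	bits[0] = countOnes(bits[1:13]) % 2     // even parity over the first 12 data bits
	bits[25] = 1 - countOnes(bits[13:25])%2 // odd parity over the last 12 data bits
	return bits
}

func countOnes(bits []uint8) uint8 {
	var n uint8
	for _, b := range bits {
		n += b
	}
	return n
}

func main() {
	bits, err := FrameFromCapture(capturedFrame)
	if err != nil {
		panic(err)
	}
	cred, err := DecodeWiegand26(bits)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wire capture decodes to facility code %d, card number %d\n", cred.FacilityCode, cred.CardNumber)
}
```

The parity bits are the only integrity mechanism the format has: they catch a single flipped bit from electrical noise but offer no authentication, so a panel cannot tell a genuine reader's pulses from anything else driving the same two lines.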

Solving the reader communication problem:

In 2008, HID and Mercury Security developed the OSDP standard (Open Supervised Device Protocol).  This standard was the first step in solving the secure reader communication problem.  OSDP v1 utilizes a more widely adopted standard for communication (RS-485) than the proprietary Wiegand protocol.  The introduction of RS-485 added several key features, including better distance (4000’ vs 500’), better noise immunity, multi-drop capability, and most importantly, bi-directional communication.  While the OSDP v1 standard was a step in the right direction, it could still fall prey to data sniffing attacks.  In 2012, the SIA (Security Industry Association) took over the development of the standard and released OSDP v2.  OSDP v2 contains all the features that the original protocol contained, but added new features such as busy-reply, smart card communication, and most importantly, secure channel encryption.  Secure channel encryption negotiates a secure communication channel between the security panel and the reader.  This process is done at the time of installation and locks the reader to that panel / system.  This process ensures that a reader cannot be replaced with an otherwise compromised one without causing the reader communication interface to fail.  Re-enabling communication to a new reader requires that the reader be configured to install mode, and the access control software be set to allow for a new secure channel connection.  Communication between the authorized reader and the security panel is now encrypted, preventing any in-line devices from being able to intercept and / or replay the data being presented.  The bi-directional nature of the communication also allows for properly configured access systems to monitor the readers for communication failure, and additionally allows for the integrated reader tamper switch to report (if supplied and supported on the reader itself).  
OSDP v2 is still in the process of being widely adopted by security panel manufacturers and their software developers.  In the long term, support for this standard will be necessary to adequately protect hard-wired access control reader communications.  Both the access control panel and the reader must support the technology, which is why it is important to carefully select the products being installed in your facility.  If your current system does not support this technology, you may be at risk for undetectable security breaches.
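The three properties the text attributes to OSDP v2 secure channel (install-time pairing that locks a reader to the panel, encryption that hides the card data from in-line devices, and rejection of replayed frames) can be shown with a small model.  The Go program below is an added example written for this post; it is not the OSDP secure channel itself (which has its own key derivation, packet and command structure) but a simplified AES-128-GCM channel with a per-reader counter, used here only to illustrate the same checks from the panel's side.  The reader serial RDR00001, the card-read string and the 12-byte header layout are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Reader keeps the AEAD built from its pairing key and a counter that never
// repeats under that key. ID is a constructed 8-byte reader serial.
type Reader struct {
	ID   [8]byte
	aead cipher.AEAD
	seq  uint32
}

// Panel remembers one AEAD and one highest-seen counter per paired reader.
type Panel struct {
	InstallMode bool
	readers     map[[8]byte]cipher.AEAD
	lastSeq     map[[8]byte]uint32
}

func NewPanel() *Panel {
	return &Panel{readers: map[[8]byte]cipher.AEAD{}, lastSeq: map[[8]byte]uint32{}}
}

// Pair is the one-time install step; it is refused unless the panel was deliberately put
// into install mode, which is what stops a swapped reader from enrolling itself.
func (p *Panel) Pair(r *Reader) error {
	if !p.InstallMode {
		return errors.New("panel not in install mode: refusing to pair a new reader")
	}
	key := make([]byte, 16) // AES-128 key shared over the (physically secured) install link
	if _, err := rand.Read(key); err != nil {
		return err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	p.readers[r.ID], p.lastSeq[r.ID] = aead, 0
	r.aead, r.seq = aead, 0
	return nil
}

// Send encrypts a card read so nothing on the wire reveals the credential. The cleartext
// header (reader ID || counter) doubles as the 12-byte nonce and is authenticated as
// associated data, so it cannot be edited without detection.
func (r *Reader) Send(cardData []byte) ([]byte, error) {
	if r.aead == nil {
		return nil, errors.New("reader has not been paired with a panel")
	}
	r.seq++
	h := make([]byte, 12)
	copy(h, r.ID[:])
	binary.BigEndian.PutUint32(h[8:], r.seq)
	return r.aead.Seal(append([]byte(nil), h...), h, cardData, h), nil
}

// Receive accepts a frame only from a paired reader, only with a counter higher
// than any seen before (so replays fail), and only if the tag verifies.
func (p *Panel) Receive(frame []byte) ([]byte, error) {
	if len(frame) < 12+16 { // header plus GCM tag, at minimum
		return nil, errors.New("frame too short")
	}
	var id [8]byte
	copy(id[:], frame[:8])
	aead, ok := p.readers[id]
	if !ok {
		return nil, errors.New("frame from a reader this panel was never paired with")
	}
	seq := binary.BigEndian.Uint32(frame[8:12])
	if seq <= p.lastSeq[id] {
		return nil, errors.New("counter not fresh: replayed frame rejected")
	}
	plain, err := aead.Open(nil, frame[:12], frame[12:], frame[:12])
	if err != nil {
		return nil, errors.New("authentication failed: wrong key or tampered frame")
	}
	p.lastSeq[id] = seq
	return plain, nil
}

func main() {
	panel, reader := NewPanel(), &Reader{ID: [8]byte{'R', 'D', 'R', '0', '0', '0', '0', '1'}}
	panel.InstallMode = true
	fmt.Println("pair:", panel.Pair(reader))
	frame, _ := reader.Send([]byte("FC=101 CN=12345")) // constructed card read
	_, first := panel.Receive(frame)
	_, replay := panel.Receive(frame)
	fmt.Println("first delivery:", first, "| replay:", replay)
}
```

Note the order of checks in Receive: the counter is compared before the tag is verified, and only updated after verification succeeds, so a forged frame can neither be replayed nor used to advance the panel's counter.  The monitoring benefit the text mentions follows from the same structure: a reader that stops producing verifiable frames is distinguishable from one that is merely silent.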

If you're interested in learning more, have questions, or just want a frank evaluation of your current or newly planned access control system, then please reach out to our knowledgeable sales team by email or at 346-200-3400.

Secure Data Transmission and Storage for Access Control Management Systems (ACMS): Part 1 - Card Cloning and Card Security

by Chris Vanderbles
in Blog


In this blog series, we'll delve into what it takes to have true data security when it comes to your access control system.  We'll begin with the card (physical credential), and work our way up to the server/database level, but first, let's identify the root problem.

The Problem:

Traditional access control systems have historically relied on technical obfuscation, AKA “security through obscurity”, and the high level of skill that would be necessary to undermine the system as key factors in keeping the customer’s facility secure.  Due to several technical advancements, access to inexpensive manufacturing, and the general advancement of the sophistication of attackers, this model is now vulnerable to several “fast and easy” hacks that allow the everyday criminal to expand their horizons.

Part 1 - Card Cloning and Card Security:

Let’s talk access cards for a moment.  One of the most widely recognized access cards is the nearly ubiquitous “Proxy” card.  This card tends to be a legacy 125 kHz Proximity card made by HID (www.hidglobal.com).  These cards have long been the workhorse of the corporate world.  Released in the 1980’s, they brought about a revolution in access control.  The cards were pre-programmed by the manufacturer with certain card numbers and facility codes.  The RFID (Radio Frequency IDentification) proximity technology in the cards allowed users to simply place the card near the reader and get the doors to unlock (if they had access).  This card technology is still widely in use today, though we’ll see why that’s a security risk these days.  The biggest down-side to this style of card is that the data encoded on the card is 100% unencrypted.  This means that the data can be read by anything that can get in range of the card and knows how to process the signal.  One of the most widely known (but more expensive) options to achieve this is the Proxmark device, originally developed by Jonathan Westhues and released under the GNU General Public License back in 2007.  Originally, the product had to be kitted together and hand assembled, soldered, programmed, etc., all of which required a technically skilled individual.  Fast forward more than a decade, and the current incarnation is available for purchase online for $300-$400, and includes the ability to read and clone 125 kHz proximity cards as well as the newer 13.56 MHz Mifare cards (more on those later).  The good news is that this tool was ultimately designed for penetration testers and is still probably out of the league of your common criminal.  Now for the bad news: there are at least a couple of less expensive, easier ways to copy a legacy prox card.

1. Key copying kiosks are commonplace these days; what is newer is that there are kiosks that can additionally copy / clone your access card.  The company KeyMe does just that, enabling anyone with a card to submit it for copying.  The good news (if you can call it that) is that you actually have to have the card in your possession at the kiosk in order to copy it, so a criminal would need to physically have your card in order to copy it (just as with copying a key).

2. Cheap card-cloners are now also available directly online for as little as $30.  These devices can copy / clone HID 125 kHz proximity cards, are battery powered, and have a grand total of 3 buttons on them (on/off, read, write).  Any criminal can now copy your card if they get close enough to it (typically 1-2 inches) for about 1 second.  These devices usually make a beep noise when they copy a card, but it is trivial to damage the speaker to make them silent.

In addition to the legacy prox card being cloneable, the encryption present on several 1st generation contactless smart-cards (13.56 MHz) has also been cracked / broken.  Card technologies that have been hacked / broken include:

Most 125 kHz Proximity (HID, Indala, etc.)
HID iClass
Mifare (also known as Mifare Classic)

Card technologies that are not currently compromised:

HID iClass SE
HID iClass SEOS
Mifare DESFire Family (EV1 and EV2)
Mifare Plus

When selecting a card and reader technology for your facility, don't just opt for the cheapest technology available, as that can prove to be a disastrous, and costly, decision in the long run.  Make sure you select a card and reader technology that is secure so that you can avoid a major security breach (at worst), or having to pay to replace the cards and readers at a later date.  While replacing the readers and cards themselves can be costly, many do not consider the amount of administrative time and effort it takes to completely re-issue a new set of credentials to an entire employee operation.  Not only does replacing the credentials take additional administrative time, but there are inevitably disruptions to the facility's operations when people are switching between cards, which can directly affect the productivity of your employees.  Choosing a secure technology at the beginning of the project may slightly increase the costs of the readers and credentials (10%-50% typically), but the overall cost of these components is typically small in comparison to that of the entire system.

If you're interested in learning more, have questions, or just want a frank evaluation of your current or newly planned access control system, then please reach out to our knowledgeable sales team by email or at 346-200-3400.