Secure Data Transmission and Storage for Access Control Management Systems (ACMS): Part 2 - Wiegand and OSDP

by Chris Vanderbles

In part 2 of this blog series, we'll take a look at the card data transmission between the reader and the access control panel.  In case you missed part 1, Secure Data Transmission and Storage for Access Control Management Systems (ACMS): Part 1 - Card Cloning and Card Security covers the vulnerabilities of current security cards, and provides a brief outline on what you should do to protect your facility.

Secure Reader Communications

Once the issues of card cloning and card security have been addressed (part 1 of our series), you need to consider what happens to the data from the card reader once the card is read.  The standard protocol that has been in place since the 80s is the Wiegand protocol (named after the Wiegand effect, in turn named after its discoverer, John R. Wiegand).  Wiegand communication from a reader uses two data wires (Data 1 and Data 0) together with a ground reference.  Each bit is transmitted as a pulse: the reader briefly pulls Data 0 to ground to send a 0, or Data 1 to ground to send a 1.  The pulse train is generated by the reader and is a direct copy of the data the reader processed from the card (i.e. the card number).  Regardless of how secure or well encrypted the card and its data are, the binary card data is sent in raw, unencrypted form to the access control panel.  This is a problem with the advent of Wiegand card skimmers: devices installed behind a company's card reader that act much like a credit-card skimmer.  The device reads the data flowing down the wire to the access control panel and logs it.  Modern variants have integrated BLE and Wi-Fi, allowing the attacker to play back the last card it skimmed or wirelessly download the entire activity log.  Such a device can make prolonged, undetected access to a facility possible; it takes 10 minutes or less to install and is readily available for under $100 online.
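To make the "raw, unencrypted" point concrete, here is an added example (not code from the original post) that models what an access control panel does with a Wiegand pulse train: it groups pulses into frames using the idle gap, then decodes the common 26-bit format. The timing constants, the pulse-event representation and the sample card values are constructed assumptions. Note that the only integrity check the format offers is parity, which catches line noise but says nothing about who put the bits on the wire; that is exactly why the facility code and card number printed here are what any device on the wire sees.

```python
from typing import List, Tuple

# Constructed model of the panel side of a Wiegand interface (added example, not
# code from the original post). Timing constants are assumptions chosen to be
# typical of readers in the field, not values from the post.
BIT_PERIOD_US = 2_000    # spacing between successive bit pulses
FRAME_GAP_US = 25_000    # idle time on both lines that ends a card read

# One pulse event: (timestamp in microseconds, line) where line 0 means the
# Data 0 wire was pulled to ground (a 0 bit) and 1 means Data 1 was (a 1 bit).
Pulse = Tuple[int, int]


def frames_from_pulses(pulses: List[Pulse], gap_us: int = FRAME_GAP_US) -> List[List[int]]:
    """Group pulse events into card frames; Wiegand has no start/stop framing,
    so an idle gap longer than gap_us is the only frame delimiter."""
    frames: List[List[int]] = []
    current: List[int] = []
    last_t = None
    for t, line in sorted(pulses):
        if current and t - last_t > gap_us:
            frames.append(current)
            current = []
        current.append(line)
        last_t = t
    if current:
        frames.append(current)
    return frames


def pulses_for(bits: List[int], start_us: int = 0) -> List[Pulse]:
    """Constructed pulse timeline a reader would emit for one frame."""
    return [(start_us + i * BIT_PERIOD_US, b) for i, b in enumerate(bits)]


def encode_wiegand26(facility: int, card: int) -> List[int]:
    """Standard 26-bit format: even parity bit, 8-bit facility code,
    16-bit card number, odd parity bit."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility must fit in 8 bits and card in 16 bits")
    data = [int(c) for c in f"{facility:08b}{card:016b}"]
    even = sum(data[:12]) % 2            # makes bits 0..12 even parity
    odd = 1 - sum(data[12:]) % 2         # makes bits 13..25 odd parity
    return [even] + data + [odd]


def decode_wiegand26(bits: List[int]) -> Tuple[int, int, bool]:
    """Return (facility, card, parity_ok). Parity only catches line noise;
    it does not authenticate the sender in any way."""
    if len(bits) != 26:
        raise ValueError(f"expected 26 bits, got {len(bits)}")
    even_ok = sum(bits[:13]) % 2 == 0
    odd_ok = sum(bits[13:]) % 2 == 1
    facility = int("".join(map(str, bits[1:9])), 2)
    card = int("".join(map(str, bits[9:25])), 2)
    return facility, card, even_ok and odd_ok


if __name__ == "__main__":
    # Constructed capture: two badge presentations 100 ms apart.
    capture = pulses_for(encode_wiegand26(123, 45678)) + \
              pulses_for(encode_wiegand26(200, 65535), start_us=100_000)
    for frame in frames_from_pulses(capture):
        print(len(frame), "bits ->", decode_wiegand26(frame))
```

Running the block prints the facility code and card number of both constructed presentations in the clear. Other Wiegand formats (34-bit, 37-bit, proprietary corporate formats) differ only in field widths and parity spans; the framing logic is the same.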

Solving the reader communication problem:

In 2008, HID and Mercury Security developed the OSDP standard (Open Supervised Device Protocol).  This standard was the first step in solving the secure reader communication problem.  OSDP v1 uses a more widely adopted communication standard (RS-485) than the proprietary Wiegand protocol.  The introduction of RS-485 added several key features, including better distance (4000’ vs 500’), better noise immunity, multi-drop capability, and most importantly, bi-directional communication.  While the OSDP v1 standard was a step in the right direction, it could still fall prey to data sniffing attacks.  In 2012, the SIA (Security Industry Association) took over development of the standard and released OSDP v2.  OSDP v2 retains all the features of the original protocol and adds new ones such as busy-reply, smart card communication, and most importantly, secure channel encryption.  Secure channel encryption negotiates a secure communication channel between the security panel and the reader.  This is done at the time of installation and locks the reader to that panel / system, so a reader cannot be replaced with a compromised one without causing the reader communication interface to fail.  Re-enabling communication to a new reader requires that the reader be placed in install mode and that the access control software be set to allow a new secure channel connection.  Communication between the authorized reader and the security panel is now encrypted, preventing any in-line device from intercepting and / or replaying the data being presented.  The bi-directional nature of the communication also allows a properly configured access system to monitor the readers for communication failure, and additionally allows the integrated reader tamper switch to report (if supplied and supported on the reader itself).
OSDP v2 is still in the process of being widely adopted by security panel manufacturers and their software developers.  In the long term, support for this standard will be necessary to adequately protect hard-wired access control reader communications.  Both the access control panel and the reader must support the technology, which is why it is important to carefully select the products being installed in your facility.  If your current system does not support this technology, you may be at risk for undetectable security breaches.
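The properties the two paragraphs above attribute to an OSDP v2 secure channel (a pairing established only in install mode with operator consent on the panel side, frames that an in-line device can neither forge nor replay, and supervision that notices when the reader stops answering) can be seen in a small model. The following is an added example, not code from the original post and not OSDP's actual wire format or cryptography: it stands in a sequence number plus a truncated HMAC-SHA256 tag for the AES-based session keys and MAC that the real protocol derives during secure channel setup. The `Reader`, `Panel`, `POLL`/`ACK` names and the three-missed-polls threshold are assumptions of the model.

```python
import hashlib
import hmac
import os
import struct

# Added model of a supervised, authenticated reader link (not OSDP's real
# secure channel). Frame = 4-byte sequence || payload || 16-byte MAC tag.
MAC_LEN = 16


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Authenticate one frame under the pairing key; the sequence number is
    covered by the MAC so a captured frame cannot be re-sent later."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]
    return header + payload + tag


def unseal(key: bytes, expected_seq: int, frame: bytes) -> bytes:
    """Verify tag and sequence; raise ValueError on forgery, alteration or replay."""
    if len(frame) < 4 + MAC_LEN:
        raise ValueError("short frame")
    header, payload, tag = frame[:4], frame[4:-MAC_LEN], frame[-MAC_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC mismatch: not from the paired peer, or altered in transit")
    (seq,) = struct.unpack(">I", header)
    if seq != expected_seq:
        raise ValueError(f"sequence {seq} != {expected_seq}: replayed or dropped frame")
    return payload


class Reader:
    """Reader side: accepts a pairing key only while in install mode."""

    def __init__(self):
        self.install_mode = True        # factory / reset state
        self.key = None
        self.rx_seq = self.tx_seq = 0

    def accept_pairing(self, key: bytes) -> None:
        if not self.install_mode:
            raise PermissionError("reader already paired; reset to install mode first")
        self.key, self.install_mode = key, False
        self.rx_seq = self.tx_seq = 0

    def handle(self, frame: bytes):
        """Answer one panel command; frames that fail authentication are dropped."""
        if self.key is None:
            return None
        try:
            command = unseal(self.key, self.rx_seq, frame)
        except ValueError:
            return None
        self.rx_seq += 1
        reply = b"ACK" if command == b"POLL" else b"NAK"
        out = seal(self.key, self.tx_seq, reply)
        self.tx_seq += 1
        return out


class Panel:
    """Panel side: owns the pairing key and supervises the link by polling."""

    def __init__(self, missed_poll_limit: int = 3):
        self.key = None
        self.tx_seq = self.rx_seq = self.missed = 0
        self.missed_poll_limit = missed_poll_limit
        self.allow_new_pairing = False  # set by an operator in the ACMS software

    def pair(self, reader: Reader) -> None:
        if not self.allow_new_pairing:
            raise PermissionError("panel not configured to accept a new secure channel")
        self.key = os.urandom(16)
        reader.accept_pairing(self.key)     # raises unless the reader is in install mode
        self.tx_seq = self.rx_seq = self.missed = 0
        self.allow_new_pairing = False

    def poll(self, link) -> str:
        """Send one POLL through `link` (callable: frame -> reply frame or None).
        Returns 'ACK', 'missed', 'offline' (missed-poll limit reached) or 'auth-fail'."""
        frame = seal(self.key, self.tx_seq, b"POLL")
        self.tx_seq += 1
        reply = link(frame)
        if reply is None:
            self.missed += 1
            return "offline" if self.missed >= self.missed_poll_limit else "missed"
        try:
            payload = unseal(self.key, self.rx_seq, reply)
        except ValueError:
            self.missed += 1
            return "auth-fail"
        self.rx_seq += 1
        self.missed = 0
        return payload.decode()


if __name__ == "__main__":
    panel, reader = Panel(), Reader()
    panel.allow_new_pairing = True
    panel.pair(reader)
    print("healthy link:", panel.poll(reader.handle))
    captured = reader.handle(seal(panel.key, panel.tx_seq, b"POLL")); panel.tx_seq += 1
    print("replayed reply:", panel.poll(lambda f: captured))
    print("swapped reader:", [panel.poll(Reader().handle) for _ in range(3)])
```

The model deliberately keeps sequence numbers strictly in step, so a replayed or forged frame surfaces as `auth-fail` and a missing reader as `offline`; an access system that logs those two outcomes per reader is exactly the "monitor the readers for communication failure" behaviour described above. A real deployment would additionally rely on the reader's tamper input where present.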

If you're interested in learning more, have questions, or just want a frank evaluation of your current or newly planned access control system, then please reach out to our knowledgeable sales team by email or at 346-200-3400.