Is Your Building Secure? Time to Discuss Access Controls
As owners and property managers look for ways to raise their buildings’ value (and subsequently charge higher rents), security and access control improvements are frequently deployed to achieve these higher property values.
It’s always important for building owners to take stock of their security and look for sensible ways to improve it. Authenticating and authorizing tenants is a concern for both the physical space and the software in it.
Building systems typically have a terminal device, usually some sort of badge reader (for a barcode, magnetic strip, proxcard, Bluetooth, or NFC) or another factor input like a PIN pad or a biometric sensor (mostly fingerprint, maybe the occasional retinal).
These terminals are connected to an access controller which holds a list of accepted credentials that correspond to tenants, maintenance staff, and the like. This controller accepts inputs from the terminals, enables a door lock/turnstile/elevator call, and monitors the state.
Governing these controllers is control software, which is used to update the list of valid credentials, aggregate events and alarms from all of the access controllers, and distribute the badge identifiers. Control software can also integrate with surveillance and patrol systems.
For buildings using magnetic stripes or legacy proxcards as their primary means of authentication, concerns start to rise around the badge interaction. Terminals are typically deployed in conjunction with plain text ID badges that use fixed numbers that rarely change.
These plain text identifiers are particularly easy to intercept, no matter the medium of transmission, and the lack of dynamism requires new badges be manually issued in the event of a breach.
Additionally, these modes of security are particularly vulnerable to intrusion, via copying a badge directly or a “man-in-the-middle” attack, wherein the intruders interfere with the access terminals in some way to mine the badges’ identifying information and duplicate it onto a new badge.
On top of that, these systems are usually unsophisticated and susceptible to basic replay attacks; they often lack a means to lock out access after a suspicious number of failures.
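The missing lockout described above can be enforced where badge reads are evaluated. The following is an added example, not code from any vendor or from the original article; the thresholds, terminal names, badge numbers and event tuples are constructed assumptions.

```python
from collections import defaultdict, deque

class TerminalLockout:
    """Counts denied badge reads per terminal in a sliding window and
    locks the terminal out once the count reaches a threshold."""

    def __init__(self, max_failures=5, window=60, lockout=300):
        self.max_failures = max_failures      # assumed threshold
        self.window = window                  # assumed window, seconds
        self.lockout = lockout                # assumed lockout, seconds
        self.failures = defaultdict(deque)    # terminal -> recent denial times
        self.locked_until = {}                # terminal -> lockout end time

    def handle(self, ts, terminal, badge_id, valid_badges):
        """Return 'granted', 'denied' or 'locked' for one badge read."""
        if self.locked_until.get(terminal, 0) > ts:
            return "locked"                   # valid badges wait out the lockout too
        if badge_id in valid_badges:
            return "granted"                  # a grant does not reset the counter
        recent = self.failures[terminal]
        recent.append(ts)
        while recent and recent[0] <= ts - self.window:
            recent.popleft()                  # forget denials outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[terminal] = ts + self.lockout
            recent.clear()
        return "denied"

# Constructed sample data: (seconds, terminal, badge identifier).
VALID = {"1001", "1002"}
EVENTS = [
    (0, "lobby", "1001"),
    (10, "dock", "9000"), (12, "dock", "9001"), (14, "dock", "9002"),
    (16, "dock", "9003"), (18, "dock", "9004"),   # fifth denial inside 60 s
    (20, "dock", "1002"),                         # valid badge, terminal locked
    (25, "lobby", "1002"),                        # other terminals unaffected
    (400, "dock", "1002"),                        # lockout has expired
]

def replay(events, valid=VALID):
    """Feed a list of events through a fresh controller and collect decisions."""
    ctl = TerminalLockout()
    return [ctl.handle(ts, term, badge, valid) for ts, term, badge in events]

if __name__ == "__main__":
    for event, decision in zip(EVENTS, replay(EVENTS)):
        print(event, decision)
```

A lockout of this kind slows guessing of badge numbers; it does nothing against a cloned badge that presents a valid identifier on the first read.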
The market leader in access control solutions is the Austin-based HID Global, a subsidiary of Swedish door-opening company Assa Abloy.
One of its most popular offerings, the iClass Smart Card, tries to address the issues laid out above, but falls short of delivering end-to-end security. These ID cards do send over encrypted data to the access terminal, which is then fed to the controllers over a wire, using a common key known to all terminals on that control network.
This process prevents feasible decryption of the access key, but decryption is actually unnecessary. All one needs to do to gain access is to clone the exact encrypted signal and broadcast it to the terminal, leaving these cards vulnerable to the same replay and copying attacks as the older access cards.
In fact, copying the iClass card requires a small bit of technical know-how and a $10 machine. That’s all it takes to hack one of the flagship products from the US market leader in secure identity solutions.
The typical keycard access system looks something like this:
It all runs on the Wiegand protocol, a common language that, once learned, enables communication with the whole system. The Wiegand protocol dates back to the 80s and has a laundry list of known vulnerabilities, meaning many systems are wildly out of touch with modern times.
Office card readers that look like this (which I’ve seen everywhere) are particularly vulnerable, and the system needs to be upgraded immediately:
Further, many more modern systems like biometric scanners still rely on Wiegand, so don’t be fooled when outfitting your building. Do your homework and make sure you’re investing in the right security systems.
A Change in Perspective
Shifting from the practical to the more philosophical, it’s important to examine HID’s overall approach to security. At present, it uses a standard unknown to the public security community, unvetted and unverified by anyone impartial.
Typically, the best security practices rely on an open standard, one that impartial, outside parties have tested, reviewed, and approved as a viable practice. Instead, HID relies on validity by obscurity, such that no HID customer has a strong sense of their vulnerabilities until it’s too late. Even then, that doesn’t become widely known because companies are loath to admit to lapses in security. Take a look at the scandals that have plagued Yahoo, Equifax, and Facebook.
If there’s an improper level of access, there’s little incentive to publicly admit to it.
Truly smart buildings use layered systems for access control, keeping out the intruders and swiftly enabling tenants to enter and exit as they please.