Cybersecurity has become a major issue facing security players these days as devices become more and more connected and networkable. While intrusions into video surveillance systems have raised industry awareness, access control systems are equally vulnerable if not properly protected. Against this backdrop, Farpointe Data has posted an RFID Cybersecurity Vulnerability Checklist for access control manufacturers, distributors, integrators and end users.
“Seemingly daily, end users are being reminded of how their access control systems are no longer secure,” said Scott Lindley, President of Farpointe Data. “Knowing what to do is especially important now that government agencies, such as the United States Federal Trade Commission, have begun filing lawsuits against businesses that do not provide good cybersecurity practices.”
Farpointe cited recent reports and incidents to demonstrate how easily communications between cards and readers can be compromised. One example is an IPVM report that a US$30 copier easily spoofed a popular proximity card. Another is an on-site demonstration at the ShmooCon hacker conference showing that it takes intruders two or three minutes to break into an RFID card reader wall plate, attach an ESPKey and reinstall the wall plate to capture the ID codes of everyone in the workplace.
“Increasing news stories of hacking throughout the world and the fact government agencies are now reviewing such cybersecurity lapses should make channel partners providing access control products and systems take notice and implement anti-hacking solutions to their customers,” said Lindley.
The following are some of the points covered in the checklist.
When it comes to default codes, the guide advises against leaving the default installer code in an unarmed state, as it can be used to view the user codes, including the master code, or to change a code or create a new one.
As for Wiegand, the checklist said it is no longer inherently secure, as it once was due to its originally obscure and non-standard nature. The guide urges providing credentials other than those formatted in the open, industry-standard 26-bit Wiegand, which is available for open use and may have been duplicated multiple times.
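To make the 26-bit point concrete, the following added example (not part of the Farpointe checklist or of this article) audits a credential inventory for cards in the open 26-bit layout and for duplicated IDs. It assumes the commonly documented layout of one even-parity bit, an 8-bit facility code, a 16-bit card number and one odd-parity bit; the badge labels and values are constructed.

```python
from collections import Counter

# The whole ID space of the open 26-bit format: 8 + 16 data bits, no secret.
KEYSPACE = 2 ** 24

def encode_wiegand26(facility, card):
    """Build a 26-bit frame (used here only to construct sample data)."""
    body = f"{facility:08b}{card:016b}"
    lead = sum(map(int, body[:12])) % 2        # even parity over first 12 bits
    trail = 1 - sum(map(int, body[12:])) % 2   # odd parity over last 12 bits
    return f"{lead}{body}{trail}"

def decode_wiegand26(bits):
    """Return (facility_code, card_number); raise ValueError if not valid."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("not a 26-bit frame")
    b = [int(c) for c in bits]
    if sum(b[0:13]) % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if sum(b[13:26]) % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    return int(bits[1:9], 2), int(bits[9:25], 2)

def audit(inventory):
    """inventory: list of (label, bitstring).
    Returns (labels in open 26-bit format, labels sharing an ID with another)."""
    decoded = {}
    for label, bits in inventory:
        try:
            decoded[label] = decode_wiegand26(bits)
        except ValueError:
            continue  # other lengths or formats are outside this check
    counts = Counter(decoded.values())
    duplicated = sorted(l for l, v in decoded.items() if counts[v] > 1)
    return sorted(decoded), duplicated

# Constructed inventory: three 26-bit badges (two share an ID), one 37-bit.
SAMPLE = [
    ("badge-A", encode_wiegand26(12, 3456)),
    ("badge-B", encode_wiegand26(12, 3456)),
    ("badge-C", encode_wiegand26(12, 3457)),
    ("badge-D", "1" * 37),
]

if __name__ == "__main__":
    open_format, duplicated = audit(SAMPLE)
    print("open 26-bit credentials:", open_format)
    print("duplicated IDs:", duplicated)
```

The frame carries only two parity bits and about 16.7 million possible IDs, so nothing in it distinguishes an issued card from another card holding the same number.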
During installation, the guide urges installing readers that are fully potted, as potting is a hard epoxy seal that does not allow access to the reader’s sensitive internal electronics from the unsecured side of the building.
Also, for 13.56-MHz contactless smart cards, which are used to provide increased security compared to 125-kHz proximity cards, the guide advises offering a contactless smart card solution that employs sophisticated cryptographic security techniques, such as AES 128-bit encryption.