Access Control Systems are being targeted as entry points for hackers looking to steal sensitive data and security professionals need to recognize and respond to this emerging threat.
Card based access control systems were developed to protect and monitor visitors from unauthorized access to secure buildings. While now ubiquitous, card based access systems were once the end-all be-all of building security, and most companies adopting this technology assumed as long as they took care to control their inventory or active cards they were safe. Unfortunately, as is the case with most technology, it was only a matter of time before bad actors targeted these systems. The three most used ways to compromise card based access systems are skimming, eavesdropping, and relay attacks.
Card based systems normally use embedded RFID chips as the means to authenticate access. RFID, or radio-frequency identification, is the use of radio waves to activate and transmit information between a chip and a receiver. In most instances, the actual RFID chip passively waits to come into proximity with a reader, in this case the access control reader. When the chip comes into close proximity of the reader, the energy being emitted by the reader activates the RFID chip and the chip then transmits its data to the reader.
Skimming occurs when the attacker uses a portable reader to surreptitiously access the information on the victim’s RFID card or fob. Skimming can be accomplished from a distance of several feet, and the target of the attack remains unaware of the data compromise. The distance between the skimmer and reader is dependent on the power output of the specific skimming equipment in use. This method then allows the skimmer to replicate the card and use it to obtain unauthorized access.
Another often used exploit is an eavesdropping attack. Unlike a skimming attack, where the skimmer activates the target RFID chip, this method of RFID compromise is totally passive. Eavesdropping attacks are exactly what they sound like, in that the equipment used is merely a receiver and it just waits for the detection of an RFID chip passing authentication information to a reader and then snoops on the data transfer. Again, the attacker can then replicate the card.
The most recent and perhaps the most alarming type of attack is a relay attack. In a relay attack, the attacker uses a combination of advanced hardware and software to activate an otherwise legitimate RFID chip from distances of up to several kilometers away using what is called a proxy and mole to steal the chip’s information.
Unfortunately, many manufacturers and installers do not seem to secure their own security equipment. Wireless cameras and access card readers are favorite targets for hackers and by leaving them unsecured, they become irresistible entries to systems. Adding to the problem is that the industry standard over-the-air protocol commonly used to communicate credential data from a token to an electronic access reader is no longer secure.
While most companies actively monitor and respond to emerging threats from the internet, the technology of the physical security part of the equation is sometimes all but ignored (other than it being installed and operational). The risk of data being compromised due a physical security breach is every bit as real and potentially damaging as a web attack, and IT administrators would be wise to include protection of physical card access systems in their overall security plans.
How to Protect the Card System from Hacking
- Provide higher security between the card/keyfob and reader to ensure that readers will only accept information from specially coded credentials.
- Do not leave default installer codes in system once the installation is complete. It is easy to find default codes online which gives smart intruders, hackers, etc. easy access to entry to site. Give everyone their own unique access number so if they no longer work at the company, their information can be removed from the computer easily.
- Do not use the passwords embedded into shipped software especially if it is not encrypted. Change them as soon as the system is set up.
- Do not provide credentials formatted in the industry standard 26-bit Wiegand. There are other options that are not as easy to hack.
- An anti-tamper feature is available with smartcard readers, cards and keyfobs because it adds another layer authentication assurance.
- Deploy smart credential using Valid ID. This lets the smart card reader verify that information presented by the card is genuine and not a duplicated card.
- Keep all applications updated. Attackers take advantage of outdated software as a staging point for collecting information and plotting attacks.
- Strong password management is necessary because basic passwords can be utilized for extended time periods by malicious users.
- Deactivate all unused accounts.
- Two factor authentication provides an extra layer of security that requires a separate means of identification. A user name and password with a piece of information that only the user knows makes it harder for potential intruders to gain access and steal that user’s information.
- Use security screws when installing to keep the reader mounting screws hidden from normal view. This will not allow someone to tamper with the reader.
- Use 13.56 MHz contactless smart cards instead of 125 KHz proximity cards