How To Protect Your ID Card Access Control System From Getting Hacked

What is frictionless access control?

Most security professionals are not aware of one of the leading gateways for hackers to attack their cyber systems.

It’s through their own physical security systems, especially wired cameras or contactless card access control systems.

Let’s consider the latter. When a 125kHz proximity card is powered up by getting in “proximity” of a reader, it immediately begins to transmit a fixed binary code number.

As a result, it’s also possible to use a device that will stealthily power up the card from a distance to read and record its internal data. An attacker can then easily use the card’s information to let unauthorized people in.

Adding to the problem is that Wiegand, the industry standard over-the-air protocol commonly used to communicate credential data from a card to an electronic access reader, is no longer inherently secure due to its original obscure and nonstandard nature. Hence, ID harvesting has become one of the most lucrative hacking activities.

Yet now there is an even bigger problem. To get into IT and critical infrastructure operational technology (OT) systems, hackers simply use the card/reader protocol to enter a facility via the public access computer system (PACS), thereby accessing specific computers. Those computers then act as a gateway to the target’s internal Internet, be it the IT or OT system.

Thus, using the physical access control system, hackers steal sensitive data or program a computerized controller to raise the temperature of a blast furnace to unsafe levels.

One aspect of securing the card’s information is to make the internal numbers unusable; encryption must be applied. To read them, the system needs access to a secret key or password that provides decryption. Modern encryption algorithms play a vital role in assuring data security:

  • Authentication — the origin of a message.
  • Integrity — contents of a message have not been changed.
  • Nonrepudiation — the message sender cannot deny sending the message.

Here is how it works. The number is encrypted using an encryption algorithm and an encryption key. This generates cipher text that can only be viewed in its original form if decrypted with the correct key.

Today’s encryption algorithms are divided into two categories: symmetric and asymmetric.

Symmetric-key ciphers use the same key, or secret, for encrypting and decrypting a message or file. The most widely used symmetric-key cipher is the Advanced Encryption Standard (AES), which is used by the government to protect classified information.

Asymmetric cryptography uses two different but mathematically linked keys — one public and one private. The public key can be shared with everyone, whereas the private key must be kept secret. The RSA algorithm was first described in 1977 by MIT’s Ron Rivest, Adi Shamir and Leonard Adleman. It is the most widely used asymmetric algorithm.

Today, 13.56MHz smart cards are used to provide increased security compared to 125kHz proximity cards. One of the first terms stakeholders will discover in learning about smart cards is Mifare, a technology from NXP Semiconductors. Mifare enables two-way communications between the card and the reader.

Mifare Classic was an original version of the Mifare standard used in contactless cards. It stores the card number on one of its sectors, then encrypts the communication between the card and reader to theoretically make it impossible or, at least, very difficult to clone a card.

Unfortunately, a security flaw was discovered in the Mifare Classic standard which meant that, with the right knowledge and hardware, a card could still be cloned or another card in the series created.

The newest of the Mifare standards, Mifare DESFire EV1, includes a cryptographic module on the card itself to add an additional layer of encryption to the card/reader transaction. This is among the highest standard of card security currently available.

About The Author
Scott Lindley,
President of Fairpointe Data, a DORMA Group Company.