Buyer Beware: The Vulnerabilities of Traditional Access Control Systems that Compromise Security
We meet customers every day who are unaware of some very real security concerns that come with traditional access control systems. Perhaps you are unaware of them, too. We hope that the following information is helpful to you in fulfilling your responsibility to keep properties, buildings and the people who use them safe.
To interact with a user interface device (UID), such as a card-reader or keypad, traditional access control systems require the UID to be mounted on the unsecure side of the door. This is a serious security flaw, because a UID mounted on the unsecure side of the door that directly controls a door strike or mag lock can be easily opened and hot-wired to unlock the door. For details, I suggest you check out Hot-Wiring Keypads.
In addition, If the UID is a Wiegand output device, the card data is transmitted in a well-known and unencrypted format that can be recorded by simply monitoring the data lines. You can learn more by reading the article Hacking Wiegand.
VIZpin controllers have built-in Bluetooth readers that work up to 30’ (10M) away, so controllers can be mounted on the secure side of the door you are trying to protect. This prevents hackers from physically accessing the device, eliminating “hotwiring,” skimming and Wiegand replay attacks.
If the UID is an IP device and connected to your network (for example Power-over-Ethernet or POE), the UID can be removed from the wall, giving a hacker direct access to your network. If the UID is Wi-Fi enabled, a hacker can also access the network using that access point. In either case, the hacker can now see all unencrypted Wiegand IDs being sent across the network, and can later use a replay attack or inexpensive card programmer to program a new card with the same Wiegand ID.
VIZpin controllers have no hardwired, PoE or Wi-Fi network connection, which prevents hackers from accessing your network through our device. Additionally, our controllers require no network connection (they operate using only Bluetooth and the user’s phone), meaning VIZpin doesn’t create any new holes in your network infrastructure or require you to run a parallel network to isolate any potential security risks. This also removes any costs associated with secure network access for the UIDs, because our controllers require none.
Many locations cannot afford full-time staff to monitor end user activity, so they rely on compliance to ensure security, safety and accountability. Stated policies like “keep your card on you at all times” and “don’t share your keypad PIN number with anyone” are well-intended, but difficult to enforce.
Users frequently choose convenience over security compliance and share cards and PIN numbers. When a guest at a meeting needs to step outside, he or she is simply loaned a card or given a keypad code rather than being escorted, and there is no record of who they are and where they went.
In addition, with a traditional card reader system, cards or fobs that are left unattended can be picked up easily and scanned in seconds without the owner even knowing their security identity has been compromised. It is also easy form to slip a card or fob into a pocket to be used later.
People are much more careful with their Smartphones than their cards and fobs, and very unlikely to loan them to others. Many businesses also mandate that smartphones with corporate access have passcodes or utilize smartphone biometrics such as fingerprint recognition to unlock the phone. The VIZpin SMART app can be configured to require the user to log in in to access their Smartphone keys, adding an additional security layer.
Many Bluetooth devices transmit unencrypted data in to simplify the pairing process, which raises legitimate concerns in a security application. Bluetooth is a long-range technology (30’/10M) with a published protocol and unencrypted data can be read easily by hackers using a man-in-the-middle attack (MITM).
VIZpin Smart Keys incorporate double encryption including AES128 bit plus a proprietary, patented VIZpin algorithm. Every time a VIZpin Smartphone key is used to connect to a controller it uses unique data that prevents replay and MITM attacks.