Access Control Vulnerability & Interoperability:
Improving the Reader-to-Panel Connection
Tony Diodato, CTO
Cypress Integration Solutions
1
Babak Javadi, Director of Research
The CORE Group
Access Control Vulnerability & Interoperability
Got vulnerabilities?
Prevalent Assumptions – Agree or Disagree?
•
•
•
•
•
•
•
2
Wiegand is inherently secure
... so is RS-485
If you have a guy hunkered down in your electrical room with
alligator clips on the 485 runs, then you have bigger problems.
There’s not enough power in a prox card to be skimmed beyond a
few inches.
The Cloud is your friend.
The IT department has it under control.
Wired connections are more secure than wireless.
Access Control Vulnerability & Interoperability
Got vulnerabilities?
Where are the vulnerabilities?
•
•
•
•
•
•
3
The card?
Between card and reader?
Panel to console?
Console to Cloud?
The last few inches of wire?
Between reader and panel?
Access Control Vulnerability & Interoperability
Got vulnerabilities?
How tough is it
to hack a Wiegand connection?
4
Access Control Vulnerability & Interoperability
Got vulnerabilities?
So what's vulnerable?
•
•
•
•
•
•
The card?
Between card and reader?
The last few inches of wire?
Between reader and panel?
Panel to console?
Console to Cloud?
All of the above!
5
Access Control Vulnerability & Interoperability
Securing Vulnerabilities with OSDP
Vulnerable point 1: Card and reader
•
•
•
•
•
•
6
125KHz
Marconi
One-way conversation
13.56 MHz HID iClass, MIFARE, DESFire, etc.
2-way conversation (key to securing)
Can employ encryption and authentication
Access Control Vulnerability & Interoperability
Securing Vulnerabilities with OSDP
Vulnerable Point 2: Reader and panel
•
•
•
•
•
•
•
•
7
Fuel pump skimmers in the news
Gecko
Attack side / secure side
2-way conversation
Can employ Secure Channel
Authentication and encryption
Standardization
SIA standard (on track for ANSI)
Access Control Vulnerability & Interoperability
Securing Vulnerabilities with OSDP
Vulnerability 3: Panel to console
•
•
•
•
•
8
RS-232
RS-485
Ethernet
Wi-Fi
USB
Access Control Vulnerability & Interoperability
Securing Vulnerabilities with OSDP
Forecast: Cloudy with a chance of extinction
•
•
•
9
Substitute the phrase “Other peoples’ computers” for “The Cloud”
Panel-to-console
Console-to-Cloud
Access Control Vulnerability & Interoperability
Installation Comparisons: Current Practices v. OSDP
Current installation method overview:
Reader to Panel
•
•
•
10
Wiegand
Strobed
Serial
Access Control Vulnerability & Interoperability
Installation Comparisons: Current Practices v. OSDP
Current installation method overview:
Panel to door
•
•
•
11
Door strike
REX
Door monitor
Access Control Vulnerability & Interoperability
Installation Comparisons: Current Practices v. OSDP
Current installation method overview:
Wiring
•
•
•
•
12
11 wires
500 ft. limit
Mixture of 22 to 12 AWG
Most are unsupervised
Access Control Vulnerability & Interoperability
Installation Comparisons: Current Practices v. OSDP
Background on 2-wire protocols and OSDP
“Back in my day...”
•
•
•
•
•
•
13
2-wire protocol (not new)
Very proprietary
Fairly low speed
No intent to be interoperable
No progress until 2005, when Mercury Security Corporation and
channel partners started work on an open protocol
In 2012, Mercury, HID Global (and more recently Codebench, Inc.),
assigned OSDP specification to SIA
Access Control Vulnerability & Interoperability
Installation Comparisons: Current Practices v. OSDP
Background on 2-wire protocols and OSDP
•
•
•
14
Can’t we all just get along? (Standardization) / 30th anniversary of “sun
setting on Wiegand”
OSDP leadership elicited stakeholder buy-in:
• Joe/SIA
• Frank/Mercury
Criteria for standard from working group:
• Low cost of implementation for manufacturer
• Minimal packet structure
• Expandable as needed
• Well-defined security feature
Access Control Vulnerability & Interoperability
Installation Comparisons: Current Practices v. OSDP
OSDP overview
•
•
•
•
•
•
15
SIA Standard: Open Supervised Device Protocol
Current version 2.1.6
On ANSI track
Open Source Tools
Interoperability
Currently working on Ethernet version using TLS (ONVIF)
• Low-cost
• Minimal feature set
Access Control Vulnerability & Interoperability
Installation Comparisons: Current Practices v. OSDP
OSDP overview
•
•
•
•
•
•
•
•
16
2-Way Conversation
4 wires (sometimes 2)
Fully supervised
Authenticated
Encrypted
Expanded I/O
Point-to-point
Multi-drop
Access Control Vulnerability & Interoperability
Installation Comparisons: Current Practices v. OSDP
OSDP installation
•
•
17
Control Panel (CP)
• Master unit
• Command (poll)
Peripheral Device (PD)
• Slave unit
• Response
• Addressable (126 devices)
• Multiple device types
Access Control Vulnerability & Interoperability
Installation Comparisons: Current Practices v. OSDP
OSDP installation demo
• Legacy panel, OSDP reader
• Wiegand reader port
• REX, door monitor, tamper
• Supervision
• Secure Channel
• OSDP panel, Wiegand reader/door
• Signal wires reduced to single pair
• Supervision
• Secure Channel
• New install
• Panel
• Reader
• Door control
18
Access Control Vulnerability & Interoperability
Installation Comparisons: Current Practices v. OSDP
How hackable is OSDP?
19
Access Control Vulnerability & Interoperability
Summary: OSDP v. Wiegand
•
•
20
Review previous assumptions/assessments
Thoughts, comments, questions
Access Control Vulnerability & Interoperability