Attack of the Clones
Around 90 per cent of all access control cards in use today are easily copied and cloned, with devices that are able to carry out this activity easily available on the internet. Andrew Fulton, Vanderbilt’s access control product manager, examines the scale of the problem and suggests some of the measures that can be taken to ensure that a building is as secure as possible.
Access control is often considered the first line of defence against those with malicious intent, yet there is a growing realisation that many contactless access control systems currently in situ are vulnerable to those wishing to interfere with information and operational technology (IT/OT) systems. Most organisations are simply not aware of just how easily their sensitive data – and the hardware it is stored on – can be hacked, or that the tools to do it can be purchased online for as little as £20.
Theory of evolution
As access control technology has developed over the last 25 years, so too have the protocols used to make it work. In the earliest days of contactless systems, radio frequency identification (RFID) was the de facto choice for most manufacturers and many systems with this technology are still in use. In fact, the broader popularity of RFID for use in tags, readers, labels, cards, fobs and all other items shows no sign of waning, with IDTechEx reporting that in 2017 the total market will be worth $11.2bn, up from $10.52bn in 2016.
Although it took hackers many years to work out how to infiltrate RFID systems, a cursory search on YouTube throws up numerous videos of individuals cloning readers with apparent ease. When it comes to RFID, the problem is that Wiegand, the industry-standard over-the-air protocol commonly used to communicate credential data from a card to an electronic access reader, is no longer inherently secure.
Once the problem surrounding RFID was recognised, access control manufacturers began to use the MIFARE protocol from NXP Semiconductors. With 260 million readers and compliance with ISO/IEC 14443, MIFARE is used in more than 80 per cent of all contactless smart cards today. However, in order to stay one step ahead of the hackers, the company developed MIFARE DESFire EV1 in 2006 and in 2016 augmented its offering with MIFARE DESFire EV2, both of which, at the time of writing, cannot be hacked.
Although some leading access control manufacturers now use MIFARE DESFire EV1, over the next year there will be a move towards MIFARE DESFire EV2, because it has features that offer easier key rotation, easier support for other applications on the card and extended read range.
Ticking time bomb
The good news is that companies such as NXP Semiconductors are developing technology to help thwart the hackers, but there are still many organisations with access control systems that feature outdated protocols. It should also be remembered that even when biometric devices are used, there are hacking tools out there that put these systems equally at risk of attack unless proper actions are taken.
The internal threat regarding access control should also be considered. For instance, organisations can no longer rely on the transactions on an audit report being acceptable as proof of someone’s activities, as an individual can simply claim it was not them and that their card must have been copied. In addition, many corporate compliance rules can easily be broken by employees modifying their passes to perform actions such as breaking the banking rules on compulsory holidays, engaging in secure document printing and logging on to unauthorised computers and other IT equipment.
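One way to test an audit trail when cards may have been copied is to look for the same credential being accepted at two sites closer together in time than anyone could travel. The following is an added example, not part of the original article; the log format, card numbers, site names and travel-time table are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (format, cards and sites are assumptions).
SAMPLE_LOG = """\
2017-03-06T07:00:00 card=30915 site=LONDON door=LOBBY-1 result=GRANTED
2017-03-06T08:30:00 card=20771 site=LONDON door=LOBBY-1 result=GRANTED
2017-03-06T08:58:10 card=10482 site=LONDON door=LOBBY-1 result=GRANTED
2017-03-06T09:05:00 card=20771 site=MANCHESTER door=REAR-2 result=DENIED
2017-03-06T09:20:44 card=10482 site=MANCHESTER door=REAR-2 result=GRANTED
2017-03-06T11:30:00 card=30915 site=MANCHESTER door=REAR-2 result=GRANTED
2017-03-06T12:00:00 card=20771 site=LONDON door=SERVER-RM result=GRANTED
"""

# Assumed minimum door-to-door travel times between sites.
MIN_TRAVEL = {frozenset({"LONDON", "MANCHESTER"}): timedelta(hours=2)}
DEFAULT_MIN_TRAVEL = timedelta(minutes=30)


def parse_event(line):
    """Turn 'timestamp key=value ...' into a dict with a datetime."""
    stamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["time"] = datetime.fromisoformat(stamp)
    return event


def find_conflicts(log_text):
    """Flag cards granted access at two sites faster than travel allows."""
    events = sorted(
        (parse_event(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["time"],
    )
    last_grant = {}   # card -> most recent GRANTED event
    conflicts = []
    for event in events:
        if event["result"] != "GRANTED":
            continue  # only accepted reads place the card at a site
        prev = last_grant.get(event["card"])
        if prev and prev["site"] != event["site"]:
            pair = frozenset({prev["site"], event["site"]})
            gap = event["time"] - prev["time"]
            if gap < MIN_TRAVEL.get(pair, DEFAULT_MIN_TRAVEL):
                conflicts.append((event["card"], prev["site"], event["site"], gap))
        last_grant[event["card"]] = event
    return conflicts


if __name__ == "__main__":
    for card, src, dst, gap in find_conflicts(SAMPLE_LOG):
        print(f"card {card}: {src} -> {dst} in {gap}")
```

A hit does not say which of the two reads was the copy, only that both cannot belong to one cardholder, so it is a trigger for investigation rather than proof.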
The possible consequences of not taking this issue seriously are numerous. According to the UK’s National Crime Agency (NCA), cybercrime has now surpassed all other forms of criminal activity. The NCA’s Cybercrime Assessment 2016 recommended stronger law enforcement and business partnership to fight cybercrime, with ‘cyber-enabled fraud’ making up 36 per cent of all crime reported, and ‘computer misuse’ accounting for 17 per cent. The report also suggested that the problem is likely far worse than the numbers suggest, noting that cybercrime is vastly under-reported.
On the lookout
Maybe these figures should not come as too much of a shock considering that infiltrating IT/OT systems simply involves the use of the card reader protocol to enter a facility, allowing access to computers. Those computers then act as a gateway to the target’s internal internet, allowing a hacker to access sensitive data that can be used for a variety of purposes including identity theft and industrial sabotage.
The amount of personal and corporate information now stored via networks is growing exponentially thanks to the Internet of Things (IoT). Estimates of the number of connected devices set to be in use over the next few years vary enormously. According to Intel, the IoT is predicted to grow from two billion objects in 2006 to 200 billion by 2020, when there will be around 26 smart objects for every human being on Earth. Meanwhile, IBM claims that every day we create 2.5 quintillion bytes of data – according to the US definition that’s 1 followed by 18 zeros – and to put that huge number into perspective, it equates to filling up 57.5 billion 32Gb Apple iPads.
Data protection is an area where failure is not an option – security, legal and regulatory compliance is vital, while data loss and leakage risks must be mitigated. On 25 May 2018, the General Data Protection Regulation (GDPR) becomes European law. Its primary objectives are to give citizens and residents control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the European Union (EU). It requires any organisation that operates in the EU, or handles the personal data of people that reside in the EU, to implement a strong data protection policy, encompassing access, secure storage and destruction.
Organisations have to be more aware than ever of how to protect themselves against hackers. Although the IT network infrastructure is the focus of attention in terms of preventing such cyberattacks, a comprehensive risk evaluation requires a meticulous approach to mapping all of an organisation’s IT-related assets and processes, including access control.
One highly recommended course of action is to carry out a penetration review that will identify whether credentials can be cloned or copied, and whether a system is vulnerable to a ‘sniffing’ attack. A sniffer is an application or device that can read, monitor and capture network data exchanges and network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Many access control card readers are not fitted with tamper devices, and even those which are tamper protected may not be removed and checked after a tamper event to see if a sniffer has been fitted.
In the event that any weaknesses are discovered, a security option that not only secures the cards and readers but also uses the latest Open Supervised Device Protocol (OSDP) should be implemented to ensure that sniffing devices can’t be installed behind the reader or along the communications path. OSDP also allows peripheral devices such as card readers and biometric readers to interface with control panels or other security management systems.
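To show what an unencrypted credential exchange exposes, the following added example (not part of the original article) decodes a constructed frame in the open 26-bit Wiegand layout. The frame, the facility and card numbers and the `controller_accepts` model are assumptions made for illustration.

```python
# Added illustration. Layout of the open 26-bit Wiegand format:
#   bit 0       even parity over bits 1-12
#   bits 1-8    facility code
#   bits 9-24   card number
#   bit 25      odd parity over bits 13-24
# CONSTRUCTED_FRAME is a made-up credential (facility 42, card 12345).
CONSTRUCTED_FRAME = "10010101000110000001110011"


def decode_w26(bits: str) -> dict:
    """Return every field that is readable from the frame itself."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 characters of 0/1")
    return {
        "facility": int(bits[1:9], 2),
        "card": int(bits[9:25], 2),
        # Parity catches line noise; it is not a secret and proves nothing
        # about who sent the frame.
        "parity_ok": bits[:13].count("1") % 2 == 0
        and bits[13:].count("1") % 2 == 1,
    }


def controller_accepts(bits: str, enrolled: set) -> bool:
    """Model of a controller that trusts any well-formed, enrolled frame."""
    fields = decode_w26(bits)
    return fields["parity_ok"] and (fields["facility"], fields["card"]) in enrolled


def flip_bit(bits: str, index: int) -> str:
    """Simulate a single-bit transmission error."""
    flipped = "1" if bits[index] == "0" else "0"
    return bits[:index] + flipped + bits[index + 1:]


if __name__ == "__main__":
    enrolled = {(42, 12345)}
    print(decode_w26(CONSTRUCTED_FRAME))
    # The frame carries no counter, challenge or key, so a second copy of
    # the same bits is indistinguishable from the first presentation.
    print(controller_accepts(CONSTRUCTED_FRAME, enrolled))
    print(controller_accepts(flip_bit(CONSTRUCTED_FRAME, 5), enrolled))
```

The only check the format offers is parity, which detects a corrupted bit but does nothing to authenticate the sender; that gap is what an encrypted, supervised link between reader and controller is meant to close.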
It is also possible to upgrade as many old readers as required, depending on a risk evaluation. Those readers that are upgraded will securely read a new card and those left as less important readers will simply read the old part of the card, and can be upgraded when budget is available.
One of the reasons that hacking has become so widespread is that the chances of getting caught are close to zero. Prosecutions are disconcertingly rare and by the time the alarm is raised the culprit has usually covered their tracks to evade detection. In a world where 100 per cent protection can’t be achieved, every organisation, no matter its size, is a target and, like most other aspects of a successful security strategy, access control should be reviewed and tested on a regular basis.