Hacker at the Door

Oct 1, 2007 12:00 PM, By Ashley Roe

A presentation at DEF CON 15 exposed vulnerabilities in Wiegand card access systems



Media scrutiny

According to industry sources, what has been reported and concluded by various media outlets about Franken's research on the vulnerability of Wiegand card readers is one-sided. One article posed the question of how many terrorists have infiltrated U.S. airports using Franken's method.

“Those guys are sensationalists,” says Bill Nuffer, president of Deister Electronics USA, Manassas, Va. “I think a lot of the headlines and conclusions were blown out of proportion following his presentation.” Nuffer voiced his opinion in a response to Washington Post resident security blogger Brian Krebs' Aug. 5 blog post on the demonstration. “Mr. Krebs would have you believe that the nation's physical security infrastructure will collapse as an army of techno-looters, suddenly emboldened by his article (or their own diabolical research), descends to ravage the assets of industry and government,” he wrote.

Davis says that after seeing Franken's presentation and reading the news reports that followed, a question occurred to him reminiscent of famed radio commentator Paul Harvey. “Where's the rest of the story?” Davis asks. “Many of the reports implied that this [someone using Franken's method to gain unauthorized entry] had already happened.”

Which suggests another question: Should users be concerned?

Wiegand woes

Introduced in the 1980s, the Wiegand protocol emerged after the discovery by John R. Wiegand of the effect created when specialized alloy wire is processed such that two distinct magnetic regions are represented in the same homogenous piece of wire. The two regions react to each other through changes in polarity. The technology was applied to radio frequency identification (RFID) card readers using Wiegand-based sensors to associate card swipes with the rest of an electronic entry system. Identifying data about a user is provided through a card swipe and then communicated and verified internally at the reader.

Vendors picked up on the popularity of the technology and began creating access control systems and components that communicated through Wiegand. Over the years, the protocol has become a de facto standard, and it remains so today even as newer protocols are hitting the market. It has many advantages. “The Wiegand interface can stretch 500-ft., it's inexpensive, easy-to-implement, robust and pretty immune to electrical disturbances,” Davis says. He estimates that the standard is used in 90 percent of card readers today.

Yet, as with many systems, there are points of vulnerability. Franken says the biggest point is that the protocol is plain text, which means there is no authentication between the reader and the access control system. This makes it easier to intercept user data and replay it. The second point, as Franken describes, is that “two screws and a plastic cover” are the only components protecting most access card readers. Essentially, a screwdriver is presumed to be the only tool necessary to gain access to the internal wiring.
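The point Franken makes above, as an added example (not code from the article or from any vendor): a controller that decides from the 26 bits alone accepts the same frame every time it appears, while a link that carries a counter and a MAC rejects a repeated message. The 26-bit layout is the common open format; the sample frame, access list, key and the authenticated message format are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample: standard 26-bit layout, facility code 42, card number 1234.
SAMPLE_FRAME = "10010101000000100110100100"
ALLOWED = {(42, 1234)}            # constructed access list
KEY = b"constructed-demo-key"     # placeholder shared secret, not a real key


def decode_wiegand26(bits):
    """Return (facility, card), or None if the length or parity is wrong."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        return None
    # First 13 bits must hold an even number of 1s, last 13 bits an odd number.
    if bits[:13].count("1") % 2 != 0 or bits[13:].count("1") % 2 != 1:
        return None
    return int(bits[1:9], 2), int(bits[9:25], 2)


def plain_controller(bits):
    """Decision depends only on the bits seen on the wire; parity catches noise only."""
    return decode_wiegand26(bits) in ALLOWED


def reader_send(bits, counter):
    """Hypothetical authenticated link: MAC over a message counter plus the frame."""
    msg = counter.to_bytes(8, "big") + bits.encode()
    return counter, bits, hmac.new(KEY, msg, hashlib.sha256).digest()


class AuthController:
    """Hypothetical controller for the authenticated link above."""

    def __init__(self):
        self.last_counter = -1

    def accept(self, counter, bits, tag):
        msg = counter.to_bytes(8, "big") + bits.encode()
        expected = hmac.new(KEY, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or corrupted message
        if counter <= self.last_counter:
            return False                      # stale counter: repeat of an old message
        self.last_counter = counter
        return plain_controller(bits)
```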

Likelihood of an attack

Many vendors are puzzled by Franken's research because they do not see a high likelihood of attack using his method. They acknowledge that it is possible and that it is not even a difficult thing to do. But what is the likelihood of it actually occurring?

“Zip chance,” says Hunter Knight, president of Integrated Command Software, Houston, a provider of integrated security solutions, including access control software. “The fact that he was able to hack the system does not say anything. It is factually true that someone can go get a reader off the wall, mess with the circuits and manipulate them, absolutely,” Knight says. “If you can get access to the internal wire on any system and have enough money, time and energy, then anybody can replicate the Wiegand signals. A competent electrician or other electronics professional ought to be able to do that in a heartbeat.”

Whether someone is likely to do it maliciously is another consideration.

Nuffer of Deister Electronics considers the attack from a return-on-investment (ROI) perspective. “I think it is incredibly unlikely that some company has actually suffered a loss as a result of it being done,” he says, adding that both users and providers of security systems operate on an ROI basis, asking the question “how much money and time am I going to spend on my security system relative to the probability that it could be breached?”

Nuffer likens the debate to the differences in guarding a McDonald's restaurant and Fort Knox. A user would use more sophisticated security systems to protect Fort Knox because the losses in a breach could be catastrophic.

The very fact that a Wiegand access card reader is the only security provision protecting an access point would suggest that the losses of a breach would be well-contained, Nuffer says. “It is hard to understand why someone would take the risk of trying to get through the front door of a building. The return would not be a $1 billion in gold bullion,” he says. “If that is the only protection they have, then the potential loss is small.”

Adds Knight, “If you're worried about James Bond-type attacks, then as a user, you should think about something more sophisticated (than Wiegand) to protect your assets. Wiegand systems are good as a basic filter on who comes in. They are cheap, robust and immune to noise, and they go a long way.”

Industry sources say users should instead focus on their entire security equation.

Security in depth

Knight says there is a process to building and implementing any kind of system, including security. A user makes a detailed list of the requirements of the system, obtains a proper design, builds according to that design and repeatedly tests it to make sure that the design and implementation processes correlate.

“Security is not just technology at different places. Security is a whole host of practices that are performed within an organization,” he says. Adds HID's Davis, “Security is a holistic approach. It has multiple redundancies, and it is layered.”

In other words, just because a hacker finds a way to beat an initial access point, such as an external card reader, does not mean he or she will not be challenged with two or three more layers of security provisions. These might include closed-circuit television cameras (CCTV) aimed to monitor and log activity around the reader or a reader tamper switch that informs security officers that the unit has been compromised and may be manipulated.

Mark Visbal, director of research and technology for the Security Industry Association (SIA), says users need to instead be concerned with the risk of their individual application before making an assumption about the security or lack thereof of their Wiegand access control systems.

“You do a risk assessment and then you build a system commensurate to that assessment,” he says. “I understand that this is a concern, but you have to put these concerns and risks into perspective for your own application.”

SIA did not release an official statement addressing Franken's claims about the technology's vulnerability, and it does not plan to. “There will be no industry response. I recently met with members at our access control industry group meeting at the ASIS (2007) conference, and I asked what our members thought. Should we take a position or should we not?” Visbal says. The members agreed they would take no position at all.

Visbal compares the issue to the “999 key” phenomenon in the 1970s. A “bump” or “999” key is a key commonly used to bump pin tumbler locks relatively easily. A 999 key can easily be purchased from common online retailers for less than $10.

“999 keys are still out there, but we still have regular pin tumbler locks on our front doors,” Visbal says. “We haven't changed those.”

He adds that with new access control system innovations, such as the U.S. government's Personal Identity Verification (PIV) credential program, vulnerability questions will disappear. The PIV standard calls for government user credentials to be replaced with cards that integrate with both physical and logical access control systems, carry two fingerprints for biometric authentication and contain both contact and contactless smart card interfaces.

Bumping up security

Users who want to increase security around their reader to calm their concerns have a few options, according to industry sources as well as Franken.

“The single most significant thing that can be done is to install a tamper device,” Davis says. A tamper device or switch is a device that automatically signals an alarm when a card reader is manipulated, for example, opened up or taken off a wall. Many suppliers, including HID, regularly install tamper devices on their card readers.
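One way to act on the tamper signal described here and in the layered-security discussion above, as an added example rather than any vendor's software: flag every access grant at a reader whose tamper alarm has fired and has not yet been cleared by a physical inspection. The event names and log format are constructed for illustration.

```python
from datetime import datetime

# Constructed controller events: timestamp, reader id, event, optional card id.
SAMPLE_LOG = """\
2007-10-01T02:10:05 DOOR-07 TAMPER_ALARM
2007-10-01T02:14:40 DOOR-07 TAMPER_RESTORE
2007-10-01T03:01:12 DOOR-07 ACCESS_GRANTED card=1234
2007-10-01T07:55:00 DOOR-02 ACCESS_GRANTED card=5678
2007-10-01T08:30:00 DOOR-07 INSPECTED
2007-10-01T08:45:09 DOOR-07 ACCESS_GRANTED card=1234
"""


def suspect_grants(log_text):
    """Return grants made at readers with a tamper alarm not yet cleared by inspection."""
    untrusted_since = {}   # reader id -> time of the first uncleared tamper alarm
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue                       # skip blank or malformed lines
        when = datetime.fromisoformat(parts[0])
        reader, event = parts[1], parts[2]
        if event == "TAMPER_ALARM":
            untrusted_since.setdefault(reader, when)
        elif event == "INSPECTED":
            untrusted_since.pop(reader, None)
        elif event == "ACCESS_GRANTED" and reader in untrusted_since:
            # TAMPER_RESTORE is deliberately ignored: a closed cover is not an inspection.
            card = parts[3].split("=", 1)[1] if len(parts) > 3 else "unknown"
            findings.append((reader, card, when - untrusted_since[reader]))
    return findings
```

On the sample log, only the 03:01 grant at DOOR-07 is flagged; the grant after the inspection and the grant at DOOR-02 are not.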

Users can also use security screws, or fasteners, to install their card readers. Security screws provide added security through a drive design that prevents removal with ordinary screwdrivers. Example types include screws with low-profile heads that install flush with the surface of the application and large diameter screws with specially designed threads for increased fastening strength.

Perfect security?

Many industry sources contend that perfect security is unattainable. “Every user needs to be aware that there is no such thing as a perfect physical security system,” Nuffer says. “All security is an ROI thing.”

Visbal adds, “There is nothing in this world that cannot be defeated with enough brains, money, energy and expertise. We all know that, right?”

Knight, who also voiced his opinion by commenting on Krebs' Security Fix blog, wrote, “The purpose of the security system is to raise the cost and difficulty of violation of one's security to more than one's estimated threat…”

But Franken thinks differently. “Security systems exist for one reason and one reason only: to make you secure, to secure whatever it is you are protecting; not to raise the cost of it,” he says.

Members of the industry say they will continue to stress that protection from any security breach, whether physical or logical, lies in the hands of the user.

“This is a little made-up sensation that brings no new news. What he is talking about doing could have been done 10 years ago,” Knight says. “He has actually identified one of the hardest ways to penetrate a perimeter. It's an enormously complicated approach.” Knight says users need to be more concerned, for example, with tailgating incidents. “Following someone in is the easiest way to hack the system,” he says.

Franken says he has three additional versions of the gecko under development. One will be able to store data from multiple IDs on a flash chip. Another will interface with wireless systems through Bluetooth technology and will be “ideal” for biometric devices. The third will feature a GSM (Global System for Mobile Communications) interface and potentially be able to control access systems remotely.

With Franken's new versions in the works, a variety of other Wiegand-based access systems may soon be under scrutiny. The issues clearly are not going away.

© 2012 Penton Media Inc.
