How Vulnerable Are Access Card Systems?

Aug 7, 2007 4:06 PM

According to a researcher who spoke and demonstrated his methods at the DEF CON hacker conference last weekend, a range of access card readers designed to grant or deny entry to office buildings, airport terminals and other sensitive areas are inherently insecure and easy to hack, reports The Washington Post.

Researcher Zac Franken showed how to use an ordinary proximity card -- a common ID access card that transmits encoded data as a radio frequency signal when waved in front of a reader -- in combination with a tiny programmable chip to gain access to restricted areas protected by any card reader that uses a Wiegand communications standard, according to The Washington Post.

The Wiegand protocol handles the verification of data when an access card is swiped in front of a card reader. Not all card readers use the Wiegand protocol, but it is among the most widely recognized standard in the industry, due to its widespread adoption in the 1980s.

When a card is waved in front of the reader, it sends a signal over a braid of wires to an access control system that verifies that the code hard-written on the card matches with one stored in memory. If it matches, the gate or door protected by the device is unlocked, and the person holding the card is granted access.

Franken's attack works in part because the access control system device on many Wiegand systems commonly stores the ID card number of the very last person to swipe their card. By embedding a simple program into a programmable chip and splicing it into the cabling on the back end of the unit, Franken showed how it was possible to use any proximity card to trick the device into replaying the code associated with the card of the person who most recently entered the protected area.

With a small change in the code, the Washington Post reports that Franken showed how he could deny access to all valid cards after swiping his own, a situation that conjures up some pretty terrifying bad-guy scenarios.

Franken said another weakness that makes the attack possible is that many card readers often are protected only by a plastic cover and two small metal screws. Removing the cover and screws and pulling the device away from the wall reveals a strand of wires. The device he demonstrated held the replay program on a tiny PIC chip -- an inexpensive, commonly available microcontroller with wire crimps on either side -- which was then spliced as a connector between the two ends of the wire strand.

Franken said a great number of biometric systems on the market today -- such as hand geometry and retinal scanners -- also transmit identity information using the Wiegand protocol. Franken said organizations that have Wiegand-based devices can take a number of steps to harden the security of the devices, such as using surveillance cameras at reader locations, or installing readers that include tamper-protection seals.

Want to use this article? Click here for options!
© 2012 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue