Part 1 - Security considerations for embedded system RFID readers

Kiran Vasishta

In recent years, multinational corporations such as Cathay Pacific, Facebook and Uber have been heavily fined for security and data protection violations, and data protection laws have multiplied as more and more information is gathered and shared online. It therefore becomes crucial to account for security capabilities when choosing an embedded device that touches potentially sensitive data.

RFID readers belong squarely in this ecosystem: personal or identification data is transmitted from a credential either to a host system such as a PC or to an endpoint such as a Human Machine Interface (HMI). A passive RFID transponder, a soft credential such as a mobile phone app using BLE or NFC, a smart card or another contact-based credential can all carry sensitive or personal information. Smart cards and other contact-based credentials more commonly store personal data such as name, address or date of birth, whereas a contactless credential typically carries only an identification number.

Security as a concept

In general, security as a concept always relates to the entire system: the RFID media (contact or contactless credentials), the RFID reader, the host system and any database or cloud server behind it. Security must be accounted for across that whole system, but the application or use case in question matters even more. One should carefully evaluate the consequences of a breach and whether sensitive information is exchanged between the RFID media and the host. As an example, the simple choice of RFID media may directly compromise the intended application's security. There are numerous published references on security vulnerabilities of Low Frequency (125 kHz) contactless transponders. They focus on using a covert reader to capture the static, unprotected identifier that such a card emits to any reader that powers it. An adversary can then clone that identifier onto a blank card and use it to trigger actions such as opening a door or unlocking a computer. Other references highlight vulnerabilities in the Wiegand interface between reader and controller, where the data lines can be tapped to capture the card value in transit because the protocol carries it unencrypted and unauthenticated.

Therefore, older RFID transponders and communication interfaces that are based on these technologies, or whose weaknesses have been publicly demonstrated, should now be treated as fundamentally compromised.
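The interception point described above can be made concrete. The following Python example is added here and is not code from the article or from ELATEC. It encodes and decodes the standard 26-bit Wiegand frame (one even-parity bit, an 8-bit facility code, a 16-bit card number and one odd-parity bit) and reconstructs frames from a constructed capture of D0/D1 pulses, which is what a tap on the reader-to-controller wiring records. The pulse timings, the frame-gap threshold and the sample credentials are assumptions made for the example.

```python
"""26-bit Wiegand: what a wire tap between reader and controller yields.

Added example, not code from the article or from ELATEC. Encodes/decodes the
standard 26-bit frame and rebuilds frames from a constructed D0/D1 pulse
capture, showing that the card value crosses the wire in the clear with no
encryption, no authentication and no freshness.
"""
from dataclasses import dataclass

# Standard 26-bit layout:
#   bit 0      even parity over bits 1-12
#   bits 1-8   facility code
#   bits 9-24  card number
#   bit 25     odd parity over bits 13-24
FRAME_BITS = 26
# Capture-model assumption: pulses inside one frame are a few ms apart; a gap
# longer than this separates two card reads.
FRAME_GAP_US = 20_000


@dataclass(frozen=True)
class Credential:
    facility_code: int
    card_number: int


def encode_26bit(facility_code: int, card_number: int) -> str:
    """Build the 26-bit frame a reader emits for this credential."""
    if not 0 <= facility_code <= 0xFF or not 0 <= card_number <= 0xFFFF:
        raise ValueError("facility code is 8 bits, card number 16 bits")
    payload = f"{facility_code:08b}{card_number:016b}"
    even = payload[:12].count("1") % 2        # bits 0-12 end up with even weight
    odd = (payload[12:].count("1") + 1) % 2   # bits 13-25 end up with odd weight
    return f"{even}{payload}{odd}"


def decode_26bit(bits: str) -> Credential:
    """Parse a frame; parity only detects line errors, it is not integrity protection."""
    if len(bits) != FRAME_BITS or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits of 0/1")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("even parity check failed (bits 0-12)")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("odd parity check failed (bits 13-25)")
    return Credential(int(bits[1:9], 2), int(bits[9:25], 2))


def pulses_for_frame(bits: str, start_us: int, period_us: int = 2_000):
    """Pulse train a reader puts on the lines: a D0 pulse is a 0, a D1 pulse is a 1."""
    return [(start_us + i * period_us, "D1" if b == "1" else "D0") for i, b in enumerate(bits)]


def frames_from_pulses(pulses):
    """Group (time_us, line) events from a passive tap into bit strings, one per read."""
    frames, current, last_t = [], [], None
    for t, line in sorted(pulses):
        if last_t is not None and t - last_t > FRAME_GAP_US and current:
            frames.append("".join(current))
            current = []
        current.append("0" if line == "D0" else "1")
        last_t = t
    if current:
        frames.append("".join(current))
    return frames


def sniff(pulses):
    """Everything an attacker on the wire learns: each credential, ready to replay."""
    return [decode_26bit(frame) for frame in frames_from_pulses(pulses)]


if __name__ == "__main__":
    # Constructed capture: two card reads one second apart (sample values, not real cards).
    capture = pulses_for_frame(encode_26bit(123, 45678), 0) + pulses_for_frame(encode_26bit(1, 2), 1_000_000)
    print(sniff(capture))
```

Because the frame has no nonce, timestamp or MAC, the captured bit string is itself a valid credential: replaying the same pulses to the controller is indistinguishable from presenting the card, which is why a reader-to-controller interface with authenticated, encrypted messaging is preferred.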

As mentioned previously, overall security depends on every component of the system, including the RFID reader. This article focuses on some of the basic security considerations to account for when choosing an RFID reader, and on whether your application actually requires each capability. The key questions are as follows:

Does your application require encryption capabilities? If so, does the reader have the capability to execute cryptographic algorithms?

In every application involving RFID technologies, first assess whether encryption is required and, if so, determine exactly which channel it must protect: the host interface may need to carry encrypted data, the air interface may need to carry protected data, or both. Once those requirements are established, one can evaluate the strength of the protection offered.

Furthermore, many types of contactless transponders store data in memory segments that are locked with cryptographic keys, so that a reader must authenticate with the correct key before it can read them. A suitable card reader can not only authenticate to these segments and read the data but also gives the end user an easy way to set this up. In many instances end users hold their own customised keys for their credentials and are unwilling to share them with the card reader provider. The ability for someone other than the card reader manufacturer to load custom keys therefore becomes essential. This can be provided in several ways, such as a high-level API that lets the user write applications for the card reader, or a graphical user interface in which the customer enters the keys used to access the data sectors. Either way, the keys then reside in the reader and must be protected there.

Do you require encrypted data exchange? If so, where and can the card reader support this?

In a typical scenario the card reader acts as a medium that collects data from the contactless or contact-based transponder and transfers it to the host system. The host can be an endpoint that validates the presented credential locally, or a microcontroller that sends the data over a network to a cloud service or database for validation and authentication. As mentioned previously, it is important to establish whether encryption is needed between the RFID media and the reader, between the reader and the host, or on both links. If the former, credentials that support encrypted communication are required. Only then can an appropriate RFID reader be chosen.

There are use cases in which personal information such as name, address, date of birth or biometric data is stored on the credential, for example smart cards or passports used as credentials. Encrypting the exchange of such data both between credential and reader and between reader and host then becomes critical. The card reader should therefore provide standard cryptographic engines such as AES; DES and 3DES are still encountered in legacy credentials, but single DES is considered broken and 3DES has been deprecated by NIST, so new deployments should rely on AES. The ability to implement custom algorithms eases integration with existing systems, although proprietary or home-grown ciphers should be avoided in favour of standard ones. In cases where smart cards or other contact-based credentials are used, the host system typically drives the communication in its entirety, so the card reader must also offer:

  • Software support for PC/SC (Personal Computer/Smart Card) and the USB CCID (Chip Card Interface Device) device class, together with host drivers that ease software integration.
  • Hardware support for contact standards such as ISO/IEC 7816, Secure Access Module (SAM) slots and other contact-based interfaces.

Author profile

Kiran Vasishta, Field Application Engineer, ELATEC USA



Part 2 - Security considerations for embedded system RFID readers

Does your application require MUTUAL authentication with Secure Access Modules (SAM) and RFID media? If so, does the reader support this?

A Secure Access Module is a type of smart card that follows a contact-based communication standard to interact with a card reader. These modules protect cryptographic keys and perform cryptographic operations on behalf of the reader. Typically, SAMs are used to derive application keys from a master key and to generate session keys. They also enable secure messaging between the RFID media, the reader and the host system.

Ensuring security

Many contactless credentials hold memory segments or applications that are protected with cryptographic keys. These keys are often delivered to card reader manufacturers inside SAMs rather than in plaintext. This not only keeps the keys out of reader firmware and configuration files but adds a step to the authentication process: the card reader first authenticates to the SAM and then relays a series of cryptographic and bit-manipulation operations between the contactless card and the SAM, so the card key itself never leaves the SAM. This can be further strengthened with key diversification, in which the SAM derives a unique key for each card from the master key and the card's identifier, so that extracting one card's key does not expose other cards. The card reader must support such a scenario in both hardware and software. Many end users require the card reader to support it natively and to offer high-level APIs to help with the implementation.

In addition, high-security applications demand that data is transferred in encrypted form, and SAMs make end-to-end protection possible. In such an architecture the reader brokers mutual authentication between the RFID media and the SAM, so protected data crosses the radio link while the keys remain inside the SAM. The reader can also pass data encrypted by the SAM on to the host system, maintaining a high level of security across the system.
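The following Python model, added here and not ELATEC's or any vendor's protocol, shows the division of roles the article describes: the master key exists only inside the SAM, each card carries a key diversified from its UID and application ID, the reader only relays messages, and the record read over the air stays protected until the SAM opens it. HMAC-SHA256 stands in for the AES-based primitives (CMAC, CBC or CTR) a real SAM and DESFire-class card would use; the key derivation, challenge-response layout, tag length, keys, UIDs and AID are all assumptions made for the example.

```python
"""Reader / SAM / card mutual authentication with key diversification.

Added illustrative model, not ELATEC's or any vendor's protocol: the master
key lives only in the SAM, every card carries a key diversified from its UID,
the reader merely relays messages, and the record read from the card stays
protected until the SAM opens it. HMAC-SHA256 stands in for the AES-based
primitives a real SAM and card would use.
"""
import hashlib
import hmac
import secrets

TAG_LEN = 16  # truncated MAC length (assumption for this example)


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def diversify(master_key: bytes, uid: bytes, aid: bytes) -> bytes:
    """Per-card key from master key, card UID and application ID (illustrative KDF).
    Learning one card's key reveals nothing about the master or other cards' keys."""
    return _mac(master_key, b"\x01", uid, aid)


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC in counter mode as a stream cipher (illustrative stand-in for AES-CTR)."""
    blocks = (_mac(key, b"enc", nonce, i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the tag binds the ciphertext to the session nonce."""
    ct = _xor_stream(key, nonce, plaintext)
    return ct + _mac(key, b"auth", nonce, ct)[:TAG_LEN]


def unseal(key: bytes, nonce: bytes, sealed: bytes) -> bytes:
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(key, b"auth", nonce, ct)[:TAG_LEN]):
        raise ValueError("record integrity check failed")
    return _xor_stream(key, nonce, ct)


class Card:
    """Contactless credential: diversified key plus one protected record."""

    def __init__(self, uid: bytes, key: bytes, record: bytes):
        self.uid, self._key, self._record = uid, key, record
        self._rnd_a = self._rnd_b = self._session = None

    def respond(self, rnd_a: bytes):
        """Step 2: answer the SAM's challenge and issue our own."""
        self._rnd_a, self._rnd_b = rnd_a, secrets.token_bytes(16)
        return self._rnd_b, _mac(self._key, self._rnd_a, self._rnd_b)

    def finish(self, sam_mac: bytes) -> None:
        """Step 4: verify the SAM's proof; only then derive the session key."""
        if not hmac.compare_digest(sam_mac, _mac(self._key, self._rnd_b, self._rnd_a)):
            raise PermissionError("card: SAM failed authentication")
        self._session = _mac(self._key, b"session", self._rnd_a, self._rnd_b)

    def read_record(self) -> bytes:
        return seal(self._session, self._rnd_a, self._record)


class SecureAccessModule:
    """Holds the master key; exports neither it nor any derived key."""

    def __init__(self, master_key: bytes):
        self._master, self._state = master_key, {}

    def start_auth(self, uid: bytes, aid: bytes) -> bytes:
        """Step 1: derive the card's key internally and issue a challenge."""
        rnd_a = secrets.token_bytes(16)
        self._state[uid] = [diversify(self._master, uid, aid), rnd_a, None]
        return rnd_a

    def verify_card(self, uid: bytes, rnd_b: bytes, card_mac: bytes) -> bytes:
        """Step 3: check the card's proof, derive the session key, prove ourselves."""
        key, rnd_a, _ = self._state[uid]
        if not hmac.compare_digest(card_mac, _mac(key, rnd_a, rnd_b)):
            raise PermissionError("SAM: card failed authentication")
        self._state[uid][2] = _mac(key, b"session", rnd_a, rnd_b)
        return _mac(key, rnd_b, rnd_a)

    def open_record(self, uid: bytes, sealed: bytes) -> bytes:
        _, rnd_a, session = self._state[uid]
        if session is None:
            raise PermissionError("SAM: no authenticated session for this card")
        return unseal(session, rnd_a, sealed)


def reader_transaction(sam: SecureAccessModule, card: Card, aid: bytes) -> bytes:
    """Reader firmware: relays messages and never handles master, card or session keys."""
    rnd_a = sam.start_auth(card.uid, aid)
    rnd_b, card_mac = card.respond(rnd_a)
    card.finish(sam.verify_card(card.uid, rnd_b, card_mac))
    return sam.open_record(card.uid, card.read_record())


# Constructed demo material (not real keys, AIDs or UIDs).
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
AID = b"\x01\x02\x03"
UID_A, UID_B = bytes.fromhex("04a1b2c3d4e5f6"), bytes.fromhex("04ffeeddccbbaa")


def issue_card(uid: bytes, record: bytes) -> Card:
    """Personalisation step done once by the issuer, who holds the master key."""
    return Card(uid, diversify(MASTER_KEY, uid, AID), record)


if __name__ == "__main__":
    sam = SecureAccessModule(MASTER_KEY)
    print(reader_transaction(sam, issue_card(UID_A, b"EMP-0042"), AID))  # b'EMP-0042'
```

Two failure modes are worth exercising: a cloned card that presents UID B with the key extracted from card A fails step 3, because the SAM derives B's key and the MACs do not match, and any modification of the sealed record on the radio link is rejected by the SAM before the plaintext is released to the reader. Note that `reader_transaction` holds no key material at all, which is the property that lets the reader be deployed in an untrusted location while the SAM does the cryptography.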
Note that the security of distributing SAMs, and of administering their installation in the reader, should be treated as a separate issue and addressed accordingly. There is also the risk of readers being stolen or of SAM modules being removed from a reader. The considerations here do not cover these topics; appropriate precautions must be put in place to improve the overall security of the system.

Does the card reader have communication interfaces other than Wiegand, such as RS-485 or RS-232?

The Wiegand card and the Wiegand interface for data transmission are roughly 40-year-old technology originating from the Wiegand effect discovered by John R. Wiegand in the early 1970s. While Wiegand cards are still in production, they have largely been replaced by newer and cheaper forms of access card. However, the Wiegand data format those cards established is still used on the wire, and it is susceptible to interception because the card value is transmitted in plain text: a tap on the D0 and D1 lines between reader and controller recovers the credential, and since the protocol has neither authentication nor freshness, a captured frame can simply be replayed. The Wiegand interface introduced in the 1980s remains prevalent across both logical and physical access control despite these well-known weaknesses, and it no longer meets current security standards. It is therefore important for integrators to choose a reader-to-controller interface that resists interception and supports encrypted data exchange, for example a bidirectional RS-485 link running OSDP with Secure Channel, which authenticates and encrypts reader traffic with AES-128.

Do you require tamper detection technologies? If so, can the reader meet this requirement?

The need for tamper detection varies greatly from one application to another, so the first question is whether this level of protection suits your use case. As an example, card readers attached to multi-function printers (MFPs) to release print jobs in an enterprise environment can be considered less critical: tampering with the reader may take the printer out of service but will not compromise the confidentiality of your documents. In such deployments the card reader works hand in hand with the MFP and a print management solution that controls the release of print jobs, so if the reader is sabotaged or tampered with, the MFP or the solution simply refuses to release anything. On the other hand, high-security environments such as data centres certainly need greater protection. One must thoroughly evaluate the consequences of any attempt to compromise the device's integrity or the data associated with it; those topics need to be considered separately and are outside the scope of this article. In short, depending on the application, the credentials involved and the data exchanged with the card reader and eventually the host, tamper detection can materially improve the security of the device. Several technologies are available, such as mechanical and optical tamper detectors that can be embedded directly in the card reader.

Do you require the reader's configuration or firmware to be securely shared or loaded onto the card reader? If so, can the reader meet this requirement?

We are all familiar with system and application software updates, as our phones receive security patches or app upgrades over the network. For card readers the process is similar, except that the software or configuration updates may need to be encrypted depending on your use case. For example, if an end customer reads only static card numbers from the RFID media, or does not use data protected by cryptographic keys, the firmware and configuration carry no sensitive information and do not need to be encrypted for confidentiality. The need to encrypt configuration or firmware files arises when the data read by the reader contains personal information, when the reader is configured with a proprietary and confidential corporate data format, or when a customer moves to higher-security credentials protected by keys. In that case existing or new card readers must carry a configuration that holds those keys, and the configuration or firmware must be encrypted because it now contains secrets. Once encrypted, the file no longer exposes the keys and can be shared with customers to update readers in the field, or with the card reader manufacturer to load new readers with the configuration or firmware. This secures both the sharing process and the update process, since the reader receives an already encrypted file. Encryption alone, however, only protects confidentiality; the reader should also verify the authenticity of an update (for example with a signature or message authentication code checked before the file is applied) so that a tampered or attacker-supplied configuration cannot replace legitimate keys or firmware.

Ultimately, it is essential to choose a card reader that can meet the security considerations above, but more importantly the security features chosen need to be appropriate to the customer's requirements. Any integrator should first and foremost evaluate the respective application thoroughly, work with subject matter experts in the field and establish requirements and objectives. Only after developing the concept, system architecture, data flows and the various secure channels can one begin to account for the security features needed. This process not only cements the end system's overall security view but also elucidates the exact security requirements of the resulting application.

In conclusion, choosing an RFID product that not only has the above security features but also has a flexible system design capable of accommodating future adaptations will prove to be the right choice for OEMs and system integrators.

