In recent years, multinational corporations such as Cathay Pacific, Facebook and Uber have been heavily fined for security and data protection violations, and data protection law has tightened as ever more information is gathered and shared online. It is therefore essential to weigh the security capabilities of any embedded device that handles potentially sensitive data.

RFID readers sit squarely in this ecosystem: they pass personal or user identification data to a host system such as a PC or to an endpoint such as a Human Machine Interface (HMI). A passive RFID transponder, a soft credential such as a mobile phone app using BLE or NFC, a smart card or another contact-based credential can all carry sensitive or personal information. Smart cards and other contact-based credentials more commonly store personal data such as name, address or date of birth, whereas a contactless credential often carries only an identification number.

Security as a concept

In general, security is a property of the whole system: the RFID media (contact or contactless credentials), the RFID reader, the host system and any database or cloud server behind it. Accounting for security across the system is necessary, but the application or use case in question matters more. One should carefully evaluate the consequences of a breach and whether any sensitive information is exchanged between the RFID media and the host. As an example, the choice of RFID media alone may directly compromise the intended application's security. There are numerous published attacks on Low Frequency (125 kHz) contactless transponders: a covert reader placed within range captures the unprotected static card data, and the adversary then clones the credential to trigger whatever action it is trusted for, such as opening a door to a facility or unlocking a computer. Other references describe tapping the Wiegand interface between reader and controller to capture card values from the plaintext signal lines.

Therefore, older RFID transponders and communication interfaces that rely on this kind of unprotected static data, or for which practical attacks have been published, should be treated as fundamentally compromised.

As mentioned previously, overall security depends on every component of the system, including the RFID reader. This article focuses on the basic security considerations to account for when choosing an RFID reader, and on whether your application actually needs those capabilities. The key considerations are as follows:

Does your application require encryption capabilities? If so, can the reader execute the necessary cryptographic algorithms?

In every application involving RFID technology, first assess whether encryption is required and, if so, determine exactly which channel it must protect: the host interface may need to exchange encrypted data, the air interface may need to carry protected data, or both. Once the requirements are established, evaluate the strength of the protection: the algorithm, the key length, and how the keys are generated, stored and distributed.

Furthermore, many contactless transponders store data in memory segments (sectors or applications) that are locked with cryptographic keys, so that a reader must authenticate with the correct key before it can read them. A suitable reader is one that can not only authenticate to these segments and access the data but also gives the end user an easy way to set this up. In many instances end users have their own customised keys for their credentials and are unwilling to share them with the reader vendor, so the ability to load custom keys by someone other than the reader manufacturer becomes essential. This can be provided in several ways, such as a high-level API that lets the user write applications for the reader, or a graphical user interface in which the customer enters the keys used to access the data sectors.

Do you require encrypted data exchange? If so, where and can the card reader support this?

In a typical scenario the reader acts as an intermediary, collecting data from the contactless or contact-based transponder and transferring it to the host system. The host may be an endpoint that validates the presented credential locally, or a microcontroller that forwards the data over a network to a cloud service or database for validation and authentication. As noted above, it matters whether encryption is needed between the RFID media and the reader, between the reader and the host, or on both links. If the air interface must be protected, credentials that support authenticated, encrypted access are required; the choice of reader then follows from that decision.

There are use cases in which personal information such as name, address, date of birth or biometric data is stored on the credential, for example smart cards or passports. Encrypting the exchange of such data both between credential and reader and between reader and host is then critical. The reader should therefore provide cryptographic engines such as AES, DES or 3DES, or allow custom algorithms to be implemented, as this eases integration. Note that DES and 3DES are legacy algorithms worth supporting only for compatibility with existing credentials; new deployments should use AES. Where smart cards or contact-based credentials are used, the host system typically drives the entire communication, so the reader must also have:

  • Software support for the PC/SC (Personal Computer/Smart Card) and CCID (Chip Card Interface Device) modes of communication. Available host drivers make software integration straightforward.
  • Hardware support for communication standards such as ISO/IEC 7816, together with Secure Access Module (SAM) slots and other contact-based interfaces.

Does your application require mutual authentication between Secure Access Modules (SAM) and RFID media? If so, does the reader support this?

A Secure Access Module is a smart card in a contact form factor that communicates with the reader over a contact-based interface. It protects the secret keys it holds and performs cryptographic operations on the reader's behalf. Typically SAMs derive application keys from a master key or generate session keys, and they enable secure messaging between the RFID media, the reader and the host system.

Many contactless credentials hold memory segments or applications that are protected with cryptographic keys. These keys are often stored in SAMs, and it is the SAMs, not the keys, that are supplied to the reader manufacturer. This keeps the keys out of the reader's firmware and adds a step to the authentication process: the reader first authenticates to the SAM, then relays a series of cryptographic and bit-manipulation operations between the contactless card and the SAM. Security can be raised further with a key diversification step, in which the SAM derives a per-card key from the master key and the card's unique identifier, so that a key recovered from one card does not unlock the rest of the population. The reader must support such a scenario in both hardware and software; many end users expect native support together with high-level APIs to help their implementation.

In addition, high-security applications demand that data be transferred in encrypted form. End-to-end protection can be achieved with SAMs: the reader brokers mutual authentication between the RFID media and the SAM, so protected data crosses the radio link while the encryption keys never leave the SAM. The reader can then forward data encrypted by the SAM to the host system, maintaining a high level of security across the whole system.
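The exchange described above, written out as an added example (not code from the original article, nor from any vendor's SAM or card): a SAM holds the master key and diversifies a per-card key from the card's UID; the reader only shuttles nonces and tags between card and SAM, so it never handles a key; both sides prove knowledge of the diversified key before a session key is derived. HMAC-SHA256 stands in for the keyed operations so the example runs on the Python standard library; real credentials and SAMs use AES- or 3DES-based protocols, and the message layout, key labels, UIDs and master key here are assumptions of this example, not any card standard.

```python
"""Diversified-key mutual authentication brokered by a reader with a SAM.

Added illustration, not code from the original article or from any vendor's SAM.
HMAC-SHA256 stands in for the keyed operations so the example runs on the Python
standard library; real credentials and SAMs use AES- or 3DES-based protocols, and
the message layout here is an assumption of this example, not a card standard.
"""
import hashlib
import hmac
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed pseudo-random function used for key derivation and challenge tags."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class SecureAccessModule:
    """Holds the master key. The reader only ever sees nonces, tags and session keys."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._pending = {}  # uid -> (diversified key, rnd_a, rnd_b)

    def diversify(self, uid: bytes) -> bytes:
        # Per-card key: recovering one card's key exposes neither the master key
        # nor any other card's key.
        return prf(self._master, b"diversify", uid)

    def start_auth(self, uid: bytes, rnd_b: bytes):
        key = self.diversify(uid)
        rnd_a = secrets.token_bytes(16)
        tag_a = prf(key, b"reader", rnd_a, rnd_b)  # proves the SAM knows the card's key
        self._pending[uid] = (key, rnd_a, rnd_b)
        return rnd_a, tag_a

    def finish_auth(self, uid: bytes, tag_b):
        key, rnd_a, rnd_b = self._pending.pop(uid)
        if tag_b is None or not hmac.compare_digest(tag_b, prf(key, b"card", rnd_b, rnd_a)):
            return None  # card could not prove it holds the diversified key
        return prf(key, b"session", rnd_a, rnd_b)


class Card:
    """Contactless credential personalised with its own diversified key."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key
        self._rnd_b = None
        self.session_key = None

    def challenge(self) -> bytes:
        self._rnd_b = secrets.token_bytes(16)  # fresh per attempt, so a captured run cannot be replayed
        return self._rnd_b

    def respond(self, rnd_a: bytes, tag_a: bytes):
        if not hmac.compare_digest(tag_a, prf(self._key, b"reader", rnd_a, self._rnd_b)):
            return None  # reader (via its SAM) failed to authenticate; card stays locked
        self.session_key = prf(self._key, b"session", rnd_a, self._rnd_b)
        return prf(self._key, b"card", self._rnd_b, rnd_a)


def reader_authenticate(sam: SecureAccessModule, card: Card):
    """The reader shuttles messages between card and SAM and never handles a key."""
    rnd_b = card.challenge()
    rnd_a, tag_a = sam.start_auth(card.uid, rnd_b)
    tag_b = card.respond(rnd_a, tag_a)
    return sam.finish_auth(card.uid, tag_b)


# Constructed keys and UIDs for the demonstration (assumptions of this example).
MASTER_KEY = bytes(range(32))
SAM = SecureAccessModule(MASTER_KEY)
GENUINE_UID = bytes.fromhex("04a1b2c3d4e5f6")
OTHER_UID = bytes.fromhex("04ffeeddccbbaa")
# Personalisation: the card is issued with the key diversified from its own UID.
GENUINE_CARD = Card(GENUINE_UID, SAM.diversify(GENUINE_UID))
# A clone copies the UID (readable without authentication) but, lacking the master
# key, can at best reuse a key extracted from some other card (obtained from the
# SAM here purely for the demonstration).
CLONED_CARD = Card(GENUINE_UID, SAM.diversify(OTHER_UID))

if __name__ == "__main__":
    print("genuine card authenticated:", reader_authenticate(SAM, GENUINE_CARD) is not None)
    print("cloned card authenticated:", reader_authenticate(SAM, CLONED_CARD) is not None)
```

The genuine card and the SAM end up with the same session key, which the reader can then use for the protected data transfer the article describes; the clone fails in `Card.respond`, before it ever reveals anything, and the SAM discards the attempt. Because both nonces are fresh on every run, a recording of one successful exchange is useless to an attacker.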

Note that the secure distribution of SAMs and the administration of their installation in readers should be treated as a separate issue and tackled accordingly. Stolen readers, or SAMs removed from readers, are a related concern. These topics are outside the scope of the considerations here, and appropriate precautions must be put in place to improve the overall security of the system.

Does the card reader have communication interfaces other than Wiegand such as RS485 or RS232?

The Wiegand card and the Wiegand interface for data transmission are 40-year-old technologies that originate from the Wiegand effect discovered by John R. Wiegand in the early 1970s. Wiegand cards are still in production but have largely been replaced by newer and cheaper access cards. Many of these, however, still deliver data in the Wiegand format, which is susceptible to interception because the facility code and card number travel in plain text. The Wiegand interface introduced in the 1980s remains prevalent in both logical and physical access control despite published attacks: a device tapped onto the two data lines between reader and controller can record card values and replay them. The technology no longer conforms to current security standards, so integrators should choose a communication interface, such as RS485 or RS232, that resists interception and supports encrypted data exchange.
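To make the interception point concrete, here is an added example (not code from the original article) that builds and decodes the common 26-bit Wiegand frame: one even-parity bit, an 8-bit facility code, a 16-bit card number and one odd-parity bit. It assumes that layout and models the capture as the sequence of pulses an interceptor on the reader-to-controller D0/D1 wiring would see; the facility code and card number used are constructed for the demonstration.

```python
"""Decode and build 26-bit Wiegand frames (the common 26-bit layout).

Added illustration, not code from the original article. Assumes the standard
26-bit format: 1 even-parity bit, 8-bit facility code, 16-bit card number,
1 odd-parity bit. Shows why a tap on the D0/D1 wires yields a replayable credential.
"""


def _parity(bits):
    """Return 1 if an odd number of the given bits are set, else 0."""
    return sum(bits) % 2


def frame_from_pulses(pulses):
    """An interceptor sees a pulse on D0 for a 0 bit and on D1 for a 1 bit."""
    return "".join("1" if line == "D1" else "0" for line in pulses)


def encode_wiegand26(facility_code, card_number):
    """Build the 26-bit frame a reader emits for a given facility code and card number."""
    if not 0 <= facility_code <= 0xFF or not 0 <= card_number <= 0xFFFF:
        raise ValueError("facility code is 8 bits, card number 16 bits")
    payload = [int(b) for b in f"{facility_code:08b}{card_number:016b}"]
    lead = _parity(payload[:12])        # even parity over data bits 1-12
    trail = 1 - _parity(payload[12:])   # odd parity over data bits 13-24
    return "".join(str(b) for b in [lead, *payload, trail])


def decode_wiegand26(frame):
    """Recover facility code and card number; raise ValueError on a malformed frame."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected a 26-bit frame")
    bits = [int(b) for b in frame]
    payload = bits[1:25]
    if bits[0] != _parity(payload[:12]) or bits[25] != 1 - _parity(payload[12:]):
        raise ValueError("parity error")
    return {
        "facility_code": int("".join(map(str, payload[:8])), 2),
        "card_number": int("".join(map(str, payload[8:])), 2),
    }


def is_valid_frame(frame):
    """True if the frame has the right length and both parity bits check out."""
    try:
        decode_wiegand26(frame)
        return True
    except ValueError:
        return False


# Constructed capture: the pulse sequence an interceptor on the reader-to-controller
# wiring would record for facility code 123, card number 45678. Nothing in the
# frame is secret, so the recording alone lets an attacker replay the credential.
CAPTURED_PULSES = ["D1" if b == "1" else "D0" for b in encode_wiegand26(123, 45678)]

if __name__ == "__main__":
    frame = frame_from_pulses(CAPTURED_PULSES)
    print(frame, decode_wiegand26(frame))
```

The parity bits only catch transmission errors; they offer no authentication, which is why a recorded frame can be replayed onto the same wires and why the article recommends an interface that supports encrypted data exchange.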

Do you require tamper detection technologies? If so, can the reader meet this requirement?

The need for tamper detection varies widely between applications, so consider first whether this level of protection fits your use case. For example, readers attached to multi-function printers (MFPs) for releasing print jobs in an enterprise can be considered less critical: tampering with the reader may cause printer downtime but does not expose your documents. In such deployments the reader works with the MFP and a print management solution that controls the release of jobs, so if the reader is sabotaged or tampered with, the MFP or the solution simply refuses to release anything.

High-security environments such as data centres, on the other hand, certainly need greater protection, and the consequences of any attempt to compromise the device's integrity or the data associated with it must be evaluated thoroughly. Those topics deserve separate treatment and are outside the scope of this article. In short, depending on the application, the credentials involved and the data exchanged with the reader and ultimately the host, tamper detection can materially improve device security. Several technologies are available, such as mechanical and optical tamper detectors that can be embedded directly in the reader.

Do you require the reader's configuration or firmware to be securely shared or loaded on the card reader? If so, can the reader meet this requirement?

Most of us know system and application software updates from our phones, which receive security patches and app upgrades over the network. Card readers are updated in much the same way, except that the firmware or configuration update may need to be encrypted depending on the use case. If an end customer only reads static card numbers from RFID media and uses no data protected by cryptographic keys, the firmware and configuration need not be encrypted, for the simple reason that those files contain nothing sensitive. Encryption becomes necessary when the data the reader processes contains personal information or follows a confidential proprietary corporate format, or when a customer moves to higher-security credentials protected by keys: the configuration of the existing or new readers must then hold those keys.

In that scenario the configuration or firmware itself holds sensitive material and must be encrypted. Once encrypted, the file no longer poses a disclosure risk and can be shared with customers to update existing readers, or with the reader manufacturer to load new readers with the configuration or firmware. This protects both the sharing and the update process, since the reader only ever receives a file that is already encrypted. Note that encryption protects confidentiality only; the reader should also verify the authenticity and integrity of the file, for example by checking a signature, before applying it, so that a tampered or substituted update is rejected.

Ultimately it is essential to choose a reader that can meet the considerations above, but more importantly the security features chosen must be appropriate to the customer's requirements. Any integrator should first evaluate the application thoroughly, work with subject matter experts to establish requirements and objectives, and develop the concept, system architecture, data flows and the secure channels between components. Only then can the security features needed be determined. This process not only cements the end system's overall security posture but also makes explicit the exact security requirements of the resulting application.

In conclusion, choosing an RFID product that offers the above security features and a flexible system design capable of accommodating future adaptations will prove the right choice for OEMs and system integrators.

Author profile

Kiran Vasishta Field Application Engineer, ELATEC USA
