Farpointe Data, the access control industry's trusted global partner for RFID solutions, has just posted the first radio frequency identification(RFID) Cybersecurity Vulnerability Checklist for access control manufacturers, distributors, integrators, and end users to use to protect their access control systems from becoming hacker gateways to their facilities and IT systems. Knowing what to do is especially important now that government agencies, such as the United States Federal Trade Commission, have begun filing lawsuits against businesses that do not provide good cybersecurity practices.
"Seemingly daily, end users are being reminded of how their access control systems are no longer secure," emphasises Farpointe Data President Scott Lindley. "They learn how a hotel had to pay a ransom to release guests that got locked into their rooms via a hack of the electronic key system or how easy it is to spoof popular access cards."
Series of cybersecurity attacks
Since the start of 2017, end users have been informed of a series of hacks on various credentials states Lindley.
- The Chaos Computer Club stated that they "hacked a padlock product and its accompanying mobile app which communicates via Bluetooth Low Energy (BLE) to the padlock. This could potentially also affect hotels with mobile room keys as their door locks also communicate with smart phones via BLE technology and exchange confidential information."
- IPVM reported how a $30 copier easily spoofed a popular proximity card. The column stated that the copier "used to copy the cards works much the same way as normal card readers, with transceiver coil, power supply, IC chip, buzzer and even LEDs components shared by both. Given the principal operation of contactless card readers, the copier excites the coil and delivers power wirelessly to the card, which then momentarily stores energy and then uses it to broadcast card details back to the copier."
- In an on-site demonstration at the ShmooCon hacker conference, an ESPKey, a small device that costs about $100 to make and has half a dozen wire clamps, a Wi-Fi transmitter and 4MB of memory, showed that it takes two or three minutes to break into an RFID card reader wall plate, attach the ESPKey and reinstall the wall plate to capture the ID codes of everyone in the workplace.
Prevention of cybersecurity attacks
To help prevent such attacks, the new Farpointe Cybersecurity Vulnerability Checklist covers a range of topics that can lead to hacks of contactless cards and readers. Sections include default codes, Wiegand issues, reader implementation tips, card protection solutions, leveraging long range readers, assuring anti-hacking compatibility throughout the system and leveraging additional security components.
"We are encouraging every access control manufacturer, dealer, distributor, integrator or end user to go to our website to either download or print out this Cybersecurity Vulnerability Checklist and use it," adds Lindsey. "The link is available right on our home page. With increasing news stories of hacking throughout the world and the fact government agencies are now reviewing such cybersecurity lapses should make channel partners providing access control products and systems take notice and implement anti-hacking solutions, such as Farpointe provides, to their customers."