The importance of security in physical access systems
01 Jun
Federico Dotta, Principal Security Analyst at HN Security (Humanativa Group)
The security of the corporate physical perimeter is a critical concern for companies above a certain size, and it is fundamental to the protection of corporate assets, digital and otherwise. Common solutions include, on the one hand, dedicated personnel (guards, receptionists, etc.) and, on the other, supporting IT systems such as badge-based access systems, video surveillance systems and alarm systems.
The reasons for the attention paid to this aspect of corporate security are many. An attacker able to reach the internal perimeter could easily connect to the corporate private network, access critical information that is not digitized, or take advantage of the privileged position they have obtained to carry out social engineering attacks against employees, exploiting the fact that they are physically inside the company perimeter.
Although the use of physical access systems is considered fundamental, an often-underestimated aspect is the convergence between the physical perimeter and the corporate IT infrastructure. This convergence can introduce risks that were never assessed: IT vulnerabilities in the devices used by physical access systems can be exploited to bypass them or to gain access to the corporate private network.
To identify and mitigate the resulting risks, the robustness of the systems and devices used must also be evaluated from an IT standpoint, by including them among the targets of penetration tests. In the following sections we analyze the different technologies used for access control from an attacker's point of view.
Security for access control
One of the main ways in which the physical perimeter of a company is controlled is to install an access control system at every access gate.
In most cases, access through these gates is controlled by so-called badges. These badges, made of plastic, often show visual information identifying the employee and contain a digital identifier of the person to whom they were issued; this identifier is read by turnstiles and similar devices to allow or deny access to certain areas.
The technologies associated with badges are constantly evolving: many exist, differing both in the information a badge can hold and in robustness. The investment required to adopt or update a physical access control system is significant and hard to justify over a short period of time.
In most cases, companies do not have the expertise needed to evaluate the products offered by suppliers. This often leads to the adoption of systems that are secure on paper but have vulnerabilities in the specific technologies used.
The most common problems related to these technologies range from the total absence of security mechanisms to vulnerabilities deriving from the obsolescence of the technology in use. Many of the most serious problems stem from the fact that manufacturers, instead of relying on known standards, have implemented their own encryption and authentication algorithms, probably for performance reasons and because of hardware limitations.
Approaches of this type do not offer additional protection, as so-called security through obscurity (the algorithm is secure because attackers do not know the details of how it is implemented) is a practice universally considered dangerous. Sooner or later, implementation details are discovered or inferred, for example through reverse engineering carried out directly on the electronic components.
As for the risks to the company when these systems are not adequately secured, the main one is that an attacker may be able to evade them and access the internal perimeter. In most cases this is done by cloning an employee's badge, when a weak or vulnerable technology is in use, or by reconstructing its contents.
Badges and identification information
From an IT point of view, a badge can be seen simply as a container that holds, in a more or less protected form, a piece of authentication information.
In most cases, this information is simply a numerical identifier of the employee or, alternatively, a pair formed by the identifier of the employee and that of the company for which they work. Protecting these identifiers is therefore of fundamental importance, as it may be sufficient for an attacker to know them, or to be able to derive them, to gain access to the internal perimeter.
An interesting scenario encountered on several occasions concerns a less technological aspect of the protection of these identifiers. Badges often display employee identification information, such as name, surname, role and a photograph, printed on them. It is not uncommon to also find an alphanumeric identifier of the badge or employee which, although at first glance it may not seem significant, is often the same one saved digitally within the badge and used by the access control system. An attacker could therefore obtain all the information needed to clone a badge simply by looking at an employee's card.
Another aspect that should not be underestimated is that these identifiers are often incremental numbers. If the technology is not robust enough, having access to one of them (by reading it from a physical badge, extracting it from one's own company badge or from a temporary badge issued to visitors) makes it possible to obtain more privileged access simply by guessing the identifiers of employees who can access the areas of interest.
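As an added illustration (not part of the original article) of how a defender can spot the identifier guessing described above, the following Python detector scans access-control logs for runs of presentations whose badge identifiers step upward by one at a single reader. The log format, reader names and badge numbers are constructed assumptions, not values from any real system.

```python
from datetime import datetime

# Constructed sample access-control log (not taken from any real system): timestamp,
# reader, badge identifier presented, and the controller's decision.
SAMPLE_LOG = """\
2023-06-01T08:01:10 reader=north-turnstile badge=104422 result=denied
2023-06-01T08:01:14 reader=north-turnstile badge=104423 result=denied
2023-06-01T08:01:19 reader=north-turnstile badge=104424 result=denied
2023-06-01T08:01:23 reader=north-turnstile badge=104425 result=granted
2023-06-01T08:05:02 reader=lobby badge=200017 result=granted
2023-06-01T08:06:15 reader=lobby badge=200018 result=denied
2023-06-01T08:06:20 reader=lobby badge=200019 result=denied
2023-06-01T09:30:00 reader=lobby badge=200020 result=denied
"""

def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with parsed ts and badge."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["badge"] = int(rec["badge"])
    return rec

def find_sequential_probing(log_text, min_run=3, max_gap_seconds=60):
    """Per reader, flag runs of >= min_run presentations whose badge ids increase by
    exactly one, each within max_gap_seconds of the previous attempt (guessing pattern)."""
    by_reader = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_reader.setdefault(rec["reader"], []).append(rec)
    findings = []
    def flush(reader, run):  # record a run only once it is long enough to matter
        if len(run) >= min_run:
            findings.append({"reader": reader, "first_badge": run[0]["badge"],
                             "last_badge": run[-1]["badge"], "attempts": len(run),
                             "denied": sum(r["result"] == "denied" for r in run),
                             "granted": sum(r["result"] == "granted" for r in run)})
    for reader, events in by_reader.items():
        events.sort(key=lambda r: r["ts"])  # a genuine user re-presents the same id
        run = [events[0]]
        for prev, cur in zip(events, events[1:]):
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            if gap <= max_gap_seconds and cur["badge"] == prev["badge"] + 1:
                run.append(cur)
            else:
                flush(reader, run)
                run = [cur]
        flush(reader, run)
    return findings
```

In the sample, only the north turnstile shows three consecutive denials followed by a grant on the next identifier; the lobby's two-step run stays below the threshold unless min_run is lowered.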
Access control technologies
The technologies used for this type of system are many and very heterogeneous. Some of the most widely used will now be examined, illustrating their risks and problems.
Manufacturers of access control systems today have safer alternatives in their catalogs than those described in this article, yet the technologies described here are still the ones most commonly encountered in real businesses. On one hand, companies are often unaware of the problems of the technologies in use; on the other, many vendors continue to offer them despite their obsolescence.
The technologies considered are the following:
- Magnetic stripe systems
- Contactless RFID systems with HID Corporate 1000 technology
- Contactless NFC systems with Mifare Classic technology
- Contactless NFC systems with HID iClass technology
Magnetic stripe systems
One obsolete technology that is still widely used today is the magnetic stripe.
Magnetic stripe authentication systems were invented by IBM in 1960. As can be deduced from the date of birth of this type of system, it offers no protection of the data it contains, which is saved in clear text and is easily read and written; it also suffers from multiple technological problems that can cause the saved data to be lost.
An attacker with very easy-to-use hardware costing less than $100 can clone one of these badges in seconds. However, the attacker must physically obtain a valid badge for the time needed to read it.
Subsequently, the first contactless technologies took hold in the physical security ecosystem. These technologies make it possible to build "thinking" chips that receive power via radio waves, without the need for an on-board battery. For this reason, they lend themselves well to company badges and are the most used today. These RFID badges should be thought of not merely as memories that store data, but as real processors on which authentication and data-encryption protocols can be implemented.
The first contactless technologies used for this purpose were based on low-frequency RFID protocols and implemented neither data encryption nor authentication protocols. One example is HID Corporate 1000, which is still widely used in business contexts.
As with the magnetic stripe, an attacker can read and duplicate a valid badge in a few seconds, but in this case the risks are even higher because cloning can also take place remotely: readers the size of a briefcase, built from readily available components, can read these badges from more than a meter away, and professional hardware extends the distance further.
A few years later, many manufacturers began to employ high-frequency contactless technologies (known as NFC) for some product lines. Being more recent, these technologies usually implement authentication between the badge and the reader and encryption of the data held on the badge. Unfortunately, as mentioned above, many of them, instead of relying on known standards, implemented their own proprietary encryption and authentication algorithms and kept their details confidential.
One of the best-known examples of a proprietary algorithm is the Mifare Classic technology. It caught on in the market and spread enormously thanks to the security it guaranteed and its relatively low cost (more than 10 billion chips and 150 million readers sold, according to the manufacturer). Between 2007 and 2008 researchers completed the reverse engineering of the technology, revealing details that subsequently allowed numerous security problems to be found, making it possible to recover the encryption keys in a few seconds and to clone badges rapidly. This technology continues to be one of the most widely used ever.
Another significant example concerns the first versions of HID iClass, a technology that chronologically followed Mifare Classic. These badges were initially sold in two configurations: Standard Security and Elite Security. In the standard configuration, every reader from every company used the same encryption key to protect the contents of the badges. In 2010 a researcher published an article explaining how to extract this key, common to all badges, from any reader, rendering products in the Standard Security configuration completely ineffective.
Although it was possible to upgrade to "Elite Security" mode, which uses different encryption keys for each organization, this required additional costs and interventions on all readers and all badges. Subsequently, numerous security problems were found in this mode too, which can be exploited to obtain the encryption keys needed to clone a badge or create a valid one.
In addition, badges often use more than one technology at the same time. The most common example is the combined contactless and magnetic stripe badge. The reasons for the presence of more than one technology can be many: the company may have acquired these badges to allow a comfortable migration from an older technology to a more recent one, or the supplier may simply have proposed this type of badge even though the company needed only one of the two. In any case, if the authentication information is present on both technologies, the security of the mechanism often depends on the weaker of the two, whether or not that one is actually used.
While these scenarios and technologies may seem like a thing of the past, sadly this is not the case. On one hand, suppliers continued to offer vulnerable technologies many years after the problems described were discovered (and it cannot be excluded that they are still offered); on the other, replacing a vulnerable access control system is very costly. Depending on the system, it may be necessary to replace turnstiles, management software and all company badges.
For this reason, it is fundamental to audit the physical access infrastructure, in order to highlight the problems present and consequently the risks the company is running, possibly without being aware of them. It is equally important to rely on specialized companies for an adequate analysis of the technologies proposed by suppliers before acquiring and deploying them. Deploying a system without adequate checks often leaves the company exposed to those risks for many years.
HN Security analysts are available to support you in assessing your current security status, through specialized penetration testing and security assessment activities on devices, applications and networks dedicated to physical access systems and in the analysis of the technologies proposed by suppliers before they are acquired.