Risk of hacking is greater in access control systems


Farpointe Data is notifying access control manufacturers, distributors, integrators and dealers that hacking of access control systems has become a threat far bigger than most think. Protecting their end-users from hackers is imperative for channel partners.

According to Lindley, the most important is that the U.S. Federal Trade Commission (FTC) has decided that it will hold the business community responsible for failing to implement good cyber security practices and is now filing lawsuits against those that don’t. An appeals court has backed its lawsuit against the hotel chain operator Wyndham Worldwide for not protecting consumers’ information and, just recently, the FTC filed a lawsuit against D-Link and its U.S. subsidiary, alleging that it used inadequate safeguards on its wireless routers and IP cameras that left them vulnerable to hackers.

“Prospective penalties go beyond FTC threats, though,” Lindley warns. “A luxury hotel in Austria, the Romantik Seehotel Jaegerwirt, recently had to pay hackers a ransom after they managed to access its electronic key system and lock all the hotel guests in their rooms. Approximately 180 people were staying at the hotel on that day. Many were locked in their rooms, while others were locked out of theirs. The hackers demanded €1,500, about $1,600. The hotel decided to pay, explaining that they felt that they had no other choice, especially because neither police nor insurance could help them.”

Adding to the problem, states Lindley, is that Wiegand, the industry standard over-the-air protocol commonly used to communicate credential data from a card to an electronic access reader, is no longer inherently secure due to its original obscure and non-standard nature.
For this reason, Farpointe has introduced features such as potting all readers and options that can be added to the readers. The first is Maxsecure, which provides a higher-security handshake, or code, between the proximity or smart card, tag and reader to help ensure that readers will only accept information from specially coded credentials. The second is Valid ID, a new anti-tamper feature available with contactless smartcard readers, cards and tags. It can add an additional layer of authentication assurance to NXP’s Mifare Desfire EV1 smart card platform, operating independently, in addition to, and above the significant standard level of security that Desfire EV1 delivers. Valid ID lets a smart card reader effectively help verify that the sensitive access control data programmed to a card or tag is not counterfeit.

“With the increasing incidences of hacking throughout the world and the fact that the FTC is now reviewing such cyber security lapses should make channel partners providing access control products and systems take notice and suggest anti-hacking solutions to their customers,” Lindley argues