Weighing the hacking risks
It’s a story that seems worthy of front-page headlines: A hacker exposes a major flaw in the protocol that underlies many of the world’s access control systems, defeating it in minutes with some clever programming and off-the-shelf components. That’s exactly what happened during the DefCon conference in Las Vegas last August, when Zac Franken demonstrated how to attack the widely used Wiegand protocol.
However, even in today’s high-security era, the news attracted relatively little attention. As noted by security expert Mike Davis, Director of Intellectual Property at HID Global, “How’s the industry reacting? They aren’t really publicly commenting.” In fact, while Wiegand does have some flaws, properly configured security systems should remain at relatively little risk. The issues raised by Zac Franken – as well as some of the solutions for staying secure – are detailed below.
Wiegand dominates
Wiegand is a 20-year old, relatively basic standard; yet it lives on at the heart of many cutting-edge access control systems. It was adopted from the original Wiegand Reader Technology that includes an authentication code contained in 26 bits of data. Many readers in use today communicate with upstream devices by leveraging the Wiegand Effect technology, which uses separate wires to represent zeros and ones. Today, almost any kind of reader technology, such as Proximity, Contactless Smart Card and even advanced biometric systems, still often use the Wiegand Protocol to communicate between readers and access control panels. “The Wiegand protocol is so dominant in our industry, it is phenomenal,” states Davis.
Like any other communications standard, the Wiegand Protocol has some good features and some weak ones. Its strengths include its wide industry adoption; its low implementation cost; the ability to travel relatively long distances; and the fact that it is electrically robust and immune to damage.
Unfortunately, Wiegand also has some limitations. First, it provides no authentication between readers and access control panels, making it easy to intercept codes. Second, 26 bits of data are very limiting. According to Davis, the commonly available Wiegand format supports 256 different facility codes and 65,535 unique IDs – allowing for the possibility that users of access systems at nearby buildings could have compatible cards and even identical IDs, like having your neighbor press his garage door opener and also open your door. However, this is extremely unlikely.
Franken exploited the first weakness: He created a device with a small microcontroller that was programmed to record access codes from a Wiegand-compliant reader and respond to a special card. He then spliced the device into the wiring of the reader. The device could then monitor communications and store codes, and use one of them to open the door when the special card is presented to a reader compromised by the device.
Tricks of the trade
If attacking Wiegand is so easy, why aren’t more people worried? Actually, the attack is still quite difficult and risky – particularly compared to other break-in methods. Since Franken did not release his code, criminals would require a sophisticated knowledge of firmware programming to replicate his work, and would also need to pry away the access control reader from the wall. And not all companies use the 26-bit Wiegand format because they want to insure that their formats are unique. Depending on which format is actually used, some may only be available from the manufacturer to that particular client.
Accordingly, the risk of a Wiegand break-in seems comparatively low. As Davis observes, “There are so many ways to get into a building without using any technology at all – if you have an apartment building with a glass door, anyone with a brick can get in.” Other methods include social engineering – tricking someone into letting you in – or other low-tech approaches like attaching a piece of paper to a stick, pushing it under a door and waving it around to activate an indoor motion detector release.
Companies can certainly create a better alternative to Wiegand, but new protocols could lead to other issues, like increased cost and reliance on proprietary communication protocols. Relying on a common standard allows different vendors to create compatible products and achieve economies of scale. A proprietary standard would greatly increase cost and potentially tie customers to a single vendor. Meanwhile, some other technologies – like TCP/IP – might be even more open to attacks than Wiegand, since more programmers are proficient in its use.
Safety in layers
So what’s the best solution? Follow industry best practices. Access control systems typically support the tamper mechanisms provided by the manufacturer; although rarely utilized in practice, they should be. Facilities should also train a camera on key access areas or have security personnel visually inspect readers once a day. And any possible evidence of tampering should be investigated immediately.
While these measures may be more than enough for basic needs, high-risk facilities must implement multiple tiers of security. “You never design a security system with a single point of failure,” observes Davis. CCTV, guard patrols, additional access control devices and other measures can all be used to create a greater level of assurance. Even if Wiegand is replaced with a better alternative, that technology will be vulnerable to attacks as well, so a layered approach is essential. As stated by Davis, “If you rely on a single access control element to do everything, then you haven’t implemented a system worthy of accomplishing its task.”
* indicates mandatory field