“Increasing the security of your smart card application”
George Redpath & Eli Williams
Tyco International

Synopsis
• As access control systems become more pervasive, their importance to the overall security of the enterprise grows, and as the system becomes more dependent on IT systems and techniques, the likelihood of the system being compromised increases.
• This seminar will investigate some of the attacks which are being made upon systems, and investigate methods to ensure security is not compromised.

Target Audience
• Designers and managers of medium and large scale commercial installations operating over a WAN

Typical System

Basic Attacks
• Replay Attacks – Introduction of a known good sequence to a reading device.
• Denial of Service – Continuous high frequency generation of data sequences so as to cause the panel to fail.
• Spoofing – Introduction of a device into the system to “take over” the identity of a valid device.

Attack Sites
• Attacks likely to be introduced at communication links.
  – Between the cards and the read head
  – Between the readers and the panel
  – Between the RS485 device and panel
  – Between IP devices

Smart Card Cloning
• Palm sized device learns valid card number
• Can then replay card at reader
• Appears to the system to be a valid card number
• Devices freely available on the internet – Approx $300

Cloning Video
• http://www.youtube.com/watch?v=jeAQWJ4JDjw
• Original hack device required:
  – Antenna
  – RF Board
  – PC
• Third generation has no PC and runs from a lithium battery
• Truly portable, selectable frequencies and antennas

Why does cloning work
• RF technology is inherently insecure
  – Depends upon the application to provide security
• Proximity applications modulate a 125 kHz carrier
  – Simple to generate and replay
• 1st & 2nd generation 13.56 MHz applications
  – Too reproducible
  – Short key length

[Figure: smart card generations, from 1st generation memory cards through second and third generation to true CPU & dual interface cards. Products shown: MiFare “Classic” 1K, MiFare 4K, Inside Contactless PicoPass, HID iClass, MiFare Plus 2K, MiFare Plus 4K, MiFare Plus X, MiFare DesFire EV1 2K / 4K / 8K, SmartMX / JCOP / Multos products. Labels “Security Level 2” and “Security Level 3” appear beside the MiFare Plus entries.]

What is Wiegand?
• The Wiegand effect was discovered by John R Wiegand, as a method of storing magnetic charge in a wire.
• A Wiegand reader is an E-shaped magnetic coil with 2 windings, so that placing a Wiegand wire over each section of the E causes a corresponding pulse in that winding.
• This results in a 3 wire interface producing pulses of approx 1 msec in length: data 0, data 1 and ground.

Wiegand Interface

Wiegand Replay Process
• The device is fitted across 3 wires.
• A card is swiped and the SMS sent to a phone
• The device buffers a set of card numbers
• The phone sends the open command back along with the number
• If the door doesn’t open, a different stored number is sent
• Door opens

Why Does Wiegand Replay work?
• Very simple interface
• Extremely well documented
• Open collector allowing multiple devices on the line
• Unusual to fit a tamper switch
• Relatively long distance between the read head and the panel
• Can be operated remotely.
• Can also defeat biometric installations

RS485 replay
• 3 (or 4) wire interface
  – Data A
  – Data B
  – 0V
  – (+12V)
• Relatively simple protocols
  – Usually well documented
  – Easily replayed
• Device substitution can be achieved without affecting tamper

IP Vulnerabilities
• TCP/IP and structured wiring were designed as an open, standards based method of networking intelligent devices.
• Security was added later
• Device identification was originally controlled by the MAC address.
• Difficult to know source and destination of a packet on a WAN.
• Protocol has to assume temporal shifts.

Designing for IP
• Analyse the connections
  – It’s OK to have IP at unsecure locations; it’s what it connects to that is important.
  – Physically and logically segment the design
• Implement secure protocols (TLS, SSL etc)
• Robust device identification
• Design randomness into the application protocol: each packet should be unique even if it comes from the same device and carries the same information.

“The role of video verification to increase your security”
Eli Williams
Tyco International

Video Verification
• Monitored Video
  – Card ID vs. Video
  – Quick access to video linked events
• Forensic
  – Internal risk prevention
• Facial recognition
  – One to Many
  – One to One
• Other Intelligence

[Screenshot: Access Control Events, Controller Status, Video Integration, Security Activity]

Recommendations
• Adopt a multi-factored approach to credential verification
  – Video verification
  – Well integrated biometrics
• Introduce random challenges
• Adopt a 3rd or 4th generation smartcard
• Have a flexible, extensible approach to the system; things will change, so allow for it in your design.
• See the solutions on Tyco Stand D10, Hall 5

Thank You
Any questions?
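
Added example, not part of the original slides: a sketch of the “design randomness into the application protocol” and “introduce random challenges” points, in which the panel issues a fresh random challenge and the reader binds it into an HMAC over each frame, so a captured frame is rejected when it is presented again. The frame layout, the class and function names and the per-device key provisioning are assumptions made for illustration, not a vendor protocol.

```python
import hashlib
import hmac
import secrets
import struct

HDR = struct.Struct(">HI")        # assumed layout: device id, card id
NONCE_LEN, TAG_LEN = 16, 32       # challenge size, HMAC-SHA256 tag size

class Reader:
    def __init__(self, device_id, key):
        self.device_id, self.key = device_id, key

    def frame(self, card_id, challenge):
        # The panel's random challenge is bound into the MAC, so the same
        # card at the same reader never produces the same frame twice.
        body = HDR.pack(self.device_id, card_id) + challenge
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

class Panel:
    def __init__(self, keys):
        self.keys = keys          # device id -> per-device key
        self.pending = {}         # device id -> outstanding challenge

    def challenge(self, device_id):
        self.pending[device_id] = secrets.token_bytes(NONCE_LEN)
        return self.pending[device_id]

    def accept(self, frame):
        """Return the card id for a fresh, authentic frame, else None."""
        if len(frame) != HDR.size + NONCE_LEN + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        device_id, card_id = HDR.unpack(body[:HDR.size])
        key = self.keys.get(device_id)
        if key is None or not hmac.compare_digest(
                tag, hmac.new(key, body, hashlib.sha256).digest()):
            return None           # unknown device, altered frame or wrong key
        if body[HDR.size:] != self.pending.get(device_id):
            return None           # replay: answers an old or missing challenge
        del self.pending[device_id]   # a challenge is good for one frame only
        return card_id

def demo():
    key = secrets.token_bytes(32)     # constructed key, example only
    reader, panel = Reader(7, key), Panel({7: key})
    captured = reader.frame(0x1234, panel.challenge(7))
    first = panel.accept(captured)    # genuine presentation is accepted
    panel.challenge(7)                # panel moves on to a new challenge
    return first, panel.accept(captured)   # replayed frame is rejected
```

A failed replay does not consume the outstanding challenge, so presenting old frames cannot lock out the genuine reader's next response.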