"Any access control reader mounted on the unsecure side of a door is easy to “skim” by attaching a simple, cheap skimming device to the reader’s output. To help avoid these hacks, you should always use the following guidelines to prevent your system from being compromised: NEVER mount a reader on the unsecured side of the door. A reader on the outside of a door can be easily skimmed. Always mount the reader on the secure side and when possible, out of sight."
First, this 'guideline' is self-serving, because the vast majority of readers (99%+?) are mounted on the unsecured side of a door in plain view. The CEO's product happens to be an exception to this vast majority.
I also think 'the skimming risk' is plain unfounded, because I've not heard it be even a minor concern voiced from access users. Further, he's pitching his wireless product as being more secure than a 'skim-prone' conventional reader.
It is an absurd claim from a desperate vendor seeking attention in the wrong places. Maybe he has a decent product to bring to bear but claiming all others are vulnerable is at best a cheap scare tactic.
He is technically accurate in his argument. Unless I'm sadly mistaken, the Wiegand output on most (non-OSDP) readers is not encrypted. It is not difficult to design a small device that captures that output and allows reproduction of those credentials quite simply. I've not heard of any circumstances where this has resulted in a real-life system "hack". The concept is very plausible.
One of my customers is in the banking industry and goes through physical security audits and tests regularly.... it keeps me in business. A recent test had a "visitor" pick up an access card for the day. He didn't turn in the card when he left for the day. Overnight, he cloned the card and then created a couple more guessing the number range. The following day he signed back in, apologizing for taking the card back to the motel. The next day he came in posing as an employee. He used a card with numbers lower than the visitor card. He got lucky - or not - it didn't work and the alarm went off. The guard properly challenged the card and the person. Security followed procedures and was congratulated on not falling for "people engineering" to get around security procedures. He went on to explain this was one of the first times he was caught doing this. So, how often it happens or tested????
As others said, the CEO should not have said 'never,' but point out that conventional access technology is moving on and "I have something better."
For a standard Wiegand reader, not a standalone with a relay, I would think that is very small risk at this time. If you are talking someone of that knowledge, wouldn't they just pop a ceiling tile and access wiring above ceiling to leave skimming device, and wouldn't you want to skim a reader at the most secure door, say IT room or such... to get the card info with highest access levels. The problem at this time in my opinion is the use of 26 Wiegand cards that are easily ordered from manufacturers. Give me a guest card to a building and I can order 500 cards in that range and get anywhere I want in 4 weeks.
I understand what you are saying BUT if the access control is properly maintained, i.e., someone looking at bad card reads, it won't take long for anyone with half a brain to discover someone is 'testing' cards attempting to gain entry. But most people buy the equipment and only use it as a 'reactive measure' and never even consider a 'proactive' approach for their own good.
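The "looking at bad card reads" review described in the comment above can be automated. The following is an added example, not part of any poster's comment and not any vendor's code: it flags readers where several distinct unenrolled card numbers are denied in a short window and notes which of them sit close to issued numbers. The log format, enrolled set, reader names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: enrolled (facility code, card number) pairs.
ENROLLED = {(42, 1500), (42, 1501), (42, 1502), (42, 1650)}

# Constructed access log: timestamp, reader, facility code, card number, result.
LOG = """\
2024-03-05T08:01:10 LOBBY 42 1501 GRANTED
2024-03-05T08:02:44 LOBBY 42 1650 GRANTED
2024-03-05T08:15:02 SERVER-RM 42 1502 DENIED
2024-03-05T09:30:11 LOBBY 42 1498 DENIED
2024-03-05T09:30:40 LOBBY 42 1497 DENIED
2024-03-05T09:31:05 LOBBY 42 1496 DENIED
2024-03-05T13:12:00 DOCK 17 2200 DENIED
"""

def parse(log):
    for line in log.splitlines():
        ts, reader, fc, card, result = line.split()
        yield datetime.fromisoformat(ts), reader, int(fc), int(card), result

def find_probing(log, enrolled, window=timedelta(minutes=10), min_cards=3, near=25):
    """Flag readers where several distinct unenrolled cards are denied within
    `window`, and note which of them sit within `near` of an issued number."""
    denied = defaultdict(list)
    for ts, reader, fc, card, result in parse(log):
        # An enrolled card denied at one door is a permissions issue, not probing.
        if result == "DENIED" and (fc, card) not in enrolled:
            denied[reader].append((ts, fc, card))
    alerts = []
    for reader, events in denied.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            burst = {(fc, c) for ts, fc, c in events[i:] if ts - start <= window}
            if len(burst) >= min_cards:
                adjacent = sorted(c for fc, c in burst
                                  if any(fc == efc and abs(c - ec) <= near
                                         for efc, ec in enrolled))
                alerts.append({"reader": reader, "start": start.isoformat(),
                               "unknown_cards": len(burst), "near_issued": adjacent})
                break  # one alert per reader is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in find_probing(LOG, ENROLLED):
        print(alert)
```

A single stray denial (the DOCK line) and an enrolled card denied at a door it lacks rights to (the SERVER-RM line) do not alert; only the burst of unknown numbers at LOBBY does.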
I think they are referring to this type of attack.
The reader outside isn't really the problem; it is an untampered Wiegand reader. If you use Wiegand and the cable can be accessed without detection, the system can pretty easily be compromised. In my opinion.
While the article is ridiculous, skimming is pretty easy. I made one of these as an introduction to Arduino and use it regularly (for finding bit information of access control systems I'm taking over).
Instead of creating two devices, I just used a smaller dual prox reader (reads 125 kHz and 13.56 MHz) to find site code information of almost all access control systems out there.
Project was pretty easy once I learned Arduino a bit and worked just as easy once I powered everything on.
Is it only the guideline that's self-serving? Or are the rest of us a bit guilty of that too? Rejecting it because of the self-serving reasons we don't want to agree (We've already deployed a lot of outdoor readers)?
I think most of the negative reaction people are having is probably because he started with "NEVER" instead of "Consider not" or something less inflammatory to people that are invested in the traditional approach.
His thought isn't wrong. It's not hard to get to the wiring of a reader, and once you're there, data could be skimmed off. How likely is it? I guess it depends on how valuable the target is, and how much of the information is on YouTube or whatever.
To me, this feels just like the data security conversations I have with larger clients. Some people write off a new concept as nitpicky, and others won't be able to tolerate the knowledge that there's a potential threat out there.
Some people write off a new concept as nitpicky, and others won't be able to tolerate the knowledge that there's a potential threat out there.
Isn't there something in between those two positions? That is, acknowledging it is some form of risk but also realizing that the cost / tradeoffs to eliminate that risk (given the available options on the market and what everyone has installed) is likely far greater than the risk itself.