NEVER Mount A Reader On The Unsecured Side Of The Door?

Brian Rhodes
May 24, 2016
IPVMU Certified

Catch this comment from the CEO of a smartphone access control vendor:

"Any access control reader mounted on the unsecure side of a door is easy to “skim” by attaching a simple, cheap skimming device to the reader’s output. To help avoid these hacks, you should always use the following guidelines to prevent your system from being compromised: NEVER mount a reader on the unsecured side of the door. A reader on the outside of a door can be easily skimmed. Always mount the reader on the secure side and when possible, out-of-sight."

First, this 'guideline' is self-serving, because the vast majority of readers (99%+?) are mounted on the unsecured side of a door in plain view. The CEO's product happens to be an exception to this vast majority.

I also think 'the skimming risk' is plain unfounded, because I've not heard it be even a minor concern voiced from access users. Further, he's pitching his wireless product as being more secure than a 'skim-prone' conventional reader.

What do you think?

Eddie Perry
May 24, 2016

Yeah, and you shouldn't mount a lock with the keyhole on the unsecured side, as someone might pick it open...

John Honovich
May 24, 2016
IPVM

Eddie, you may have what it takes to be a manufacturer CEO....

Eddie Perry
May 24, 2016

If they are willing to pay me what they pay them, I'll gladly put on a show and make a fool out of myself for about 5 years and then you will never see me again...

Marty Calhoun
May 25, 2016
IPVMU Certified

It is an absurd claim from a desperate vendor seeking attention in the wrong places. Maybe he has a decent product to bring to bear, but claiming all others are vulnerable is at best a cheap scare tactic.

Brian Rhodes
May 25, 2016
IPVMU Certified

Practically, has anyone ever heard of 'skimming' access cards?

The CEO says it is "easy to “skim” by attaching a simple, cheap skimming device to the reader’s output", but what does this look like?

I've seen magstripe skimmers, but who uses magstripes for access in 2016?

Eddie Perry
May 25, 2016

Large scale enterprise systems do (20,000+), or those that use them for POS/access control all in one card.

But you are right, most nowadays are prox readers, as very few would need to use over 20,000 different accounts at one time.

Levi Angst
May 29, 2016
IPVMU Certified

Brian-

He is technically accurate in his argument. Unless I'm sadly mistaken, the Wiegand output on most (non-OSDP) readers is not encrypted. It is not difficult to design a small device that captures that output and allows reproduction of credentials those quite simple. I've not heard of any circumstances where this has resulted in a real-life system "hack". The concept is very plausible.

Chuck Janzer
May 29, 2016
IPVMU Certified

One of my customers is in the banking industry and goes through physical security audits and tests regularly... it keeps me in business. A recent test had a "visitor" pick up an access card for the day. He didn't turn in the card when he left for the day. Overnight, he cloned the card and then created a couple more, guessing the number range. The following day he signed back in, apologizing for taking the card back to the motel. The next day he came in posing as an employee. He used a card with numbers lower than the visitor card. He got lucky - or not - it didn't work and the alarm went off. The guard properly challenged the card and the person. Security followed procedures and was congratulated on not falling for "people engineering" to get around security procedures. He went on to explain this was one of the first times he was caught doing this. So, how often it happens or tested????

As others said, the CEO should not have said 'never,' but point out that conventional access technology is moving on and "I have something better."

Jon Nickerson
May 25, 2016

For a standard Wiegand reader, not a standalone with a relay, I would think that is very small risk at this time. If you are talking someone of that knowledge, wouldn't they just pop a ceiling tile and access wiring above ceiling to leave skimming device, and wouldn't you want to skim a reader at the most secure door, say IT room or such... to get the card info with highest access levels? The problem at this time, in my opinion, is the use of 26 Wiegand cards that are easily ordered from manufacturers. Give me a guest card to a building and I can order 500 cards in that range and get anywhere I want in 4 weeks.

Marty Calhoun
May 25, 2016
IPVMU Certified

I understand what you are saying, BUT if the access control is properly maintained, i.e., someone looking at bad card reads, it won't take long for anyone with half a brain to discover someone is 'testing' cards attempting to gain entry. But most people buy the equipment and only use it as a 'reactive measure' and never even consider a 'proactive' approach for their own good.

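Added example, not written by any poster in this thread: one way to automate the review of bad card reads described in the comment above, flagging a reader that sees several unknown, closely numbered cards within a short window. The log line format, the `DENIED_UNKNOWN_CARD` event name, the reader names and the thresholds are all assumptions made for illustration; real access control systems export events in their own formats.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format):
# timestamp, reader, facility code, card number, result.
SAMPLE_LOG = """\
2016-05-25T08:01:10 LOBBY-1 FC=112 CARD=20417 GRANTED
2016-05-25T08:02:03 LOBBY-1 FC=112 CARD=20391 DENIED_UNKNOWN_CARD
2016-05-25T08:02:41 LOBBY-1 FC=112 CARD=20392 DENIED_UNKNOWN_CARD
2016-05-25T08:03:15 LOBBY-1 FC=112 CARD=20393 DENIED_UNKNOWN_CARD
2016-05-25T09:30:00 DOCK-2 FC=112 CARD=18005 DENIED_UNKNOWN_CARD
2016-05-25T13:45:00 DOCK-2 FC=112 CARD=31950 DENIED_UNKNOWN_CARD
"""

def parse(line):
    """Split one event line into typed fields."""
    ts, reader, fc, card, result = line.split()
    return (datetime.fromisoformat(ts), reader,
            int(fc.split("=")[1]), int(card.split("=")[1]), result)

def find_card_testing(log, window=timedelta(minutes=10),
                      min_cards=3, max_spread=50):
    """Alert when one reader sees at least min_cards distinct unknown cards,
    all numbered within max_spread of each other, inside one time window."""
    denied = defaultdict(list)
    for line in log.strip().splitlines():
        ts, reader, fc, card, result = parse(line)
        if result == "DENIED_UNKNOWN_CARD":
            denied[(reader, fc)].append((ts, card))
    alerts = []
    for (reader, fc), events in denied.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct unknown cards seen within `window` of this event.
            cards = sorted({c for t, c in events[i:] if t - start <= window})
            if len(cards) >= min_cards and cards[-1] - cards[0] <= max_spread:
                alerts.append({"reader": reader, "facility_code": fc,
                               "first_seen": start.isoformat(), "cards": cards})
                break  # one alert per reader is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in find_card_testing(SAMPLE_LOG):
        print(alert)
```

The two isolated denials at DOCK-2 are hours apart and far apart in number, so only the LOBBY-1 burst is reported.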
Debra Wooding
May 25, 2016
IPVMU Certified

Disagree if you are discussing outer doors of a building, they have to be mounted outside. I have several inner doors with readers on both sides with no issues there.

David Westberry
May 25, 2016
IPVMU Certified

I think they are referring to this type of attack.

The reader outside isn't really the problem; it is an untampered Wiegand reader. If you use Wiegand and the cable can be accessed without detection, the system can pretty easily be compromised. In my opinion.

Robb Larsen
May 25, 2016

While the article is ridiculous, skimming is pretty easy. I made one of these as an introduction to Arduino and use it regularly (for finding bit information of access control systems I'm taking over).

Instead of creating two devices, I just used a smaller dual prox reader (reads 125 kHz and 13.56 MHz) to find site code information of almost all access control systems out there.

Project was pretty easy once I learned Arduino a bit and worked just as easy once I powered everything on.

At Black Hat 2015, they then introduced the BLEkey to skim cards. Requires tampering with the reader itself, but products like these are why you use the tamper wire on your access control (with an email generated rule alert) and supplement security with cameras and/or policy/procedure.

Marty Calhoun
May 29, 2016
IPVMU Certified

Robb-

Do you have any idea where I could buy one of the Bishop Fox devices completely assembled? I would love to use it as a sales tool and show some of the naysayers just how vulnerable they really are.

thanks

Scot MacTaggart
May 29, 2016

Is it only the guideline that's self-serving? Or are the rest of us a bit guilty of that too? Rejecting it because of the self-serving reasons we don't want to agree (We've already deployed a lot of outdoor readers)?

I think most of the negative reaction people are having is probably because he started with "NEVER" instead of "Consider not" or something less inflammatory to people that are invested in the traditional approach.

His thought isn't wrong. It's not hard to get to the wiring of a reader, and once you're there, data could be skimmed off. How likely is it? I guess it depends on how valuable the target is, and how much of the information is on YouTube or whatever.

To me, this feels just like the data security conversations I have with larger clients. Some people write off a new concept as nitpicky, and others won't be able to tolerate the knowledge that there's a potential threat out there.

John Honovich
May 30, 2016
IPVM

"Some people write off a new concept as nitpicky, and others won't be able to tolerate the knowledge that there's a potential threat out there."

Isn't there something in between those two positions? That is, acknowledging it is some form of risk but also realizing that the cost / tradeoffs to eliminate that risk (given the available options on the market and what everyone has installed) is likely far greater than the risk itself.
