Gallagher Access Control Cybersecurity + CTO Interview

Published Dec 07, 2023 14:32 PM

Security researchers praised Gallagher for its cybersecurity approach, but how does that approach differ, and what competitive differences does it bring?

In this report, based on an interview with the CTO Steve Bell and Director of Federal System Jeff Fields, we detail Gallagher’s cybersecurity approach, including ethical disclosure programs, the HBus communication protocol and how it differs from OSDP and Wiegand, and the company's cybersecurity focus for federal business.

Executive *******

*********'* ************* ******** ******** ******* *******:

  • *********** ********** *******, ******* ******* **** various **** ***********, **** ** ****** (see *********), *********** *** *** ********* Authority (***) ******, *** ********** **** 30 **** ***** ****. * *** access ******* ********* ** ****
  • **** ******** **** ******** ************* ************* between ******* *** ***********, ******** ********* firmware *******
  • *** ***** ******** ******** ******** *** its ********, ********** *************** ****** ********, that *** ** *** ** ****** automatically
  • ~**% ******* ******** ** *&* ******** on *************

Gallagher’s ******* ****** *** ** **** ** ******** ***********

******* **** ***********, **** ** ****** (see*** ****** ********* **** ************* ********), **** **** **** ********* ***** an ******* *** **** **** ******** to *************** **** ***********, ******* ******* with ***********.

**'* ****** **** ******, ******** *** having ******* *** ******** *** *************** disclosure ********** ******** *****. **** *********, they're **** ******** *******, ******* *** have * **** ************* **** ****, and ******** ****** ***, ****** ****** better, *** **** *** **** **** it.

Competitive ********** ** ************* *****

************* *** ******* *************** ****** ****** control **** **** ** ******* ******, with *************** *** ********* ** ************* and *********** ******** *********** ************* ***** work ******* ***** (******, ********, ***.) or ******* ***********. ***** **** ********* take * ********* ******** ** ************* disclosures (******* ** *** ******** ********** *** Industry), ********* ******* ** ******* ************* disclosure *******, *********** ************* *************** **** CVEs, *** ************* ******** *********** ** its *******.

*******, *********'* ******** ***** *** ******** translate ** ******** *********. *********'* ***** challenge ** ******* ** *** *********** against ***** *************, **** ** *** - **** ***** *** ********, ***** products ******** *** ***** ******** ******* (see*** ****** ******* ***** **********). **** ** *********'* ************* ******* could ** **** ********* *** *********** against ******** ***************, *** **** ** integration **** ******** ******** ******* **** and *** **** ** ******* *** entire ****** ** ******** *** ******* and ********** **** ** * ****** sell *** ***** **** ******** ****** control *********.

*********'* ***** ********* ** ********** *********** and ***-***** ** *** ******* ****** control *************** *******. ***** *** *** Prox ***** **** **** ********** *** over * ****** (************ **** ***************,******* **** ****** ******* ******* ******), ~**% ** *********** *** ********* cards *** ******** ******* (******* / *** *** ****** ******* Credential ***** **********), ************ *** **** ** ****** attention ** ****** ******* ***************.

**********

********* **** **** ** ********* ***** 18% ** *** ******* ** ******** and ***********, ******** ** *** ********** development ** ***** ******* **** *** platform.

*** ******* ******* **** ***** **** to ****. ** ******** * *********** portion ** *** *******, ***** **%, to *&*. **** ********** ******** *** status ** * ******* ******* ******* on ****-**** ******** ***********.

***** *** ********** ** ******* *** R&D ***** ** ****** ** ***** than ***********, ********* *** ******* ******* business ******** ***** *&* ******** **** do *** ******** ********* ** ************* or ******* ************.

*** *** ******* ********** ** *********'* integrated ******, ***** ******** ***********, *******, and ******** ********* ***** ****, *********** SSL ********** *** ****** ****** *********** and *** ********** ********* ** ***** platform.

*** ****** ** ** *********, ************ native **-***** *********** ***** ****, **** SSL ********** *** ****** ***********. **'** developed *** *** ***********, ***********, *******, and ********. *** **** *** ****** been ** **** ********* *** ********* our ********.

Responsible ********** *******

********* **** ***** ******** ** ************* includes ******* ******* ********** ******** *** actively ******** ***************.

** *** ******* ********** ******** *** address *************** ***********, ******** *** ****** through *** *******. ***** **** ******** vulnerabilities **** *** ****** *****, ** acknowledge *** ******* ******* ****** *************.

********* *** *********** *** ********* ********* (***) *********** ****. *** ******* ***** ** *** **** ******** *** one ** *** ** *** *******.

***** ******* ***** ************ ********* **** a *** ******, **** ** ****, Dahua, ******, *** *********, ********* ** one ** *** *** ****** ******* companies **** **** ******.

**** ***-********** ********* ***** *** ***** status ** **** *************** ** ****** more ******; *********, ** ** ********* to **** ** *** ****** ** CVEs ********* ** *** ***. ***** 2019,********* *** ********* **** ** ********** *** ******* *****. ** **********, HID *** ******** ~** **** ** the **** ******,********* ** **********. ** ********, **** ****** ******* vulnerabilities ** *** ******** **** *** not ********* (****** ******* *** *** ****** *** DEF *** **** ********,*** ******** ******* ***** **.** *** SE / **** ** ********** ** Cracked *** *** *** ********* ******).

Working **** ******** ***********

****** **** **** ********* ***** **** pen-testing ************* ** **** ****** ********** under ******* ********** **** ********* **** attacks.

** ****** **** ********** ************* ** test *** ******* ***** ********* **********, like ********* **** *******. *** ********* approach ** *********** *** ********** *************** is * ********* ** *** ********** to ********* *** ****** *******.

********* **** *** * **** ** security ********** *************** ***** *******.

HBus **** ******** ********

****** *********’* *********** **** ******** ********, similar ** ****, **** ****** *** bidirectional ************* ******* ******* *** ***********. HBus ** ** ********* **-*** ******** with ************* **** ******** *** ******** upon *** ******* ***************,********* ** *** ********* *******. *********’* ********** ***** ******* *******, OSDP, *** *** ***** ************** *** each ********.

**** **** **** **** *** ********* for ******** *********** *** ***********. **** implements ***********-***** ******** *** ******** ************** for *** **** *******, ********* *************, per *** ***.

** ********* **** *** *********** *** scalability, ******** *** ******** ** *** edge ******* ** ***********. **** ******** loading ************ **** **** ******, ******** a ****** ****** *** ******* *** reader *** **********, *** ********* ******** these **** *** ******** ********.

*********'* ************** ************ ** ***** ****** ******* HBus, ********* ******, ****** **** *********, and ********* *** ********.

*** ************ ** **** ***** **** to **** **** ******* ****** ******* 7 *** ********. ***** ****, ** have ************ ********* ** ***** **** features *** ****** *** ****** *******. For *******, ** ************* ******** ******* for ****** ******* ** **** *** 2017. ** ****, ** ***** ***** security ******** *** ****** ***** ** detect ****** *****. **** ********, ** introduced *** ********, ***** ****** *** Multi-Tech ******* ** **** ********* ****.

*********'* ************** ******* **** ******** **** **** are ***-*** ********* *** ** *** factory *** ******* *********** ******* (*.*., ESPKey) **** ***** ********* ** *** HBus *******.

****** *************, ********* ******** ************ *** Elliptic ***** **** **** **** ***** HBUS ****** ** ****** ***** ** no ****** **** *** ***** *** connect * *********** ****** ** *** HBUS *******. ** ************, ****** **** are ******** ********* *** ****** ** the ********** *** ****** ** **** even ********* ** *** **** *********** that ***** ***** *** ******** ** be ************. ************, **** **** * new ************** ******* ** *********, ****** keys *** *********. ** * ******* is ********** *** **** **** * day ***** **** *** ***********.

**** **** ****** ********* ******** ** generate ****** ****** *** **** ******* are ***** *******,*** ****** *************.

*** **** ******* ******** * ********* to ******** ** ***** ****** *** system ****** *** ****** ** ***** off-line, *** ** ******* ******* * wide ***** ** ********* ****** *******. As **** ******* *********** *** **-*** rather **** ***/**, ***** ** ** need ** ****** * ******* ******** port ** *** ***-****** **** ** the ********.

***** **** *** ** ************ *** access ******* ******* *** ******** ************* and *************, *** ***** *** ****** HBus ***** ** ****** **** ********* products, ** **** ** ******* ** a ******* ***** ** *** *******'* products. ** ****, **** ***** ** more ****** ** *** **** *** for ***** ******* ** *********** ********* lines ** ******** *** ***** *** easily ****** ** ****.

Twice * **** ******** *******

****** ******** *** ********** ** ******** service *** ******** ************* ** *** security ********. ** ******** *********'* ***** on ******** ******* ** ******* ***** threats, ************ *** *******’* ********** ** customer ************ *** ********, ** ** told ****.

*** *** ****** ** ****** ******* is ******** *******, ******* ******* ******* partnerships ** ****** ************ *******. ** emphasize *********** ******** ************* *** ********* updating *** ******* ** ******* ***** threats *** ****** *********.

*** ********* ******* ************* ******* *** ******** ***** *** months ** "**** ******* **** ***** threats *** ****** ************."

Federal ******* *** *************

****** ********* *** ******** ******* ********* for ********* ******** ** ******* ************, noting *** ******* ********* *** ********* required ** ********* ********. **** ******* underscores *** *******'* ********* ** ****-******** standards, ** ** ********* ** ****.

** ******* ************, ** ***** ** how *** ******** *** ****** ****** requirements *** **************. **** ******** ********* product *******, ***** *** ***** **** three ** ****** ******, ********* ** the ******.

*** ******* ************ *********** *** *********, ********* ********, FIPS, *** ****.

*** ****** ********** *** ***** ******** ******** Guide.

** *** ******* ** ****** *** coverage ** ****** ******* *************, ********* adding ************* ** ******** ****** ************* ******** - *****.***, Brivo, ***, *******, ****, ********, ***, Verkada.

Comments (14)
James Mifsud
Dec 07, 2023
Atlas Technologies Australia

***** *******, **’* **** ** *** a *** ******* ******* ****** ***** and **** ****** **** **** *** doing *** *** ***** ******.

*********** ** ****** ******** *** * can *** *** **** *** ***** down **** ****.

(1)
Undisclosed Manufacturer #1
Dec 09, 2023

******* ***** ************ ********* **** * CNA ******, **** ** ****, *****, Hanwha, *** *********

*'** ******* **** **** ** ******** increasingly *******. ******* ***** **** ******** it ********.

Steve Bell
Dec 10, 2023

*** ** *** *** ********** ** going ******* *** ******* ** ******** a *** ** *** ******** **** the **** **** *******. ******* *** customers ******** ***** ******* *************** (***'*) and ********* **** ** *** ******** they **** **** ***** ** ** a ************** ** ** ***** *********.

Undisclosed Integrator #2
Dec 11, 2023

"******* ********* ******** ***** ******* ***************" via **** ********* ** ********* **** liability ********?

Steve Bell
Dec 12, 2023

*** ******* ** *** ********, (*** so **** ******) ** ******** ** long **** ******** ************* ******* ********* and *** ******** *** *********. ** such ********* *** ********* ** ********* product *************** *** **** ********* **** to ******* ******** ** ******** ** less ***** *********, *** **** **** about **** ******** *** *** ****** advantage ** *** ********.

Undisclosed Integrator #3
Dec 13, 2023

********* ** * *** ** * strange ***** ******* ****.

***'* *** ** ***** - ***** security ***** ** *******.

* **** **** ** ****** ********* at ***** ** ********* **** *** only ** **** ** ***/*** *** also ****** ********** (******** ******/***** ******* animal ******** ***) *** ** ***** 2021 ****** **** **** ** - they **** ************ **** ******* **** as ******* ***.

Steve Bell
Dec 15, 2023

* ***** *** ***** ********* ********* from *** ******* * *** *** how *** ***** ******** **** ***** is * ******* ******* *********. *** having **** **** ** **** "******* beast" *** **** **** ** ***** there *** **** **** ***** ***** between *** ******* ********.

**, ** *** **** * *** minutes, * **** ***** ** ********** at *********, *** ***** ** ****, a ******* ****** *** **** ******* the **** ******* *** ****** ******* product ********.

* **** ***** ** ****** **** Gallagher ** * ******* *******, ***** by *** ********* ****** *** ** years. *** ******* ********* (********* & Executive ********) **** **** ********** ** the ******* **** *** ****** *** continued *** *************** ******** ** ******* growth.

** ****, *** *******’* ****** *** credited **** *** ********* ** *** electric ***** *** *** *********** ** animals

**** *** *******’* ** *****, ************* has **** *** ** *** ********* ‘superpowers’ **** ******** ** ****** *** company *****. *** ************* ******** ********:

  • *********** - ** **** * ******* mount ********** **** **** ******* *** all *** ********** ******** ********* *** brand-new ********** **** **** *** **** processor.
  • ******** ********* ******** - *** ****** management *******; ******** ***** **********, ***** scales, ***** ********** *** *****, *** the *** ********* *******. ** ********, our ***** ** ********* ***** **********, energisers, **** ******* *** ********** ********** all *** *** ********* ******** ************
  • *** *********** ** ********* ******** ***** for *** *** ******** ********* *****.
  • * *********** ***** *** ******* ***** but **** **** *** ******** ***** of **** *** *** ********* ******* products.

******* ****** ** ******* ** *** superpowers *** *** ********** *** ******** experience ******** ******* ***** **** ****** the ********* ******* *****. ********* * product ** ********* ************* ********** ** all *** ********* ***** ******** *** be * ********* *** ** ****** valuable ****** *********’* ****** ******** *** agricultural ******* *****. ***** ** **** opportunity *** ********* ******* ******* *** Animal ********** *** ******** *&* *****.

********** *** ****** ******* ******** **** developed *** ************ ** ***, **** a ********* ***** *******, ***** *** brand **** ** ******. ** *** 1970s *** ***** *** *********** ** the *********** ** ********** *** *** station ********** ***** *********** ************** ******* communicated ** * ****** ***** *******. Part ** *** ********** *** ***** hours **** ******** ***** *** ****** cards *** ***** ****** ************ (**** encrypted *** ************** ** *** *****). These ********** ************ ****** *** ******** technologies *** ****** ****** *******.

***** *** ******* *** ****** ********** and ******** ** ********* *** ***** different *** ***** ** * *** in ****** **** *** ********* ** supplying ***** ******* **** * ***** Pacific *******. ** **** **** ******* technology ******** ******** **** ** ***** to *** ** ********* ************ *** sales ************** ** * ****** *****, and ** ***** *** ********** ** establishing **** **** ************ ****** *** world, *** ** ****** ***** ******** by *** *******.

**, **** *** **** **** * “strange *****” ** ***** ******* ** is ******** *** *************** ********** ** our ************ ********** *** ********* *** marketing ************ ****** ****** *** ************* business ***** **** ** *****.

(1)
(1)
Undisclosed #4
Dec 15, 2023

** *****,

** ******** ** * ******* *** user ** ********* ** *** ***. We **** **** ******** **** ********* will ** ****** ******* *** **** technology **** ******* ****** ******* *.* upwards *** ** * ******** ****** to ******* ***** ******** **** **** no ****** *** ** ******* *** GBUS ******** **** **** ******** .

On *** ******* ****** ******* *.* ** **** *** ****** ** *** ************* ******** ** ****** ***/***/****** (*** * ***** ***) **** ** **** ******** .

** **** ** ******** *** , why ** ********* ********* ******* *** customer ** ***** *********/ ******** ** thousands ** ******* ** ******* ********* working **** ******** **** **** ******** if **** ****** ** ******* ** access *** ******** ******** **** ** version *.* ******* ?

Is *** ******* **** ********** *** ******** ** *** ***** ***** *** **** ******** *** ********* ** * ****** ******* ?

Why ******'* ********* ****** ** **** *** ********* *** ****** ** **** ********* **** ** ****** *** **** ** **** ******** **** ******** *.* ******* *** *** *** ******** ** ** ** ***** *** **** ? (** ********* *** **** **** & **** ******** ** *** ****** )

This ********* ** **** *********** **** *** ***** ********* **** ** ****** ** ****** ****** ******** ****** ,***** ******** ** ********* ** *********** ***** *** ***** *** ******* * ******** *** **** ** *** * ******** ******* **** *** ** ****** ** **** ** ******** ******* ****** ******** *.* *** ******* .

* ********** ********** ******* ***** ** this ** "***** ******** " *** , *** ** **** **** ********* (especially ***** ** ****** ******** ) should ***** **** *** ****** ** we ** *** ** *** ****** GBUS ** **** ******** **** ******* 9.1 *******.

**** ******** ******* **** **** ******* to *** ****** **** ** **** in ******* * .* ******** *************.

****** *** **** ******** ** **** important *****.

(2)
Steve Bell
Dec 18, 2023

****** *** *** ********* ***** *** obsolescence *******.

** ** ********** *** **** ** have **** **** ************* **** *** users ** *** ******* *** ** make *** ******* ** ****** ** possible *** *** ***** ** **** their ******* ** ** **** **** our *******.

***** *** *** ** ******* *.* you ** ***** *** ******* ******* that ** ******* ** ****** ** a * ******* *****. * ** assume *** ******** *** "**** ************ Notice" **** ** ***** **** ****. Hopefully *** **** *** *** *** back ***** ** **** ********** **** in ***** ***** ** ******* * 40% ******** *** ***** ***** ** buy * **** ********** ******. ***** that ***** *** ** ****** ** the **** *****.

*** **** ******* ********* ** *** GBUS ****** ** ******* *** **** over ** ***** ******** ********* ** when **** **** *** ********* ***** your **** ******* *** * *******.

  • **** - **** *** ********** ** our ************* ********.
  • **** - ****, *** ******* ************* protocol, *** ********** ** ***********.
  • **** - **** ******* **** ****** into ****** ****** ** **** ********** the *** ** ***** ******* **** cycle.
  • **** - **** ******* **** ****** into *** *** ******, ********** ***** was * ****** ****** ** **** products ********* *** **** **** ************ of *** **** ***** ** ******** was ********.
  • **** - ************ **** **.* **** be *** **** ******* **** ******** GBUS.

*** ******* ******* ****** ******* ***** came ** ****** ** **** *** that *** *** *** *********** ********** of *** ****** ******* *******, ** have *** * ****** ** ********* transition ***** ******* *********** ** ******* with **. ** ** ****** **** over *** ******* **** ** *** customer's **** **** *** ********** ** needing ** ****** ** ***** ****** to ***** ***** ******** ** ** the ****** **********.

** ** *** ********* * **** bar **** *** ***** ******** *********** and ** ********** *** * *** part ** *** *********** ** **** to ****** * ******** **** **** have ***** ***** ******** ******** ***** with ******* ***********. **** ** *** new ************* ** **** ******** **** the **** ** ***** **** **** on ****.

** *** ********* * *********** ****** over *** ****** ***** ** **-********* our ****** ** **** *** ************ of *** **** ***********, ** ** some ***** ** **** ** ***** the ***** ************ ******.

* **** * **** ********* ****** but ** *** **** *** ******* questions, **** * ******* *** ***** out ** *** ********* **** *** your ****** ** *** *** ("**** the ****" ** ********.*********.*** )

Undisclosed #4
Dec 19, 2023

***** ***** *** *** *** ******** and *** ************ . *** ,***** we **** ***** ********** ******** ** the ********* ****** **** ** ******* partner ** *** "**** ************ ******" back ** ***** **** **** ******* of *** ***** ** *** ** % ********, **** ** ***** ** certainly ***** ********* ** **.

** ********* ** * ******** ****** going ******* *** ** **** *** how ****** **** *** ** *** future.

Steve Bell
Dec 19, 2023

*'** **** *** * **** **** Luis ***** *** ** *** ***** Directors, ** ******** *** **** ** email *************@********.*********.************ **** *****

(1)
Undisclosed #4
Dec 19, 2023

***** *** *****, * **** ** so ***** ***** ******** *******.

Undisclosed #4
Dec 21, 2023

**** ******* *****,

* ******* *** ** **** ********* afternoon *** * ** ***** ** say **** ** ********* ******** ** our ******** *** *** ********* ** work **** ** *** *** ***** to ******* ** *********'* ******** ******** for ********* ****** **** ** ****.

** *** ** * ******** **** to *** *** *** ******* ** this **********, ** ***** ***** **** being * **** *** *** **** 12 ***** ****,

" *** ********* ****** ******* ****** has **** * ***** ******** ****** for *** ***********, ******** ** *** constant ****** *** ****** *** ******* of ******** ************** "

***** , ****** ***** .