Ambitious Mobile Access Startup: Openpath

By: IPVM Team, Published on May 24, 2018

This team sold their last startup for hundreds of millions of dollars. Now they have started Openpath to become a rare small-business-focused entrant in access control.

Like many startups, the company is making big claims, such as 'mobile access control at no cost to users', and offers cloud-based management, eliminating on-site servers.

But how does it work? In this note, we examine Openpath, its strengths, weaknesses, and how it compares to other cloud access systems.

Startup ********** *** *******

***** ** **********, ********'* ******** team *** * ******** in ******** ******** *** new ** *** ******** security ******.

**********, *** **-******** **** technology ******* ******** ********** ******* *** ********** over $*** *******, *****-******* ***** ************* ********* ** * LinkedIn **** **** **** Openpath:

"* *** ** **** with *** **** **** *’** **** ******* **** for ** *****. **’** built **** ********* ******** and **’* * *** of *** ******* **** exceptionally ******** *** ****** people *** * ***** and *******."

********, ******** ****** $* ********* ******* **** *** co-founders, *** * ****** of ************* ******** *****, most ******* ******* ********.

Product ********

*************, ******** **** *** same ****** ************ *** methods ****** ** **** access ******* *******, ***** an **-** *-***** ********** (called ***** ***) ********* to **** ******* *****, position ********, *** *******, and *******.

*******, *** *******'* *** reader ******** ******* ******** like * '*****' ****** that ******* ***** **** a ********** ****'* ********** passes ****, * ********** app '******' ******, ** well ** ***** * regular ********* **** ******.

*** ****** ** *****-*****, and *** **** *** networks ** * *****-***** management ******. ****** '***** lock' ******** ******** **** ********* ** ****, ******** ******** ** door **** ** ***, instead ****** ** *********** with ******** ********, *******, or ******** **** ********.

*** (** *****) ******** video ******** ***** ******** approach:

Mobile ********** *******

****** **** ****** *******, Openpath ****** ***** * free ***, *** ** equipped, *********** ** **** credentials ** ****** ***** aboard ***** ****** *******.

**** ***** *********'* *********** $*** *******, ** ** * different ********** ******* *** available, ********* ***-******* **********/****** ***, smart ***** ***********, ** app-proximity ******* ****** **** button *** * ***-*** format **.** *** **** reader:

 

*** ****** ****** ****** to ****** ******** **** smartphones '**** ** **'* in * ***** ** pocket', ********** '*****' ** unlock ***** *** ******* up ***** *** **** to ***** ***** *****. 

*** *****-**** '*****' *** access ********** ******* ****** from ***** ***** ***** small ****** ***** ****** platforms ******** ********, **** **** ******* an ***, *** **** combined **** *** ****** support ** ********* *******.

Smart *** **** **********

**** **** ****** *******, the **** *****, *******, and ***** *********** *** controlled ** * **** panel. ********'* $*** ***** Hub [**** ** ****** available] ******** ** ** 4 *****, *** * readers - ****** ********'* RS-485 ********* ******* ** standard ******* ***** *******:

******* ******* ***** **** 3rd-party ******* *** *********, so *** ****** *** potentially **** **** ******** deployments ** ***'**** ********' **.** *** formats.

*** *****-********* ***** *** includes * ** ***** supply ** ****-******* ***** power ** **** ***** and *******, ***** ****** for **** **** **** strength ******** *** ********** duty *******.

System *******

********'* ******** **** ** ** up *****, *** **** cost, *** *** ***** based ****** **** *** an ***** ******* ******* ****, ***** ** $** per *****/ *** **** (discounted ** $** *** month ** ********* ** annual *****). *** ******* also ********* **** ******* larger **** ** ***** should '**** *****' *** negotiated *******.

*** *** ******* ****** out *** ******* *******:

  • * ****: * ****** office **** **** ******** ****** would ** $***, **** $40 *** *****.
  • * ****: * ******* small ********, **** **** system **** **** ******** readers ***** ** $*,***, then $*** *** *****.

Integrator/Installer *******

************** ****** ** *** public, ******** *********** **** **** users **** **** ** opt *** ************ ************ of *** ****.

***** * ****** ******** *******, *** ******** **** *** install ** ** *** installers, **** ******** ********** for *** ********* ********* equipment *** ******* *******. 

Bypassing ******* *****

*** ****** **** ******** shares **** ***** ****** startups **** ****, *** even *********, ** **** those ********* ***********, *** do *** **** ** the ******** ******** ******** dealer ******* *** ********* and ********* *** *******.

******, **** **** * feature **********, ******** ******* on **** ** *** rather **** ******* ******* features ** ** ********* access ******.

******* ** ***** ******** focus, ******** ******* ******** to *** *****, *** is ****** *********** ******** ******* ** ******-****** webpages. *** *******'* ********* is ******** ** ***** whose ********* **** *** greatly ****** **** ****** usability ********, *** **** 'deep' *********** ** *********, it ******* ****** **-******* platforms **** *-*****.

** *****, ******* ********* is *** ******** ** security-first ****** ** ***, but ***** *** **** a **** ********** ********** interest.

**********

******** ***** **** *** challenges **** ***** ******** grade ****** ******** *** the ********* ********** ****** market:

***** *****: ******* ********* ****** as ** '****** ******* system', ****** *****-******** ****** market ****** ******, ** ****, Openpath ******** ********** *********** locks, ***** *** *** hundreds ** * ****** door ****** ******** **********.

** ************: ** ******, *** ****** does *** ********* **** or ******* *****, ****** systems ***** ******* **** access **** *****. **** modest, *** **** ****** integrations **** ******** ******* are *** *********, *** users *** **** *** closed *********** ********* ***********.

Less ********* ***** ****** ***********

*** ** *** ******* barriers ******** ** ****** to **** ** **** price.

** *** **** **** a ****** ****** ** one **** ** ************** installed, *** ~$*** ******** cost *** $** ******* subscription ** ************* ****** than ******* ********** ***** cloud ********** ****** ******** like *********, ** ******** [**** ** longer *********] ********* ********** *** ~$600 *** $** *** month ** ************ ****.

Early ****** ** ******

***** ******* ** **** and ******* *************** ** weak, **** ** ********'* first ***** **** ****** control, *** *** *******'* strategy **** ********* ******. Indeed, ** *** ******* emerges **** ******* ******, even ****** ********* **** ************* with ********* ******** *** competition *** ** ********.

***** *** ****** ** well-heeled ** ***** ** funding *** ** *********** ****, **** could ********* ****** ** be **** *********** *** certainly ****** ********.

 

Comments (10)

I'm always a bit suspicious (or something) when the spelling is bad.

You guys should add to the 'Weakness' list, the fact that this new access control manufacturer here in 2018, is still continuing to support Wiegand (which is nearing 50 years old & highly vulnerable to exploitation).

Heck, you guys at IPVM wrote about this issue over 4 years ago: https://ipvm.com/reports/wiegand-vs-odsp

Not saying this team's new venture will be unsuccessful, only that they seem to be solely focused on delivering 'convenience-driven' security. As opposed to building a leading edge technology that offers all of those features, conveniences, AND improves their clients' security postures & risk mitigation strategies.

This is the first of many comets that will be the demise of access control integrators, manufacturers and the entire design-o-saurs.

 

Wiegand support will be the part of the demise of access integrators?

I don't for a second mistake Wiegand as secure, but it is hardly a weakness unique to Openpath. 

Agreed Brian, that Wiegand is not an OpenPath specific issue.

My only point was that this manufacturer missed a golden opportunity to really differentiate themselves from the already crowded market of Access Control, which is overwhelmingly saturated with Wiegand inter-operability.

(This is the equivalent of introducing a new security technology in 2018, that's still using Windows 95)

Social Engineering and Card Cloning is like 1% as bad as any of the many "Man-in-the-Middle" attacking modules that have been designed to exploit Wiegand... but yet the former garner all of the attention.

 

Some things to consider:

* You can't trick a lobby receptionist thousands of times, 24/7/365, to gain entry into secured areas.

** Cloning one card here or another card there, is not nearly as detrimental as having 100's or 1000's of employees delivering their card credential information to you. (As they swipe into a Wiegand-based reader.)

 

References:

MitM #1 (Released in 2015): www.blekeyrfid.com

MitM #2 (Released in 2017): https://redteamtools.com/espkey

MitM #3 (Released in 2018): https://github.com/rfidtool/ESP-RFID-Tool/blob/master/README.md#esp-rfid-tool

Wiegand (A Decade of Decryption- By Brandon Chung): http://www.cs.tufts.edu/comp/116/archive/fall2017/bchung.pdf

 

This is a loaded topic Brian, I am available to help if you and John want to turn this into an official write-up...

A little late to the dance, instead of an official write-up how about you do a full read up first.

Google, Alexa..um.. what is:::

La Carte a Puce,

Instant ciphertext-only cryptanalysis of GSM encrypted communication,

Building and Transport Cards: Attacks and Defenses,

Algebraic Attacks on MiFare RFID Chips,

The Dark Side of Security by Obscurity and Cloning MiFare Classic Rail and Building Passes Anywhere, Anytime,

Algebraic Attacks on Stream Ciphers with Linear Feedback,

MFCUK,

If your password is 123456,

Heart of darkness - exploring the uncharted backwaters of hid iclass,

Engineering and Access Control Systems,

Cryptanalysis of the Random Number Generator of the Windows,

Reverse-Engineering a Cryptographic RFID Tag,

Silence on the Wire,

IPVM.COM,

MitM #3 released 2 months ago... not sure how that makes me late? Plus I'm speaking of a specific type of threat, and have not disclosed other areas of research.

I'd love to collaborate (and learn) with you Undisclosed #2, but your angle seems a bit hostile. I hope I've misread this.

My info is available, please reach out if you can. I believe there's strength in numbers...

I am hostile, you did not misread. I wish I had time to reach out but I am very busy. Relax, us trolls sit in amazing places. I am sure you are on top of your game, I just like to give people a nudge here and there.

I dislike access control systems that still incorporate wiring systems that resemble a VW bug. Although Openpath uses a defeated credential, it can be turned off; it is only there as a compatibility and migration plateau and was not a design miss. If the system contains WWII cabling and terminations then what else can be lacking in their upgrade?

Manufacturers clone each other's board technology and enough engineers have musical chaired their way around the industry seeking that next raise. There are no secrets, at the process's design level and pic technology, it is common knowledge amongst some nerds. Look at the iStar Ultra, they finally got rid of the ribbon cable and now connect ACM via USB (bout time, and...why stop there?). What about the IP-ACM? Cool toy however why did they stop at copper ethernet? It just takes a Lantronix XPICO and you are BLE, and A/B/G/N! You can DIY with a XPICO kit and connect ether to ether...however manufacturers can do it for a lot less. Why stop there? The card reader itself should be GSM! and not like the reader from Openpath going back to another Volkswagen fuse block 4 reader panel.

This thread...from ambitious access control systems to inevitable integrator comets of demise to H10301 foreplay and back to a post about another system that will be sold on amazon and installed by union electricians on their day off. For all the technology that pushes us forward there will be some that rears us back. For now I'll pass on all these beta systems that simplify complexity by simplifying vulnerability and eventually the integrator and his workforce must be let go. Who drags a wire to every device? Got a glass break?-here's a wire for that!, got a card reader?-got a wire for that too!, got a door contact, double door you say? we can series those together and yes we got a wire for that. Still running around with a digital multimeter looking for ground faults? WHY? 

The expectation to simplify is overlooked by security engineers who have been led to believe they must have an elaborate, complicated value priced solution that sounds like he is smart in fact damn near genius and in the end what do we get?

More Volksweigands!

Your background sounds diverse & astonishing, would love to learn more about ways on how you may be putting it to good (actionable) use. Let's stop talking about it, and let's do something about it.

You've got my info... leaving the door wide open for collaboration.

["Volksweigands"... Never heard that before - That's pretty damn funny!]

 
