Ambitious Mobile Access Startup: Openpath

By IPVM Team, Published on May 24, 2018

This team sold their last startup for hundreds of millions of dollars. Now they have started Openpath, aiming to become a rare access control entrant focused on small businesses.

Like many startups, the company is making big claims, such as 'mobile access control at no cost to users', and it offers cloud-based management, eliminating on-site servers.

But how does it work? In this note, we examine Openpath, its strengths, weaknesses, and how it compares to other cloud access systems.

Startup ********** *** *******

***** ** **********, ********'* ******** team *** * ******** in ******** ******** *** new ** *** ******** security ******.

**********, *** **-******** **** technology ******* ******** ********** ******* *** ********** over $*** *******, *****-******* ***** ************* ********* ** * LinkedIn **** **** **** Openpath:

"* *** ** **** with *** **** **** *’** **** ******* **** for ** *****. **’** built **** ********* ******** and **’* * *** of *** ******* **** exceptionally ******** *** ****** people *** * ***** and *******."

********, ******** ****** $* ********* ******* **** *** co-founders, *** * ****** of ************* ******** *****, most ******* ******* ********.

Product ********

*************, ******** **** *** same ****** ************ *** methods ****** ** **** access ******* *******, ***** an **-** *-***** ********** (called ***** ***) ********* to **** ******* *****, position ********, *** *******, and *******.

*******, *** *******'* *** reader ******** ******* ******** like * '*****' ****** that ******* ***** **** a ********** ****'* ********** passes ****, * ********** app '******' ******, ** well ** ***** * regular ********* **** ******.

*** ****** ** *****-*****, and *** **** *** networks ** * *****-***** management ******. ****** '***** lock' ******** ******** **** ********* ** ****, ******** ******** ** door **** ** ***, instead ****** ** *********** with ******** ********, *******, or ******** **** ********.

*** (** *****) ******** video ******** ***** ******** approach:

Mobile ********** *******

****** **** ****** *******, Openpath ****** ***** * free ***, *** ** equipped, *********** ** **** credentials ** ****** ***** aboard ***** ****** *******.

**** ***** *********'* *********** $*** *******, ** ** * different ********** ******* *** available, ********* ***-******* **********/****** ***, smart ***** ***********, ** app-proximity ******* ****** **** button *** * ***-*** format **.** *** **** reader:

 

*** ****** ****** ****** to ****** ******** **** smartphones '**** ** **'* in * ***** ** pocket', ********** '*****' ** unlock ***** *** ******* up ***** *** **** to ***** ***** *****. 

*** *****-**** '*****' *** access ********** ******* ****** from ***** ***** ***** small ****** ***** ****** platforms ******** ********, **** **** ******* an ***, *** **** combined **** *** ****** support ** ********* *******.

Smart *** **** **********

**** **** ****** *******, the **** *****, *******, and ***** *********** *** controlled ** * **** panel. ********'* $*** ***** Hub [**** ** ****** available] ******** ** ** 4 *****, *** * readers - ****** ********'* RS-485 ********* ******* ** standard ******* ***** *******:

******* ******* ***** **** 3rd-party ******* *** *********, so *** ****** *** potentially **** **** ******** deployments ** ***'**** ********' **.** *** formats.

*** *****-********* ***** *** includes * ** ***** supply ** ****-******* ***** power ** **** ***** and *******, ***** ****** for **** **** **** strength ******** *** ********** duty *******.

System *******

********'* ******** **** ** ** up *****, *** **** cost, *** *** ***** based ****** **** *** an ***** ******* ******* ****, ***** ** $** per *****/ *** **** (discounted ** $** *** month ** ********* ** annual *****). *** ******* also ********* **** ******* larger **** ** ***** should '**** *****' *** negotiated *******.

*** *** ******* ****** out *** ******* *******:

  • * ****: * ****** office **** **** ******** ****** would ** $***, **** $40 *** *****.
  • * ****: * ******* small ********, **** **** system **** **** ******** readers ***** ** $*,***, then $*** *** *****.

Integrator/Installer *******

************** ****** ** *** public, ******** *********** **** **** users **** **** ** opt *** ************ ************ of *** ****.

***** * ****** ******** *******, *** ******** **** *** install ** ** *** installers, **** ******** ********** for *** ********* ********* equipment *** ******* *******. 

Bypassing ******* *****

*** ****** **** ******** shares **** ***** ****** startups **** ****, *** even *********, ** **** those ********* ***********, *** do *** **** ** the ******** ******** ******** dealer ******* *** ********* and ********* *** *******.

******, **** **** * feature **********, ******** ******* on **** ** *** rather **** ******* ******* features ** ** ********* access ******.

******* ** ***** ******** focus, ******** ******* ******** to *** *****, *** is ****** *********** ******** ******* ** ******-****** webpages. *** *******'* ********* is ******** ** ***** whose ********* **** *** greatly ****** **** ****** usability ********, *** **** 'deep' *********** ** *********, it ******* ****** **-******* platforms **** *-*****.

** *****, ******* ********* is *** ******** ** security-first ****** ** ***, but ***** *** **** a **** ********** ********** interest.

**********

******** ***** **** *** challenges **** ***** ******** grade ****** ******** *** the ********* ********** ****** market:

***** *****: ******* ********* ****** as ** '****** ******* system', ****** *****-******** ****** market ****** ******, ** ****, Openpath ******** ********** *********** locks, ***** *** *** hundreds ** * ****** door ****** ******** **********.

** ************: ** ******, *** ****** does *** ********* **** or ******* *****, ****** systems ***** ******* **** access **** *****. **** modest, *** **** ****** integrations **** ******** ******* are *** *********, *** users *** **** *** closed *********** ********* ***********.

Less ********* ***** ****** ***********

*** ** *** ******* barriers ******** ** ****** to **** ** **** price.

** *** **** **** a ****** ****** ** one **** ** ************** installed, *** ~$*** ******** cost *** $** ******* subscription ** ************* ****** than ******* ********** ***** cloud ********** ****** ******** like *********, ** ******** [**** ** longer *********] ********* ********** *** ~$600 *** $** *** month ** ************ ****.

Early ****** ** ******

***** ******* ** **** and ******* *************** ** weak, **** ** ********'* first ***** **** ****** control, *** *** *******'* strategy **** ********* ******. Indeed, ** *** ******* emerges **** ******* ******, even ****** ********* **** ************* with ********* ******** *** competition *** ** ********.

***** *** ****** ** well-heeled ** ***** ** funding *** ** *********** ****, **** could ********* ****** ** be **** *********** *** certainly ****** ********.

 

Comments (10)

I'm always a bit suspicious (or something) when the spelling is bad.

You guys should add to the 'Weakness' list, the fact that this new access control manufacturer here in 2018, is still continuing to support Wiegand (which is nearing 50 years old & highly vulnerable to exploitation).

Heck, you guys at IPVM wrote about this issue over 4 years ago: https://ipvm.com/reports/wiegand-vs-odsp

Not saying this team's new venture will be unsuccessful, only that they seem to be solely focused on delivering 'convenience-driven' security. As opposed to building a leading edge technology that offers all of those features, conveniences, AND improves their clients' security postures & risk mitigation strategies.

This is the first of many comets that will be the demise of access control integrators, manufacturers and the entire design-o-saurs.

 

Wiegand support will be part of the demise of access integrators?

I don't for a second mistake Wiegand as secure, but it is hardly a weakness unique to Openpath. 

Agreed Brian, that Wiegand is not an OpenPath specific issue.

My only point was that this manufacturer missed a golden opportunity to really differentiate themselves from the already crowded market of Access Control, which is overwhelmingly saturated with Wiegand inter-operability.

(This is the equivalent of introducing a new security technology in 2018, that's still using Windows 95)

Social Engineering and Card Cloning is like 1% as bad as any of the many "Man-in-the-Middle" attacking modules that have been designed to exploit Wiegand... but yet the former garner all of the attention.

 

Some things to consider:

* You can't trick a lobby receptionist thousands of times, 24/7/365, to gain entry into secured areas.

** Cloning one card here or another card there, is not nearly as detrimental as having 100's or 1000's of employees delivering their card credential information to you. (As they swipe into a Wiegand-based reader.)

 

References:

MitM #1 (Released in 2015): www.blekeyrfid.com

MitM #2 (Released in 2017): https://redteamtools.com/espkey

MitM #3 (Released in 2018): https://github.com/rfidtool/ESP-RFID-Tool/blob/master/README.md#esp-rfid-tool

Wiegand (A Decade of Decryption- By Brandon Chung): http://www.cs.tufts.edu/comp/116/archive/fall2017/bchung.pdf

 

This is a loaded topic Brian, I am available to help if you and John want to turn this into an official write-up...

A little late to the dance, instead of an official write-up how about you do a full read up first.

Google, Alexa..um.. what is:::

La Carte a Puce,

Instant ciphertext-only cryptanalysis of GSM encrypted communication,

Building and Transport Cards: Attacks and Defenses,

Algebraic Attacks on MiFare RFID Chips,

The Dark Side of Security by Obscurity and Cloning MiFare Classic Rail and Building Passes Anywhere, Anytime,

Algebraic Attacks on Stream Ciphers with Linear Feedback,

MFCUK,

If your password is 123456,

Heart of darkness - exploring the uncharted backwaters of hid iclass,

Engineering and Access Control Systems,

Cryptanalysis of the Random Number Generator of the Windows,

Reverse-Engineering a Cryptographic RFID Tag,

Silence on the Wire,

IPVM.COM,

MitM #3 released 2 months ago... not sure how that makes me late? Plus I'm speaking of a specific type of threat, and have not disclosed other areas of research.

I'd love to collaborate (and learn) with you Undisclosed #2, but your angle seems a bit hostile. I hope I've misread this.

My info is available, please reach out if you can. I believe there's strength in numbers...

I am hostile, you did not misread. I wish I had time to reach out but I am very busy. Relax, us trolls sit in amazing places. I am sure you are on top of your game, I just like to give people a nudge here and there.

I dislike access control systems that still incorporate wiring systems that resemble a VW bug. Although Openpath uses a defeated credential, it can be turned off; it is only there as a compatibility and migration plateau and was not a design miss. If the system contains WWII cabling and terminations then what else can be lacking in their upgrade?

Manufacturers clone each other's board technology and enough engineers have musical chaired their way around the industry seeking that next raise. There are no secrets, at the process's design level and pic technology, it is common knowledge amongst some nerds. Look at the iStar Ultra, they finally got rid of the ribbon cable and now connect ACM via USB (bout time, and...why stop there?). What about the IP-ACM? Cool toy, however why did they stop at copper ethernet? It just takes a Lantronix XPICO and you are BLE, and A/B/G/N! You can DIY with a XPICO kit and connect ether to ether...however manufacturers can do it for a lot less. Why stop there? The card reader itself should be GSM! And not like the reader from Openpath going back to another Volkswagen fuse block 4 reader panel.

This thread...from ambitious access control systems to inevitable integrator comets of demise to H10301 foreplay and back to a post about another system that will be sold on Amazon and installed by union electricians on their day off. For all the technology that pushes us forward there will be some that rears us back. For now I'll pass on all these beta systems that simplify complexity by simplifying vulnerability and eventually the integrator and his workforce must be let go. Who drags a wire to every device? Got a glass break? Here's a wire for that! Got a card reader? Got a wire for that too! Got a door contact, double door you say? We can series those together and yes we got a wire for that. Still running around with a digital multimeter looking for ground faults? WHY?

The expectation to simplify is overlooked by security engineers who have been led to believe they must have an elaborate, complicated value priced solution that sounds like he is smart in fact damn near genius and in the end what do we get?

More Volksweigands!

Your background sounds diverse & astonishing, would love to learn more about ways on how you may be putting it to good (actionable) use. Let's stop talking about it, and let's do something about it.

You've got my info... leaving the door wide open for collaboration.

["Volksweigands"... Never heard that before - That's pretty damn funny!]

 
