Rocks vs Wiegand: Access Control Risks
Wiegand is an access control security risk but so are rocks. How should security professionals handle such risks?
Access control manufacturer PDK's founder talked about their new OSDP-enabled product while emphasizing that other fundamental risks still exist, such as simply throwing a rock through glass to break in.
Inside this report, we share:
- PDK Founder contrasts Wiegand vulnerability to rock smashing risks
- Comment on how OSDP is used to segment the access market
- Why exploiting Wiegand does not take great complexity
- OSDP importance as 'Industry Standard'
- Examining how OSDP fixes Wiegand risk
For background, see OSDP (vs Wiegand) Access Control Guide.
PDK ******* '*** **** ****' ********* ****
****** ******* **** ****** ****, ** ****** ************ **** **** while **** ******** ******* ******** *******, physically ******** * ****** ** * major **** ******:
** *******, *** *** ********** *** new, ****** ******** ****-******* ******** ********* ***. *** *******'******-****** ******** **************** ******* **** *** ** *** support ****.
**** *****, ********* *** **-******* ** PDK (**********)****:
************'***********'.*******,************************,*'******************,***,******************? (*******?)*****,****,***'****************************************.*******,******'***************************************.********,*******,*************************************************************,******************.
**** **** '** ******* ******'
***** **** **** **** **** ** used ** ************* *** ******** ********** to ************ '******* *** ******' ** exclude ****** ********* **** ** *** have **:
****, ***** **** ** ***** ** the **** ****, *** ****, ***** in **** *****, *'* * ****** bit ** * ******** **** ****** like ****. ***, *** **'** *** a ***** ** *********** ****** *** organization **** *** *** **** ***** this ********** *** *** ** ********* what's **** *********.
*****'* ** ******** **** *****'* ********** in *** ********, ****'* ********* ** large ************* ** ******* *** ******, right?
*** ** ******* ******
*** ********* ********** *** '*******-********' ** using********(************* ****) ******* **** ***** *** doors ** *** *****:
**** ***'** ********* ** **** (******* door **********) ******, *** *'** *** my ********** *** ** *** ****, and *'* ******* ** ****, ***** three, ****, ** **** ****, **** the ******* ** **** ****, ** really ** *** ******* **** ******** is ***** ** *** * ******* and *** *** **** ***, *****, and ***** ***, *** ****, *** wires *** ******* ** **.
*******, ******** ********** *******'* ******** ** not ******* ******* ** ******. ** fact, ***** ******* ******* ****** **** than * *********** *** * *** minutes ** ***.*** ***** ***** ***** *** ******* are ********* *********:
******* ******** *** **** *** *********** to ***, **** **** **************** ~$** - $** ******.
OSDP ********* ** '******** ********'
***** ****** **** '********* *********' *** to ** ******** '** ******** ********' for ******, *** ******* ***** ** saying ** *** ******* ** ***** security:
**, *** ****, *'* *** ***** say **** * ***'* ******* ** OSDP, * ***** **** **'* ********* important. *** *** ***, ** *** the **** ** ***** ********* ******* it *** *** ***** ***** ** do *** ******* ********* *** ***** it. *** ****'* **** ** *** is ********* *** ****** ** ****. And *** ******* ** ****** **** out *** ***. *** **** ** truly ********** *** *** **** **** that **** **** *** **********. *** there *** ********* ***** ***** ** features **** *** **** ** **** adjustments ** ******* ** ******* ** becomes ** ******** ******** ** ******** specific.
OSDP **. ******* ****
**** ** ********* ******* ** **** security ** *** **** *********** ** access ******* ** ***********.
******** ******** ******* *.*.*, ***-*** *** ********** ** **** on **** ******* ****** *** **********. Previous ******** ** **** *** *** support **********, ** ** *** *** defined ** '*********' ***** ****.
**** **** ****** *******, *** ******** between ****** *** ******** ********** ** encrypted ******* **** ************ *** ********* copying **** '*** ** *** ****** devices.
******* **** *** ******* ******* ****. For *******,*** $** ******** ***$** *** **** ************ *** ********** **** (********** ** how ****** *** ****** **) *** makes ** **** ** ****, ******, or ********* ****** **** **** ** break **** ** ****** ******:
****** ***** ****** ****** ** ********** to *** **** ** ******* ******* when ******** *** ********* ** *** reader. *** **** *********** **** ********* can **** ** **** ** ****** identical ****** ** ***** ***** ** to ****** ***** ******* ******* ** systems ********* ******* ********.
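To make concrete why exploiting Wiegand requires so little complexity, and what the OSDP secure channel changes, here is an added worked example (written for this edit, not code from the article or from PDK). It models the standard 26-bit H10301 Wiegand layout: one even-parity bit, an 8-bit facility code, a 16-bit card number and one odd-parity bit, sent as bare pulses on the D0 and D1 wires. The "captured" pulse list is constructed inline; real capture hardware and timing are out of scope. The point the code shows is that the wire carries the credential in clear with no authentication and no per-transaction freshness, so a captured frame decodes directly to a card number and re-encodes to an identical, replayable frame. Parity is the only check, and it only catches accidental bit errors, not a deliberate replay or clone.

```python
"""Wiegand 26-bit (H10301) decode/encode and replay demonstration.

Wiegand is a two-wire pulse protocol between reader and controller:
a pulse on D0 is a 0 bit, a pulse on D1 is a 1 bit. There is no
encryption, no authentication of the reader, and no nonce or counter,
so the same 26 pulses unlock the door every time they are sent.

Frame layout (bit positions 1..26):
  bit 1      even parity over bits 1..13
  bits 2..9  8-bit facility code
  bits 10..25  16-bit card number
  bit 26     odd parity over bits 14..26
"""

FC_BITS = 8
CARD_BITS = 16
FRAME_BITS = 26


def pulses_to_bits(pulses):
    """Translate a captured sequence of wire pulses ('D0'/'D1') into bits.

    This is all a wire tap has to do: it never needs a key or a card.
    """
    lookup = {"D0": 0, "D1": 1}
    return [lookup[p] for p in pulses]


def bits_to_pulses(bits):
    """Inverse of pulses_to_bits: what a replay device drives onto D0/D1."""
    return ["D1" if b else "D0" for b in bits]


def encode_w26(facility_code, card_number):
    """Build a 26-bit frame from a facility code and card number."""
    if not 0 <= facility_code < (1 << FC_BITS):
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number < (1 << CARD_BITS):
        raise ValueError("card number must fit in 16 bits")
    body = [int(b) for b in f"{facility_code:08b}{card_number:016b}"]
    first_half, second_half = body[:12], body[12:]
    even_parity = sum(first_half) % 2          # makes bits 1..13 even
    odd_parity = 1 - (sum(second_half) % 2)    # makes bits 14..26 odd
    return [even_parity] + body + [odd_parity]


def decode_w26(bits):
    """Recover (facility_code, card_number) from a 26-bit frame.

    Raises ValueError on a length or parity mismatch. Note that a valid
    parity proves only that the frame was not corrupted in transit; it
    says nothing about who sent it.
    """
    if len(bits) != FRAME_BITS:
        raise ValueError(f"expected {FRAME_BITS} bits, got {len(bits)}")
    even_parity, body, odd_parity = bits[0], bits[1:25], bits[25]
    if (even_parity + sum(body[:12])) % 2 != 0:
        raise ValueError("even parity check failed")
    if (odd_parity + sum(body[12:])) % 2 != 1:
        raise ValueError("odd parity check failed")
    facility_code = int("".join(map(str, body[:FC_BITS])), 2)
    card_number = int("".join(map(str, body[FC_BITS:])), 2)
    return facility_code, card_number


def clone_from_capture(pulses):
    """Turn one captured badge presentation into a replayable pulse train.

    Returns (facility_code, card_number, replay_pulses). The replay is
    bit-for-bit identical to the capture because nothing in the frame
    varies between presentations.
    """
    fc, card = decode_w26(pulses_to_bits(pulses))
    return fc, card, bits_to_pulses(encode_w26(fc, card))


def demo():
    # Constructed capture: a legitimate badge with FC 1, card 1 being read.
    captured = bits_to_pulses(encode_w26(1, 1))
    fc, card, replay = clone_from_capture(captured)
    assert replay == captured
    return fc, card


if __name__ == "__main__":
    print("decoded facility code and card number:", demo())
```

Under OSDP with the secure channel enabled, the same credential would travel inside an AES-encrypted, MAC-protected session between reader and controller, so a wire tap sees ciphertext that changes per session rather than a fixed 26-pulse pattern, and a replayed frame fails the MAC check. Note that OSDP only delivers that benefit when the secure channel is actually turned on and the default key has been replaced; an OSDP reader running in plaintext mode is no better than Wiegand on this point.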
****/****
******** *** ** ***'* **** ********* have * ****** ** *******.
** **** * ****** ******, ** is *** ********** ** *********!
*** * **** *****, ****. ** can ********** ****** * ****** ****.
********, *** ******* ************* ** **** access ******* ******* ** **********. ** need ** ***** * **** ******* the ******, **** **** *** ******* to ***** ** ***** *** ******** and **** **** ***** **. **** people **** **** ******** **** *** door **** *** *** **** *****. During ** ******** ***********, * **** that * *** *** **** * building ***** **** ********* **** **% of *** ****.
**** ********** ** **** ******* ******* of *** * ***-*******, ****-***** ******** to ******** **** ** *****. *** level ** **** ****** ******* **** facility ** ******** *** **** ** mandatory ** *** ******** ** *********** at *******.
******* ***** ** ********** *** *********** to ******** ***** ** ******* **** as ******* **** ************** ***** *** networks ** ************** ***********. *******, ** most **********, ***** *** *** ********** cases ** ** ******** ******* ****** using ***** *******. ***** *** *** easier **** ** ***** * ********: tailgating, ******** * *****, ** ****** looking *** * **** **** *** failed ** ***** ********.
**** **** ***** ****, * ***** that ** ** ************* *** * manufacturer ** ******** ** ***** ******** that **** ***** ******** *************** **** more ****** ******** *** ** ******** at ****** *** **** ****. **** consumers *** ***** *** ********** (******* false) **** *** ******** ******* **** by * * ********* ************ **** indeed ******* ********. ******* * ******* with ***** ******* ******* ** ********** in ** *******.
* *****'* **** **** ** ***** types ** ******* ** *** ***** anymore. *** **** ***** ** *** easiest ** ******* *** ****** *** you ***** ** **** ******* ** find ***.
* ******* *** **** ** ******** to ** ********* *** **** **** don't ****** ****. ***** ******* ** to ******* * *** ****** **** a *** ********** *** **** ***** are *** ******** **** ***** ********* cards ****. **** ******* * ******** to *** * ********** **** ** even * **** *** ** *** extra ****.
**** ** ****** *********** ** ****** bid ***** ******* *** *** **** readers.
* *** ******* ******* *** *** comments *** *** ********* **** * was ********. * ***** *** **** question ****** **, "*** **** ** your ********* **** ***** ******** *****?"
*** ** *** ****** * ******* the ******** ***** ** *** ********* at *** **** ** *** *** don't ****** ******** ** **** ** more ******. *** *** ******* *** a ***** ******* *** * *** floored **** **** ********* ****. * have **** *** *** **** **** installed ** *** **** *** *****. I ********** *** ******** ************** *** the **** *****, *** ***** ** no ****** *** ** ******* **** didn't **** ****** ******* ******.
** ******* *********, *** ******* ** often **********. ****** ***** ******* * mullion ** ********* **** ** ****.
* **** ****** ****** **** **** I **** ******* ***** ** ******* just ** *** *** ******** **. I **** ***** **** ** *** area ** ******* *** ****** *** as ****** *'* ******** ** ** there *** ********* ** *** **** anything. **** ** ****** **** ***** when *** ********* ***'* ********* **. If *** *** ******* *** *** part *** ******* **** ********* ********, people ********* ***'* ******** ***. **** when *** **** ********** **** ** raise ******. ****** **** ***'* ****** true. * *** ********* ******* ***** ago ***** * ****** *** *** back ******* * ******* **** ****** a ***** ** * **** ****. He *** ******** *** *** ***** time ** **** *** *** ******* and ** * ***** *** ****. The ***** **, ** ***** ***** for ****** ** **** *** ** employee **** * *****.
**** **** **** ******** *******, **** asked ***** *** **** ***. * said *** **** ******* ** ***** they ********* ****..."**, *** **** ********." This ********* **** **** ******* *** used ***** *** *** **** ****** at *** **** *** ***** **** the ***** *******.
* ******* *** ******* "****" ******** risk *** ******* ****** ******* ***-***** remains *** ********* *********** *** *** ability *** **** ** ** ********** in ** ******* ** *** ***** grocery *****.
**** ** **** *** ******* ***** recognize **** ***** *********** *** ******** WORSE **** **** (******* **** *** spoofing * **** ****-****** *** ****** it **** **** **** ******* *** a **** ****** **** **** *** not) **** ********** ** ** **** to **** *** ****** *** ******* readers *** ***********.
********** *** ****** ****--*** *******--*** ******* way ** ******** * **** ****** entry *****.
******** ******* **** * **** *** gain ******* *****, *** ****'* **** a ********** ***** ****** ** *** (layered ********), ** * ***'* ***** it ** * ******* ***** ** PDK.
**** ** ********* *** ******-******** **********, "checks *** ***" *** * ******** manager *** ***** ** **** **/*** is ********* ****-*********, *** ************ **** the ******** ******** ** ******** *** tech.
* ***** *** ***** ***** ***** a **** *********** ** **** *** may *** ** ***** ** *** intrusion *** * **** ****, ** ever. ** ** ** ******** ****** sensitive *********** *** *** *** ** aware. **** * **** ** **** be ****** ******* *** *** *** can ***** ** *** **** **** accessed ***** ******.
********** *** ****** ****** *** **** actually **** ** ***** ** * duplicated **** ** ****. ********** ********* on *** *** **** *** ****** there ** ** ***** *** ** the *** ****** ******** ** *** non ****** ****. * **** *** seen **** ** ** ****** ************* though.
* *** *** ***** ****. ***********. I **** *** *** *** ******** and **** ** ****.
*****, *** ** ****** **** ** saying **** * ******* ****** ** alerting ********* *** ** ******** ****** is ****** **** *** ****** ** alerting ****** *** ** ******** ******.
*******, ** **** *****'* ********* *********** the ********* ** *** ******** ** much ** *** ********, * ***'* know **** *****.
************: "***, ***** ** * *********** flaw ** **** ******, *** **'** provided ** ***** ** *** ***** know ** **'* **** *********!"
********: "***...*** ***'* *** **** *** the ****? **** ** **** * lot ** *****?"
************: "**...**..."
********: "**, **** ** **** ** really, ****** ********* ** *********, *****?"
************: "*** ** ****..."
** ***********...*****, ***** ** *** *** actually ****** * ********, *** *** fact **** *** ******** ** * whole *** *** ********* **** ** such ** ********** ** ** ***...
********* ** *** ********, ****** ******* is **** ** * ********** ** actual ********. ** **** * ******** that ********* *** ****** *** ****'* want ** **** *** **** ** register *** ** *** ********* ** the **** ** *** ****** ****-***. So **** ********** *** ****** ********** to **** *** **** **** ** an ************ **** *** *********. **** was **** **** * ****** *** and *** ******* ***** ****'* ******* even ***** **'** ********* **** ***** it ** ******** ********* ******** **** to *** *** *****.
***** !! ** ****** ** *** still * ****** ** ******* ****** on ****** *******. ***** **** * one-down-man-ship ******** ** ******** ******** *** we ***'* **** ********* **** * tamper ** *******.
***