The Insecure Verkada Access Control System
While Verkada touts the security of its system and how its new door controller was "built from the ground up", one particularly surprising and insecure element is its dependence on Wiegand and its lack of OSDP.
Inside this note, the company answers why they made the choice and we examine how Wiegand represents a risk that most Verkada competitors have taken steps to mitigate.
[Update June 30, 2020 - Verkada tells IPVM they now plan to support 3rd party readers via OSDP "over the next 3-4 months."]
Verkada ****** ******** *******
*******'***** ************** ***** ***** *** ***** ******* are ********* *** *******:
******* ** *********** *** **************, ********* in *** *****. **** ****** ********* now ***** *********, *** (*************) *********************** ** *** ***-*****.
**** ***** *****-***** ****** ********* ******* OSDP. *** *******, ******, *****, *** Feenics ******* ****, ** **** ******* and *******.
Points ** *** **** ***** ** *************
******* ********* ** **** ****** **** chose ** ***** ******* ** ******** Wiegand ***** ** ****** ***:
*****, ** ******* ******* ** **** is *** **** ****** ******** **'** seen ** *** *****.
**** ***** *** ******** ***** ** 'secure' **** ** *** ******, ******* to** **** ******:
** *****'* **** *********** ******** ** OSDP (**** ** *****:*****://****.***/
*******/****-**) *** *** ******** ** ******* 3rd ***** **** *** * ******** update ** *** ****** ***** ** customer ******.
****** **** ***** ******** ********** ******** hardware *********, *** ** ******* ***** requires ******* **** **** * '******** update', ** ******** ********* *** ******* to **** ** * ******** ******.
OSDP **** ** ****-******** ******
***** ******* ****** ** *** ******* OSDP ***, *** ******** ** ****************** used **** ********** **** ********** *** high-security ********** *********.
** ********** ******* *** *** ****, many ** *******'* ******** ********* **** not ** **** ** ******** ** use *** *******'* ****** ******.
Wiegand ******* ****
*******'* *******-**** ******* ******** ** *********** to ***** *** **** **** *********** using ********** *** *********** ******* *******.
**** *******, *** **** ******* *** reader *** ********** ** *** ********* and '***-**-***-******' ************ ******* *** **** to *******.
** ******* ~$** ******,*** ******, ************ ***** ***** ** *******, can ** **** **** *** ******/********* side ** *** ****, *** ** undetectable ** *** ****** *** ****** managers.
*** *********** ******* **** *** **** be **** ** ****** ********* ****** of ***** ***** ** ** ****** stolen ********** **** ***** **** ******, bypassing ******* ********.
*** ***** ***** ***** *** ***** skimmers *** ********* *********:
******* ******** *** **** *** *********** to ***, **** **** **************** ~$** - $** ******.
Verkada's **** ******* ** ******* ****** *******
****$** ******* ******* ****** ** ******* 2020, *** ******* *** ***** ********* to ******* **** ******* ** *** access ****.
***** *** '***-***' ********** ****** ** not * *******-******* *******, *** ******* has ******* ******* *********** *** ******* development ** *** *******, *** ** OSDP ******* ********* * **** ** market ***********, *** * ******* ** constrained *********.
Fundamentally, ******* ** * ************* ****
******* ******** *** ******** ** ***** offerings, ******* ** '*******-******** ** **** **** **** ****** and ****'.
****** ** *** *******'* '************* **********' *****, ******* ***** ***** ********** to ********, ******** * ******** ** 'Removing ******** ***************'. *******, ******** **** support ****** ********* **** * **** documented *** ******** *************.
Verkada, *** ****
** ******* ** ** ***** ********* to ************* ** **** *****, *** company ****** *********** **** ******* *** add **** *******.
UPDATE, ******* ** *** **** *** ***** *******
***, ******* **** **** "****** ** roll *** ******* *** *** ***** OSDP ******* **** *** **** *-* months." **** **** ****** **** ******* on ***** **** ********, ****** *****:
1. OSDP *******: We have built the hardware to support OSDP (we have a 4-wire input next to the 6-wire input for Wiegand, designed for OSDP readers). To be clear about what we support initially, we informed you and our partners that we do not support OSDP in the first version of the product. We have always planned to launch OSDP for all devices (third party devices and a potential Verkada reader) in the near future.
** *** **** **** ** **** - *** *** **** ****** ** the ******** ***** ** **** *** developers ** ***. ** **** ***** in **** ******* **** *** *******. In *** ******* ********** ** ****, you'll ****** * *-**** ***** ***** beside *** *-**** ***** *** *******. That ** ******** *** **** *******. We *** ********* ** ***** ****** protocols, ** *** **** ********* *** a *****-***** ******** ****** **** ******** access ******* *** ***** *** ****-**** verification ** ****.
*'* **** ***'** ***** **** ******** of *** ************ - **** ****** ones, ***** **** ******. *** **** majority ** ********* **** ******** ******* infrastructure, *** ********** ***** **** **** Wiegand ************** ** ****. ******* ** this, ** **** **** * ********* decision ** ******* **** ******* *** OSDP *********. **** ** **-******* ** purchasing ***-*** ******* ** ***** ****** not ** *** ****** - *** we ***'* ***** **** ****** ******* folks **** ********** **** ********** ********! For **** ** *** *********, ** are **** ** **** ***** ******** access ************** **** ****** *** ****** resistant. *** ******* ******* ************ **** the ****** *** *****, ******* *** person *** ****** ******** ************ ** can ****** ******** ***** ***** *** tampering ****** *** ***** ** **** a ****** ** ******** *** **** identified. ** **** **** *** ********** analysis ** ***** ****** ************* ****** as *** ******** ** *** ******* lines ****** * ******** ****** ****** would ** **** ******* *** ********* through ******* *******.
***** *** *** *** **** **** at ***************. * **** ** **** easier ** *** **** *** *** interface **** **-** *** ** **** not ******* * *******.
* **** ***, ******* ** *** mirror ******* *** *** **** ** me * ******** ** * ***** really *** **** ** ****** * vulnerable ****.
** ****** ****** ** *** *** dark ****** ** ** *** ********* scrub ******* *************.
*** ********* ** *** **** ****** are *** *********. *** ******* ** the **** *** ***** ******** ****** are *** *********. ** **** * reader ** * ******* ** * perimeter **** ** *** ******** ********?
****: * ****** **** ****** ***** up ** *** ********, ******** *** reader ** *** ***** **** *** then ******** ** **** *** ****** world. ****** ******.
********? *********...*** *** *** **** ******** this *******?? ** *** **** * comment ****** **? ** ** *** REPLY ****** ** *****. ****** **** all *** ********** ***** ** **** been ***** **** ** ** ***** group ** ****** ******* ***** **** actually ******** *** ****.
**???? ****** ****? ***! ** *** implementation ****? ******* *** *** ****** you **** ** ** ****! ***...***** layers.
***** ** *** ******* ** *********. Somewhat **** *** ******** *******. ******* to ****, *** **** ********* ******** forum ********* ** **** ***********, **** YOU.
**** ** *** **** ****?
******* ****** ** * **** ******* and ******* **** ********** *** **** never **** *********** * ********** **** technology ********** **** ***** ***** **********. Yes * ****** ** **** ***** minute(no *** *********)..** * *** **** upside. ******* *** **** ******* ** market * ********** ******** ********** **** defaults **** ****** ********* ********* ** the ****** ***** ** *** ****** security ** ***.
****** **** ****** ****** *** **** forthright *** *** **** **** ********* on ***** **********. ****! ********! ** NOT ****** *** **** ** ****** of *******.
******* **** ******* ** **** *** pressure ** *** ***** *****, ******* thermal ****** ******* ***** *** **** new ***** ******* ** **** ***** chops **** ***** **** ** ******** angst.
*** ****** ** **** ***** ** nigh, ***** *....*****!!!!!
********.
**** ** * ****** ******* *** I ** ************ *** *** ********* at ***. **** *** **** ** money **** ****** **** *** ******* capable ** ***** ******. **** ************ of *** *** ********** ** ******* was ****** **** *** ** ***** you ****** **** **** *** *** skip **** ** *** ** ******?
*** ***, **** ********** ** *****-***** with ** ******* ************. ********* ** employee, *** **** *** ** ****** issues? **** **** ** ******* ******.
************, *** **** ** *** */* ports **** * *** ** ******** on *****-***** ******. ***** *********, **** release *******, **** *********, *********.
*'* ** ******* ** **** * response **** *** ****** *** *********. Why **** *********, ** **** ***** they ********* ****.
*** *** ** ****, ******. *'* curious ** *** ** **'* * disagreement **** *******, * ***** **********, or *********.
****'** ****** *** ******** ** *** attention, *** **** ****** ******* ******* is... *** ** ** *** ****...
****.
***...*** ** ****. **** **** ** 'epic ****' ** **. **** ****** (US)$80 *** ?*** ******** ***** ***** for **** **** ** ***** ****** in. **** ** *******, *** *****'** done ****** **** ****!
**** ***** ***** ** ***** *** any *** ***** **** *****'* ****** on *** *** **** *** **** end ******. ** **** *** ** down **** ****** ********* **** ****'* going ** ** ******* ******* ******* they **** ** **** ** *** cloud ** **** **** ********** ***.
******* ***** ** **** ****** *****. The ****** ** ****-***** *** ************ beyond * **** ******* *************.
***** ** *** "***** *** ********" option :)
*** **** **** *** **** ******** to ******** ** **** ** ** is ** *** **** ******* ******* as *** ****** (********) *** *** using. * **** *** **** ********* in *** ****** *** **** **** using ** *** ***** * ****. While * ** **** ***** **** be **** ** ***** *** ** any ***** *** *******, ************* ******* is ***** ** *** ****.
******, ** #** - **** ******* from **** * ******* **** ****.
*** *** ******* ** *** *** add/remove *********** ** ****** ****** ******* internet ************?
******* ******* (**** **) **** *****:
********: ** *** ******* ****?
********: ****, ** ******* ******* **** for *** *** ******* **'** ** extending **** ******* *** *** ***** readers **** *** ****
(****** *****, *** *** ***** **********)
*** '*' ** **** ****** *** 'Open', ***** ***** ** ** ************* and *** *********** ** **** ******* readers.
** *** (*** **********) ******* ****** does *** ****, **** **** ***** the ********** **** ******* ***** *** party **** ******* ** ****, ** the '********* **** *** ****' ********* contradicts *** *****.
** ** ***** ? **** ***** doesn’t ***. ****** ******* *****’* **** UL *******.
*** ***** *** * ****. ***** massive ********** *** ***** **** ** understanding ******/******** ******** *** *** ******.
******* ** ** **** **** **** pushing ***** ******* ******* **** ********* chips *** ******* **** *** **** cybersecure ******** ** *** ******.
**** **** ** ***** ** *-* years **** **** *** ***** **** underneath ****. ** ***** ** **** will ** ****-*** ** ****.
*** ******* ******** ****** ******* ******* this **** *** * ******** **** and ******* **** * **** ***** Sales *****. * ******* ***** ** minutes ***** *** **** *** ** talk ***** *** ***** **** ***, how **** ********* **** **** *** how **** ****** ****** ** *** the *******.
**** * **** **** ** *** include **** ******* *** *** ****, I *** **** **** ****** **** still **** ******* ** ** ***** the **** ** *****-*******.
#***************
* ***** ** *** ******* "**** car *****" **** ** *******. ***** frankly * *** ******* ********* ** it. *******, ********** ****** ***** ****** wise, ********** **** *** **** *** polished, **** *** * ******** ******** and ** *** *** *** **** any ****** ** ***** ** **** to ** ****** **.
** *** **** * ***** ** the ******** **** ***** **** ****** and ******* ** *** *** **** thing ***** ****** ***** **** ****** they **** ******* ***** ****** ** first ***** ****** ***** **.....
***** * ***'* ******** **** ******** anyone *** **** ***** ****, ** aren't ******* ***** ****** ********.
*** ** *** ***** ****? *** do ******** ******* ********* ****? ** they **** **** **** **** **? Do **** ****? **** ******, *** that's *** *** ********.
*** ****** **** ** ******* ******** asset **** *** ** ***** ********* on ** ******** ********** ** ******* is ** **** *** ********** ** enterprise ********** **** * ******** *** reliability **********.
******* ****** **** * *********** ***** system **** **** *** ******* ******** would ** * ****** **** ** swallow; ********** ** *** ***** ***** they *** ********. ****** *** ** the **** **** ******* *** * bad ****.
**** **** **** **** *** ********* not ** *** **** ********, **** have **** **** *** * **** time ** **** ******* ***** *********** who ***** ********* * ****** ** their **** *** *** ******* ***** they *** ****** ****** *** ****** rookie ******** *** ***** ** ******** security ****** ** *** *******, *** all **** **** ** ** ** sell, ****, ****. **** *** ** their ***** **** ** *** ****, the **** *** **** **** *** changes ** ** ******* ***** *** says "*'* ***** ** ******** * amount ** ******* *** **********, * want **** ******* ** **". ************* for ****, **** ***'* ********** **** they *** ******* *********** *** **** in *** ******** ********, *** ****** their *** ******* *** *** *** looking ** ********* *********. **** **** to **** ******** **** **** *** a ******** ******* *** **** **** a ******** ********...............***** *** *** **** will *** *** ***** **** *** security ******** ** * ***** ********* animal..
**** ***'* ********** **** **** *** loosing *********** *** **** ** *** security ********, *** ****** ***** *** dealers *** *** *** ******* ** different *********.
***** **** ** ********** *** ***'* care ******* **** *** ***** ****** money. ***** *** ***** ***** ******* is ****'** ********* **** *** "***********" members ** *** ******** ********, ***** has **** ********* *** ****** *** haven't **** ***** ** **. **** and **** *** ******** ****** *** being *** ** ****** ** ********. Mostly ** ******. *** ** ***** and ******** ***** ****** ** ****** tight, *** **** *** ** ****** different. ** **** ************, ****** ** do *** **** *****, **** ** different ******* ** *** ********. *** so **** *** **** **** *****, even ***********.
*'** ****** **** ******* ** **** typical ** *******. ********* ** ****** seem ** ****, ** ******* ** the **** **** ******** ** **** sales *** *****. ** ****** ***'* always ***** ********. **** ****** ***** threat *** ** ******* ** * firewall ****, ** **** ************. * am ************ * ***, *** * am ****** *** **** *** ***. The ****** ** ** ****** *'** seen ** ** *** **** ****** prop ***** ****, *** ****** **** rooms ******* ********, **** ***** *** critical ************** ***** (**** *******/*****).
******** **** ***** ** ** ******* Verkada, *** *'* *** *** ** say **** ****'* ** *****, *** I ***'* ***** *** ***** ****** land ****** ** ****. ** ** the ******** ******** **** ***** ***** the ******** ** ******* *** * long ****. *** ** **** ***** continue ** **** **.
** **** ****** ** **** ********* we *** ****** **** ******* ******* we *** ****, *** *** ****'* survey **** ** ***'*. ** ** we **** ******* ** *** ******, maybe ** **** ** *** ****** first. ******* ******. ******* ********* ******* you **** *** * **** *** of ** ** ***. **** *** results **** * ** ******, **** of ****** *** **** ******* **, but **** *** ** ******* ** customers ***'* **** ** *** *** extra *** ****. ** ** ***'** already ***** **** **** **** *** customers, *** ***** ******* ** *** different?
* *** ****** ****-******* **** **** first ****** **. ***** ****** *** a **** ***, *** ******** ** see * *** ** ********* **** people ******* **** ***. ***** * bit ** ********, * ***'* ****.
*** ******** ******** ***** ******** ** folks ***** **** * *** **** credibility ** **** ** ******* ** readers ** *** ***** **** * simple ****** ****** ** ******** *** BLE ******. * ***** *** ****** will ** **** ******** ** *** reader. ****** ** *** *****. ******** down-time ******* ** *** ****** ** opposed ** *** **** **********.
***
* ******** *****. *** ****** **** is **** ** *** ****** ***** the ******** ** *** ******, **** the ******* ***** (*****) **** **** typically ** ** *** ******. ** that ** ** **** **** **** the ****** *** *** **** & you **** ****** ****** ** *** lock ***** & **** *** **** the ****.
@**** -- ***** *** ****** ** systems **** ***** ****** ***** ******* so *** ***** ** *** ** the *********** ******. ****** ***** ********* is * ***** **** ****** ** you *** ***** ** ****** **** from *** **** **** *** ********* wiring ** **** *****.
**** ***** ****, ***** *** **** cases **** **** *** *********** ******, some **** *** **********. **** ** to *** * ******** ****** **** supports **** ************ *******.
**** ** ****, ** **** **** them, ******* ** ** **** ******* bit ** **** **** **** ** mounted *******. * ********* **** ***** get ******* ** *** **** ****** behind *** ******, **** **** ** pull *** *** **** ***. **** in ******* *** ****** ****** *** NOT ********* **** *** ******* ****** to *** ***** ******. **** ********* just **** ** '****' *******.
**** ****.. **** *** * ************ to **** ****** *************. *** *** what **'* ***** ** ******* *** previous **** **** ********* ************* ** the ****** *****, ********* * ******'* call ** ****** ****** :)
**** ** *** **** ** *** Industry ****? ********* ** ******* ** are *** "*********"!!
* ***** *** ***** **** ** lost **** ** **** *******'* ******** and ****** ********* ** *** **** most **********'* **** *** ******* *** how ** **** **. **** ** the *********** ***** *** ***** ** is *********. **** *** ********* **** customers ********. ******* *****'* **** ** need **********'* ***********, **** **** ********** and **** ** * *** **********. I **** ** *** ** ** suck ** ** ******** ** *******. They ********* **** ** * *** deficiency *** *** ********** **.
**** **** ******* *** ******** *** they **** **** **** ******* **** do *** ******. ***** **** **** one *** ****** ** ****** *** brand **** *** *** ***** ** listen ** ** "*********". *** **** would ** ****** ***** ******* *** traditional ************* ******** ** *** ***** asses ** **** *** *** ** products ** *** ******* **** ** a ******* *******, ********* ** **** all ** ********** *** *******...** ****** or ******.
**** ****** ****** * ********** ***. It's * ***** **** *** ********* to ***** **** **** ****** ******* have ******, ***** **** *** ******* adapt. **** ********* ** *********** ***** R&D.
* ****** ** '** ***** ****** when * ******** **** **** *** wave ** *** ****** ** ******* with *** ******** *****. * ***** it *** ** *** *** ******* flaw, * * ***** ********* ************.
*** **** **** *** '** ****** had * * ***** *** *** rest ** *******.
***'* ******* **** *** *********. ***** guys *** ***** *** ****. ***** access ******* ************ ***** *** ********** and **** *** ***** ***** *** game - ****, ********* *** *** Motorola.
*****'* ***** * **** ***** **** through *** *********** ******* **** * lot ** ********* *** **** ******* folks *** **** *** ** *** to ************* *** ***********.
****** ** **** *** **********. **** anyone **** ***** *** *** *** one ** *****?