Improving Access Control Security

Today in Security: Improving Access Control Security
​In the 1970s, John Wiegand revolutionized access security. For the first time it became economical and more secure to replace lock and key with card readers and lock controllers.

Brandon Arcement and Steve Lucas, from HID Global and Mercury Security respectively, give this little history lesson as part of their webinar earlier this month: How Open Supervised Device Protocol (OSDP) Is Revolutionizing Access Control Systems (webinar is free with registration) presented by Security Management magazine and HID.
What became known as the Wiegand protocol quickly became a standard in physical security access control, long before it officially became a Security Industry Association (SIA) standard in 1996. The problem with security revolutions? They generally inspire bad guy revolutions as well, and that’s certainly true in access control.
As Arcement and Lucas describe, one vulnerability of the card-reader-controller access system lies in the card itself. Criminals learned to pull information easily off the cards. As a result, the security industry has focused a lot of work and energy in making that as hard to do as possible. With technologies like processor chips and RFID tags rather than magnetic bars and strips, stealing information directly from a card became much harder. The bad guys then shifted tactics: if the cards were too hard to crack, could they find vulnerabilities on the other side of the Wiegand protocol, from reader to controller? The answer was yes, yes they could. There are plenty of sites on the Internet that show and even sell kits that enable users with 60 seconds and a screwdriver to swipe the information being sent from reader to controller. Arcement and Lucas demonstrate how and why Wiegand systems are vulnerable in this way, as well as some other limitations of the Wiegand system.​​
Unfortunately, we’ve begun to transition from history lesson to current practice. Much of access control today still uses Wiegand protocols. And while most of them may be too secure for 60 seconds and a screwdriver to exploit – the vulnerabilities are still there. Enter Open Supervised Device Protocol or OSDP. While it’s been around more than a decade and was adopted as an official SIA standard in 2011, it is still very much on the upswing rather than in widespread use. The webinar details how OSDP addresses the vulnerabilities of Wiegand systems and how it enables greater security, as well as provide some tips on making the upgrade.