Limiting or securing access to designated or sensitive areas is an important issue. As such, there is a current focus on technological systems for controlling access to designated areas in both the private and public venues. Such systems must be made highly impervious to attack by those wishing to gain unauthorized access to the secured area.
In access control systems, Radio Frequency Identification Devices (RFIDs) or other security credentials are typically used to store data that uniquely identify a holder of the RFID device or the holder's access authorizations. In order to gain access to an asset, such as a building, room, safe, computer, files, information, etc., a holder presents the RFID device to a reader that reads the data and subsequently transmits the data to a panel, processor, or a host system where a decision is made to either grant access to the subject asset or not. There are also readers that combine the functionality of a panel/host and the physical reader into a single unit that makes the access decision. This type of device is sometimes referred to as a stand-alone reader.
Attention has been focused on the security mechanisms employed by RFID cards to protect and secure the data exchange between the RFID device and the reader. Some of these techniques include the use of cryptography, mutual key authentication, secure channels, and even protection of the chip on the RFID device against physical and electrical attacks. However, little attention has been given to ensuring the integrity of the communications between the reader and its host/control panel as well as insuring the integrity of the reader itself.
A working assumption thus far has been that RFID device readers are trustworthy devices, when in fact this may not be the case. In many building access control applications, a reader is mounted on the unsecured side of a door in a location that is not under continuous scrutiny. In such a case, compromise of a single reader could result in a compromise of RFID device security if any secret information, such as keys, authorization codes and the like, were somehow extracted from the reader.
In addition, without knowing the authenticity of the reader an unauthorized or rogue reader could be used to replace an existing legitimate reader in a security system. This rogue reader can actually be any reader or data reply device capable of outputting data in the same format as the replaced reader.
In the access control industry, one of the most popular communication protocols used between a reader and a panel is the Wiegand protocol. Due to its popularity, the Wiegand protocol has become a de-facto industry standard. It is estimated that the majority of today's access control panels support the Wiegand protocol as the primary method to connect readers to the panel. It should be noted that several companies use their own proprietary communications protocols, but they still support the Wiegand protocol due to its popularity and widespread use. Because of this, a variety of non-RFID machine readable ID readers and other devices have standardized on the Wiegand protocol. Examples of these readers support smart card, proximity, magnetic stripe, bar code, barium ferrite, etc. There are also keypads, biometric devices, wireless Wiegand protocol extenders, protocol converters, and even robots that utilize the Wiegand protocol. The Security Industry Association (SIA) also recognizes the Wiegand protocol as an important standard in the access control industry. The Wiegand protocol has become so important that it has been published as an industry standard.
The Wiegand protocol is essentially a unidirectional protocol that only provides for data transmission from a reader to an upstream device (e.g., a control panel, host, or processor). Although there is a signal sent back from the upstream device to the reader, this signal is essentially a logic signal used to convey status to a cardholder by controlling a reader's LED. A superset of the Wiegand protocol adds additional logic signals to control an audible device in the reader and provides for additional reader LED colors. These are not bi-directional protocols because substantive data is still sent in only one direction. The host cannot give the reader a command. Only simple signals are sent from the host to the reader.
As popular as the Wiegand protocol has become, it has shortcomings. Examples of these shortcomings include the fact that the Wiegand protocol is susceptible to electrical noise, has distance limitations, and only allows data to be sent from a reader to an upstream device. Without bidirectional capabilities, it is very difficult to implement a modern protocol that provides for reader authentication.
Another issues is that the Wiegand protocol allows “party line” connections so that it is very easy to connect one or more additional devices to communication wires to monitor the communications between a card reader and a host in an attempt to harvest data streams to be used to compromise the system. Once a rogue device has been connected to monitor communications between the reader and control panel, an attacker could merely note when the door has been unlocked and flag the most recent data stream as one that will open the door. Then, whenever illicit entry is desired, the attacker could just “replay” that data stream causing the door to unlock. The attacker need not even remove the device from the communication wires because the Wiegand communications utilize an “open collector” electrical interface, which allows both the monitoring of messages and generation of messages from that same connection.
There is typically little stopping an attacker from harvesting one or more valid messages to gain illicit entry using different cardholder's data so that no suspicions are aroused. Accessibility to the Wiegand communications wires is increased by the fact that a reader is typically located on the unsecured side of a wall or door and, because of the nature of access control, may be at a location that is not under continuous observation or scrutiny. Making matters worse, many access control readers do not employ a tamper mechanism so that the removal of a reader to access the internal wiring or even to replace the reader with another compromised reader or illicit Wiegand generating device is undetectable.
There have been some attempts to address the shortcomings of the Wiegand protocol. One example of an extension to the Wiegand protocol is described in U.S. Pat. No. 6,988,203 to Davis et al., the contents of which are hereby incorporated herein by this reference. The '203 patent describes appending additional bits to the Wiegand data stream. This provides supplementary information from the reader to the upstream device as well as a CRC or other type of error detection and/or correction bits covering all of the data in the transmission. The '203 patent further describes transmitting data back to the reader from the upstream device via an LED control line.
Additionally, in PCT Application No. WO 2005/038729 to Merkert, which is herein incorporated by this reference, an access system that includes a signal generator located between a reader and a control panel is described. The reader utilizes a dynamic timing element that ensures a replay attack cannot be used to gain unauthorized access to an asset. The reader stamps any signal sent therefrom with a time stamp indicating when the message was generated. Then the control panel reads the time stamp to ensure that the message is authentic. An attempt to harvest a signal and resubmit that signal again at a later time will result in the control panel determining the signal is invalid. To ensure channel security between system elements, encryption and/or digital signatures are used. Unfortunately, this solution does not overcome most of the Wiegand deficiencies.
For instance, there is no way in the currently existing solutions that allows the control panel to continually monitor each reader in order to verify the fidelity of each reader. Thus, leaving open the possibility of having a valid reader replaced with a rogue reader without the system or system operator becoming aware of such actions.