A presentation made during the 2023 Black Hat Security Conference last August caused a stir in the physical security industry by exposing multiple vulnerabilities and weaknesses of the open standard used for secure communication of physical access control systems (PACS). The talk — titled “Badge of Shame: Breaking Into Secure Facilities With OSDP” — was based on a technical analysis of OSDP’s Secure Channel by researchers from security firm Bishop Fox.
Ars Technica, a digital publication under the Condé Nast umbrella, interviewed two researchers responsible for the analysis and concluded in an article that “OSDP is effectively broken even before it has gained anything near widespread adoption.” OSDP connects card readers and peripherals to controllers so that control panels can verify credentials and then grant or deny access. Because it supports 128-bit AES encryption, smartcard technology, and other advanced functionality, it is generally considered the more secure option for access control installations over the Wiegand protocol, according to Montreal-based Genetec.
Genetec responded to the Badge of Shame report, posting a detailed blog titled “What to do about OSDP vulnerabilities for access control.” It describes that “the physical security industry has been ablaze with questions and concerns about the OSDP protocol. With threat actors ready to capitalize on system weaknesses, organizations need to know the impacts of OSDP vulnerabilities and how to defend against OSDP-related threats.”
Genetec’s blog outlines the top five vulnerabilities that were uncovered by the researchers and describes how security integrators and their end-user customers should harden their systems and hence mitigate the associated risks. The steps are specific to Genetec systems, but also general enough to provide some level of guidance regardless of the system being installed.
“Cybersecurity threats are always evolving. And these OSDP vulnerabilities show how important it is to not only choose the most cyber-secure devices, but also follow recommended best practices to defend against threats,” the blog advises.
Security integrators may not even be aware of all of the threats to the access control systems they sell and install. But even if they are, some may be unaware of how to alleviate the risks. Larger integrators often have their own cybersecurity teams to address these threats. But smaller integrators without IT resources can be proactive too, by educating themselves on remedies they can use to avoid any dire outcomes.
The “Badge of Shame” occurrence, as it’s called, is part of a relatively recent surge in interest in the cybersecurity of PACS, says Mathieu Chevalier, principal security architect and manager at Genetec. He points to two reasons for this. The first is the exposure that physical security systems are getting at information security conferences such as Black Hat and DEF CON. Following the Badge of Shame presentation and Ars Technica’s coverage of it, Chevalier says many of Genetec’s customers reached out to learn if and how they might be impacted — the blog was one way the company responded. He says the technology to defend against the vulnerabilities exposed in the research already exists, but systems need to be configured properly, which is what the blog details.
The second reason for the increased interest is the availability of new hacking tools that are growing in popularity. “They embed the same hacking techniques that we’ve known for a long time, but in more convenient, easy-to-use and cheap fashions,” Chevalier says. “This makes the barrier of entry a lot lower for hacking access control systems.”
Attempts by hackers to gain unauthorized access to a facility using stolen or cloned credential data are among the top cyber threats against PACS, agrees Scott Lindley, general manager of Farpointe Data Inc., San Jose, Calif. “Inexpensive devices are readily available that can be used to conduct skimming, eavesdropping, or relay attacks — all methods of exploiting vulnerabilities in some reader and credential technology,” he says.
When formulating security policies and procedures, “People sometimes talk about physical security and network security as if they’re isolated things, when really there should only be security with a capital S,” suggests Peter Boriskin of ASSA ABLOY Opening Solutions Americas.
Thinking about these things in a siloed way creates a gap, he says. “There’s some dimension that somebody hasn’t thought about, paid attention to, or reviewed — that’s the point where the vulnerability is.”
Boriskin uses the Target hack as an example, citing the retailer’s network, HVAC, and credit card functions. Each of these functions has its own discipline, and those disciplines normally never intersect.
“But it turned out that hackers were able to get onto the network by going after the traditional industrial control/HVAC systems first, and because they were connected to the same network as credit card point of sale terminals, these criminals were able to make that leap — all due to the fact that neither the HVAC nor the credit card side of operations were thinking about the other, which created vulnerability,” Boriskin cautions.
Top Cyber Threats
While PACS are just as vulnerable to cyber-attacks as other IoT-based devices and systems, there are some differences that make them stand out. For one, they may run on the same network as other building infrastructure — power-meter readers, for example — that could be used as an attack vector.
“From an IT perspective … the vulnerability could be due to being out of sight and out of mind and the assumption that PACS are just part of the building, which might lessen the [security] focus on these systems compared to network devices like print servers, web servers, or DNS servers,” says Peter Boriskin, chief technology officer, ASSA ABLOY Opening Solutions Americas, New Haven, CT.
Another unique aspect of PACS is that they almost always include components mounted at the perimeter of a building, Boriskin says. This provides physical access to the products in a way that other types of security systems don’t have.
In addition, a denial-of-service (DoS) attack against a PACS takes on a different level of criticality. If someone is denied access to their video cameras or access control system, it can affect how they get into buildings and do their jobs. The implications are more serious than if someone is denied access to a print server. “So, when it comes to denial of service for physical assets, the stakes are higher,” Boriskin says.
Will Knehr, who has a career in cryptologic warfare — conducting cyber-defense missions for the NSA, CMF, DoN, DoD and DISA — offers a list of top cyber threats to PACS:
- Hacking or unauthorized access: Attackers may exploit vulnerabilities in the system to gain unauthorized access, potentially leading to breaches in physical security. “Physical access control systems tend to be a Linux Kernel with vulnerable software running on top of them, like OpenSSL, Apache or Java that are not often maintained or patched. They are also rife with unsecured services like SSH, HTTP, RTSP, and FTP,” says Knehr, who is senior manager of information assurance and data privacy at i-PRO Americas Inc., Houston.
- Network-based attacks: Because many PACS are connected to networks, they are susceptible to network-based attacks such as DoS or man-in-the-middle (MitM) attacks. “Industrial Internet of Things (IIoT) devices are favorites for hackers to use in DDoS attacks,” he says.
- Malware or ransomware: PACS can be targeted with malware, which can disrupt their functionality or encrypt data for ransom, Knehr says.
Another way to look at threats is to categorize them by their origin. DMP believes cyber-threats generally fall into one of three categories: people, processes/policies, and products.
People could pose an insider threat themselves or be used to conduct a “social engineering attack.” In an insider attack, employees with authorized access may intentionally or unintentionally cause harm through something like data theft, sabotage or negligence that leads to security breaches, explains Dave Roberts, vice president of cybersecurity at DMP, Springfield, MO.
In a social engineering attack, cybercriminals deploy attack techniques to deceive individuals into divulging sensitive information or performing actions that compromise security. “Common techniques include phishing, pretexting, baiting, smishing and even tailgating to physically defeat a PACS,” Roberts says. He stresses the importance of cybersecurity training and awareness programs for employees.
Security policies and procedures that are poorly defined or implemented also can lead to vulnerabilities and potential breaches. Some areas where this might happen are in credential management, system administration, and system auditing. Roberts explains that as cybercriminals get more creative, their attacks are better disguised and can be quite complicated. However, well-defined processes with checks and balances can help thwart these more complicated attacks, he says.
“An example of leveraging a process to help protect against vulnerabilities would be using an Identity Access Management (IAM) platform to automate credential management by synchronizing credential provisioning/deprovisioning and group/access assignments with an IT permissions system or a human resources platform,” Roberts describes.
Finally, defending on-premise systems from cyber-attacks requires expertise and involves a significant amount of risk, liability and costs, he says. “Software applications, operating systems, and hardware devices may contain inherent weaknesses or vulnerabilities,” Roberts says. “If left unpatched or unmitigated, these vulnerabilities may potentially be exploited by attackers. On-premise systems often require the end user to be responsible for managing and protecting software/hardware systems within the PACS.”
Security Integrators Can Be Defenders, Too
That work doesn’t necessarily need to be left to the end user, however. Cybersecurity can be a value-added service offering from security integrators to their clients. Small and medium-sized end users may not have the IT resources that larger enterprises do, so integrators can help them with services such as utility tools, network scans, even penetration tests, says Michael Kobaly, executive vice president of global engineering at AMAG, Hawthorne, CA.
Network scans, in particular, are important because a network is an attack vector for PACS. “If you’re not scanning your network for malicious activity, open ports or things like that — if there’s activity on your network that you’re not aware of, the attackers now have as much time as they need to try to break into your system. So, if you find a risk, patch it up as quickly as possible so you can minimize the impact,” Kobaly warns.
Kobaly echoes others when he cites the top threats to PACS as unauthorized access to the security network, which could be through social engineering or bad password management; credential theft; and exploiting the software.
These top threats also align closely with those of Sean Peterson, director, product marketing and support at Aiphone, Redmond, Wash. “I think something as simple as exploiting weak passwords, conducting credential phishing attacks, or intercepting and tampering with access cards or badges are three easy ones — but also potentially the most common,” Peterson acknowledges.
“Social engineering is the way that most systems are being attacked these days,” Kobaly explains. “People fall for phishing links or other links in their phone or emails, and they click on a link and download something; they don’t even realize that they’re compromising the machine. You have to really educate the end users as much as possible.”
Integrators, working in concert with their end-user customers, need to implement a solid password management policy that includes unique user accounts, two-factor authentication, and single sign-on — different methodologies to make sure that each user is protected, he advises. Having employees, such as a receptionist, who share a single password is a really bad practice, he says.
And finally, the practice of updating software should be well-managed. “If you’re not updating your software regularly, there could be exploits there that people aren’t paying attention to,” Kobaly says, adding that there is a tendency for end users to stay on a prior version when it’s working well. Updating the Windows operating system is equally important. “That’s where the vulnerabilities are,” Kobaly adds. “So, if a customer is running [AMAG’s] Symmetry version 8 from eight years ago, on a Windows 2012 machine that hasn’t been patched in a while, there could be attack surfaces there if you don’t patch those machines.”
Some manufacturers are putting their products through penetration testing, which reveals any weaknesses in a device that could expose information that is supposed to stay protected. Pen-testing ensures that products such as card readers and keypads are properly defending the information they contain.
Pen-testing involves intentionally performing a cyber-attack on a device to uncover vulnerabilities and provide guidance on strengthening the device against real-world cyber-attacks, says Scott Lindley at Farpointe Data.
As part of its ongoing commitment to ensuring the security of its systems and data, Farpointe last year conducted a penetration test of its CONEKT line of mobile-ready readers. Results of the CONEKT test revealed no significant vulnerabilities, Lindley says.
“We do pen tests internally ourselves. We also have a third-party auditor do it once a year, just to see what they can find,” says Michael Kobaly at AMAG.
Penetration testing, commonly known as ethical hacking, simulates a cyberattack on a system or product. Pen-testing should be carried out by an independent cybersecurity professional. A comprehensive report outlining the findings is then furnished, aiding manufacturers in recognizing the effectiveness of their product’s defenses and identifying vulnerabilities that may be exploited.
While there is no universally approved standard for pen-testing, the cybersecurity industry adheres to various accepted methodologies grounded in best practices.
Tactics & Tools for Defending PACS
There are several other tactics and tools that security integrators can use to address potential threats to PACS and improve their security posture. Some are essentially the same as those used for other systems.
First, Boriskin says, there must be solid barriers put up between PACS and the internet, such as:
- robust firewalling;
- vetted and valid network access control lists;
- virtual private networks (VPNs); and
- nimble, constant patch control so updates and patching are occurring as soon as they’re available, including antivirus protection.
“All these things must be done routinely. Are you doing red team or purple team assessments of the system? It’s often the end user in concert with the integrator who makes this happen,” he says.
Boriskin also believes that good penetration testing is a must. If the security integrator doesn’t have the knowledge and expertise to do it themselves, then they can align with a cybersecurity or penetration testing firm that does.
“Not only does the integrator have the capacity to offer a very valuable additional service, but they have a mechanism for auditing where vulnerabilities may exist or how well systems are protected,” he says. Integrators are increasingly going in this direction; it’s an important capability/service to have in their quiver, he believes.
Chevalier emphasizes system configuration. As Genetec’s OSDP blog demonstrates, secure configuration of a PACS is foundational to cybersecurity. Systems must follow manufacturers’ recommendations, such as those provided in a hardening guide. And a hardening guide often provides the fundamental base of best practices for integrators, end users or both.
In addition to observing a hardening guide, your manufacturer may offer other tools. Genetec, for example, has a Security Score dashboard widget that helps users measure their system’s security level and build a plan to increase it, Chevalier says. “It automatically tracks the security of your system in real time and provides you with a clear assessment of where you stand,” he explains. “It is a dynamic hardening tool that lays out guidelines and then monitors whether the different elements of your system comply. Based on your compliance with the criteria, the widget gives you a score so that you know how secure your whole system is at all times.”
As a trusted advisor on security matters, integrators can take several important steps before the PACS is even installed. First, they can look for alternatives to older, less-secure technology, Lindley says. For example, 13.56 MHz contactless smartcards offer increased security over 125 kHz proximity by employing 128-bit encryption to card/reader transactions. Additionally, as an advanced communication protocol, OSDP offers a host of security enhancements over the legacy Wiegand protocol, he says.
Lindley also advises integrators to recommend to their clients that security-sensitive networks (such as PACS) be isolated from other, less-secure systems. “That way, the PACS is not vulnerable if a hacker is able to exploit a weak point on another network,” he says. They also should recommend and implement multi-factor authentication processes, as Kobaly also notes.
Using firewalls and segregating the PACS network can limit the spread of network-based attacks, Knehr agrees. “Enable and configure 802.1, lock down firewalls, create VLANs and enable segmentation, and ensure router and firewall ACLs are tight,” he advises. Finally, implementing advanced malware detection and prevention tools can help protect against malware or ransomware, Knehr says. He recommends tools such as IDS, IPS and SIEM.
In addition to software updates, Kobaly reminds integrators to not overlook any firmware upgrades that also might be required.
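The hardening guidance collected above (Boriskin’s barriers, Kobaly’s account and patching advice, Knehr’s segmentation and service list, and the score-style dashboard Chevalier describes) can be turned into a repeatable audit. The following is an added example, not code from Genetec or any vendor named here: it scores a constructed PACS inventory against those checks, with device names, VLANs and dates invented for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Plaintext management services from Knehr's list; SSH is on his list too but
# is encrypted, so this check targets protocols that expose credentials on the wire.
PLAINTEXT_SERVICES = {"ftp", "http", "rtsp", "telnet"}

@dataclass
class Device:
    name: str
    role: str                               # "reader", "controller" or "server"
    vlan: str
    last_patched: date                      # software or firmware update date
    services: set = field(default_factory=set)   # listening services
    reader_protocol: str = ""               # "osdp" or "wiegand" (readers only)
    shared_account: bool = False            # one login shared by several staff
    mfa: bool = False

def audit(devices, corporate_vlan, today, max_patch_age_days=90):
    """Return (score, findings): percentage of passed checks and one
    human-readable finding per failed check."""
    findings, checks = [], 0
    for d in devices:
        checks += 1                                         # plaintext services
        exposed = sorted(d.services & PLAINTEXT_SERVICES)
        if exposed:
            findings.append(f"{d.name}: plaintext services {exposed}")
        checks += 1                                         # patch currency
        age = (today - d.last_patched).days
        if age > max_patch_age_days:
            findings.append(f"{d.name}: not patched for {age} days")
        checks += 1                                         # segmentation
        if d.vlan == corporate_vlan:
            findings.append(f"{d.name}: on corporate VLAN {d.vlan!r}")
        if d.role == "reader":                              # OSDP over Wiegand
            checks += 1
            if d.reader_protocol != "osdp":
                findings.append(f"{d.name}: legacy {d.reader_protocol} wiring")
        else:                                               # account hygiene
            checks += 1
            if d.shared_account or not d.mfa:
                findings.append(f"{d.name}: shared account or no MFA")
    score = round(100 * (checks - len(findings)) / checks) if checks else 100
    return score, findings

# Constructed sample site (not real devices): two readers, a door controller
# and the head-end server that was left on the corporate VLAN.
SAMPLE_DEVICES = [
    Device("lobby-reader", "reader", "pacs", date(2023, 11, 1), reader_protocol="wiegand"),
    Device("dock-reader", "reader", "pacs", date(2023, 11, 1), reader_protocol="osdp"),
    Device("ctrl-01", "controller", "pacs", date(2022, 6, 15), {"ssh", "https", "ftp"}, mfa=True),
    Device("head-end", "server", "corp", date(2023, 10, 20), {"https", "rdp"}, shared_account=True),
]

def sample_audit():
    return audit(SAMPLE_DEVICES, corporate_vlan="corp", today=date(2024, 1, 15))

if __name__ == "__main__":
    score, findings = sample_audit()
    print(f"hardening score: {score}%")
    for line in findings:
        print(" -", line)
```

The 90-day patch window and the equal weighting of checks are assumptions; a real program would take both from the manufacturer’s hardening guide.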
When it comes to the three categories of potential threats DMP outlined — people, processes/policies, and products — action is required in all three areas, says Troy Riedell, director of cloud access control at DMP.
Managing people as a source of threats involves implementing comprehensive security awareness programs, training employees on cybersecurity best practices, conducting simulated phishing exercises, and fostering a security-conscious culture within the organization, Riedell says.
“The most important best practice for end users is educating their employees on risks associated with compromised credentials. According to the 2023 Verizon Data Breach Investigations Report, 74 percent of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials or social engineering,” Riedell says.
Treat cybersecurity for a PACS just like you would treat any other device or service, Peterson recommends. For example, “have strong authentication methods, audit your PACS like you would any other network solution, and keep your user base educated and trained. Involve the end user’s network security team as early as possible and assure them that many of the measures they take to keep their network … safe can be utilized when securing PACS.”
Peterson says simple measures go a long way toward mitigating the most common malicious intent. “Use strong passwords, implement strong users and credentials management while auditing often, and have strong network security discipline across the entire network,” he says.
Roberts at DMP adds a reminder that good cyber hygiene requires a team effort encompassing the manufacturer, security integrator and end user.