CSG Access Control System

Is Outdated Access Control a Disaster Waiting to Happen?

Are outdated access control systems a disaster waiting to happen? Well, the short answer is yes.

Today’s access control systems handle pretty much everything — from visitor management to data analysis. They integrate with other business systems, offering both security and convenience in one neatly personalised package.

So, what’s the problem?

The problem with connectivity

The first problem is connectivity. Organisations often rely on an integrated mishmash of new and old systems. Once a cybercriminal has breached the weakest link — the legacy access control system — they can easily gain access to every other connected system.

Freely at large in your network, cybercriminals can not only cripple business operations by sabotaging air conditioning, lifts, heating and ventilation, but also disable security systems and, while there, take a good look at every piece of confidential data they can find.

Physical security risks

The second problem is physical security. Old-fashioned access control systems are shockingly vulnerable to cloning, interception, mimicking and other forms of attack. Put simply, they make it easy for criminals to walk through the front door.

Forewarned is forearmed so, in this next section, we’ll look at some of the most common methods of attack used by cybercriminals.

Cloning

Cloning, sometimes known as skimming, exploits the vulnerability of proximity devices such as fobs and access cards. Criminals use readers to copy the code transmitted from the device, then use this information to clone it.

This is disturbingly easy to do. Firstly, the readers used for the attack are cheap and easy to buy. Secondly, many organisations are using proximity technology which is more than 50 years old. The communication protocols used in this technology may have been cutting-edge in the 1970s — but they are no longer fit for purpose. There is no encryption in place.

Tapping

Tapping is where cybercriminals intercept the data transmitted between an access control device and its controller in order to steal credentials. As an example, this could be the data transmitted between a card reader and a central server.

In effect, it’s wire tapping — and once again, it’s shockingly easy for a criminal to gain access in this way. They simply remove the reader from the wall and attach a low-cost, readily available monitoring device. Once the device is set up, criminals can log and replay card readings at will.

Mimicking, or relay attacks

Mimicking is also known as a relay attack. If your car has been keylessly stolen within the last 10-odd years, you might be familiar with the term. You’ve probably been the victim of it.

Relay attacks typically involve two criminals working in tandem. Attacker 1 positions themselves close to, say, an access fob, and uses a transmitting device to capture and send the fob’s low-frequency signal to attacker 2.

Attacker 2 is positioned near the target system and re-broadcasts the captured signal to the fob reader. Because it mimics the signal from the genuine fob, the reader is tricked into allowing access.

How to solve the problem

Those are just some of the attack methods for outdated access control systems. There are several more and, as we write this, criminals are undoubtedly coming up with new ideas. The question is, how do you solve the problem?

We’d recommend starting with a professional risk assessment. Once you’re aware of the current threats and vulnerabilities, you’ll know which systems need updating or replacing and, equally important, which ones don’t.

If you’d like us to carry out a risk assessment for you, we’d be happy to do so. Get in touch with the CSG team and we’ll book it in.

Review old proximity systems

In light of their obvious risks, it’s definitely worth reviewing legacy proximity access control systems — particularly key fobs and cards.

These systems may be using outdated, one-way, unencrypted Wiegand communication protocols. Given that Wiegand was invented in 1974, it’s laughably easy for criminals to intercept or copy the codes. Moreover, if cybercriminals steal the means of access, the system’s one-way communication protocols leave you in the dark. You won’t know that it’s happened.

By contrast, modern systems use encrypted bi-directional communication. This makes life harder for cybercriminals and, if there’s an attempt at tampering, the system can issue an alert. It allows your security staff to take action before the situation escalates.
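
To make the contrast concrete for a risk assessment, the sketch below (an added example, not CSG's or any vendor's code) decodes the common 26-bit Wiegand frame, whose only protection is two parity bits, and sets it beside a hypothetical two-way exchange in which the controller issues a fresh challenge for every read. The Controller class, reader_tag helper, key and card values are all constructed for illustration, and the exchange covers only the authentication and freshness side of "encrypted bi-directional communication", not the encryption itself.

```python
import hashlib
import hmac
import secrets

def encode_wiegand26(facility, card):  # builds constructed sample frames
    body = f"{facility:08b}{card:016b}"
    lead = str(body[:12].count("1") % 2)         # even parity, first 13 bits
    trail = str((body[12:].count("1") + 1) % 2)  # odd parity, last 13 bits
    return lead + body + trail

def decode_wiegand26(bits):
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    parity_ok = bits[:13].count("1") % 2 == 0 and bits[13:].count("1") % 2 == 1
    return {"facility": int(bits[1:9], 2), "card": int(bits[9:25], 2), "parity_ok": parity_ok}

def legacy_accepts(frame, allowed):  # parity + lookup: nothing proves freshness
    d = decode_wiegand26(frame)
    return d["parity_ok"] and (d["facility"], d["card"]) in allowed

def reader_tag(key, nonce, frame):  # reader's reply to the controller's challenge
    return hmac.new(key, nonce + frame.encode(), hashlib.sha256).digest()

class Controller:  # hypothetical bi-directional controller
    def __init__(self, key, allowed):
        self.key, self.allowed = key, allowed
        self.pending, self.alerts = None, []

    def challenge(self):
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, frame, tag):
        nonce, self.pending = self.pending, None  # each nonce is single-use
        if nonce is None or not hmac.compare_digest(tag, reader_tag(self.key, nonce, frame)):
            self.alerts.append("unauthenticated or replayed reader message")
            return False
        return legacy_accepts(frame, self.allowed)

def demo():
    key, allowed = secrets.token_bytes(32), {(42, 1337)}  # constructed key and card
    frame = encode_wiegand26(42, 1337)
    ctl = Controller(key, allowed)
    tag = reader_tag(key, ctl.challenge(), frame)
    first = ctl.verify(frame, tag)           # genuine read
    ctl.challenge()                          # new nonce for the next read
    replay = ctl.verify(frame, tag)          # same message sent a second time
    legacy = [legacy_accepts(frame, allowed) for _ in range(2)]  # same frame twice
    return {"legacy": legacy, "first": first, "replay": replay, "alerts": ctl.alerts}
```

The legacy check accepts the identical frame every time and records nothing, whereas the challenge-based controller rejects the repeated message and logs an alert for security staff.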

Plan the upgrade strategically

The best way to upgrade an outdated access control system is to plan it strategically. Do you need a full replacement, or would a retrofit solution work better?

The right solution will vary from one business to another depending on the operational logistics, vulnerabilities and overall security goals. For example, you might want to switch to a cloud-based system for flexibility, and adopt systems such as smartphone access or biometrics.

Typically, a phased approach to installation is less disruptive than replacing everything at once. Do seek professional advice, and always make sure that certified technicians carry out the physical installation.

Carry out firmware updates

Access control systems need regular firmware updates. The longer they go without them, the more vulnerable they become to cyberattacks.

Firmware updates fix bugs and patch any vulnerabilities which could put your security at risk. They improve usability and guard against emerging threats by introducing new features. Regular updates also make sure the system remains compatible with other hardware or software — smartphone credentials or video surveillance systems, for example.

Modern systems usually receive these updates as part of the software maintenance agreement. Unfortunately, that’s not necessarily true of legacy systems. Because many of them are no longer supported by the manufacturer, they may not have received an update in years.

Conclusion

Security protocols are only as strong as the weakest link. If that weakness lies with access control, the whole business becomes vulnerable — from opening the front door to criminals to revealing personal, financial and customer data stored internally.

As cybercriminals search for new ways to gain access, legacy systems simply aren’t strong enough to provide a defence.

To book a risk assessment and receive advice on robust, modern access control options, please get in touch with the CSG team. We’d be happy to help.
