Whitepaper: Access Control System Technology Overview for 2019
The Vast Majority of Installed Access Systems in North America Lack Modern Security Measures Between Cards, Readers, and Access Panels
Most access control systems dealers and end users are familiar with proximity cards, card readers and Wiegand access control panels. These commercial security systems and components have been the preferred industry standard since the mid 1990’s when they started to displace proprietary panels and old card technologies like mag stripe and barium ferrite. Integrators and end users were fascinated by these new readers that “beeped” when you held a “prox” card “near” or in “proximity” to a reader. Proximity (RFID) technology became cool and its access control use grew like wildfire.
Beginning in the early to mid 90’s 125 kHz proximity cards became the standard for cards and readers used in access control systems. And during the 1990’s and early 2000’s the 26bit card format dominated the market. This was because the vast majority of access control panels could handle the 26bit format and so it became a “de facto” standard for cards, readers and panels. However, the 26bit proximity card format is limited to just 256 facility codes (0-255) and a card ID range of 0 thru 65,535. The available number range is quite limited when you think of how many doors and systems were, and are, in use. Because of the limited combinations, card duplication was, and still is, rampant today.
Imagine the early days of card access system installations, in the early 90’s, when the concept was as new to installers as it was to end users. An installer would call customer service at the leading card manufacturer to place an order for cards. The installer would say “I need to order some of the Proximity cards” and the card manufacturer would say “what facility code and starting badge ID do you need?”, to which the installer would say “I don’t really know, not sure about all that”, or maybe they would just say “how about facility code 1 or 3 or something? And let’s start with Badge ID 1000”. As you can imagine, as system installations grew by the hundreds and then by the thousands, the companies using the same facility codes and the same Badge ID ranges started to have serious duplication. On top of this, nobody (or at least very few) was even tracking what Badge ID numbers had been used. (One other important note: many access systems employ a function called “degraded mode” which causes a system, in certain instances, to totally ignore the facility code.)
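The number-space limit and the effect of degraded mode can be checked against a badge inventory. The following is an added example, not part of the original whitepaper; it assumes the widely used open 26-bit layout (leading even parity bit, 8-bit facility code, 16-bit card number, trailing odd parity bit), and the function names and badge records are constructed for illustration.

```python
from collections import defaultdict

def encode_26bit(facility: int, card: int) -> str:
    """Build a 26-bit frame: even parity, 8-bit facility, 16-bit card, odd parity."""
    if not (0 <= facility <= 255 and 0 <= card <= 65535):
        raise ValueError("outside the 26-bit number space")
    data = f"{facility:08b}{card:016b}"
    even = str(data[:12].count("1") % 2)        # first 13 bits end up with even parity
    odd = str((data[12:].count("1") + 1) % 2)   # last 13 bits end up with odd parity
    return even + data + odd

def decode_26bit(frame: str) -> tuple[int, int]:
    """Return (facility, card); reject frames with wrong length or parity."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("not a 26-bit frame")
    if frame[:13].count("1") % 2 != 0 or frame[13:].count("1") % 2 != 1:
        raise ValueError("parity error")
    return int(frame[1:9], 2), int(frame[9:25], 2)

def find_collisions(badges, degraded_mode=False):
    """Group badge holders whose credentials a panel cannot tell apart.

    In degraded mode the facility code is ignored, so only the card
    number distinguishes one badge from another.
    """
    seen = defaultdict(list)
    for holder, frame in badges:
        facility, card = decode_26bit(frame)
        key = card if degraded_mode else (facility, card)
        seen[key].append(holder)
    return {key: holders for key, holders in seen.items() if len(holders) > 1}

# Constructed inventory: three unrelated sites that ordered "facility code 1 or 3".
BADGES = [
    ("site-A/alice", encode_26bit(1, 1000)),
    ("site-A/bob", encode_26bit(1, 1001)),
    ("site-B/carol", encode_26bit(3, 1000)),
    ("site-C/dave", encode_26bit(1, 1001)),
]

if __name__ == "__main__":
    print("normal mode:  ", find_collisions(BADGES))
    print("degraded mode:", find_collisions(BADGES, degraded_mode=True))
```

With the facility code checked, only the two badges that share both fields collide; with degraded mode on, every repeated card number collides regardless of site.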
As more and more systems were deployed, and proximity card and badge use grew rapidly, the manufacturers of the access control software and panels (OEM’s) started thinking they should have their own card formats to differentiate from 26 bit. The reasons were better control over their own users and supply of cards (exclusivity), combined with more number combinations available in longer formats (for example, 36bit Simplex® or 37bit AMAG®). This served a dual purpose: making the system more proprietary to the OEM, forcing the customer to come back to the OEM for cards, and also giving the OEM a story that because the card supply was more “restricted”, it somehow implied “more security” and would prevent number duplication. More restricted is good, but that does not mean the technology is more secure. In the early 2000’s there was also the advent of the 35 bit Corporate 1000® format, a format designed for large end users that wanted better assurance of no number duplication and that wanted to better control their card sourcing.
The fatal flaw in the second reason is the fact that virtually all of the 125 kHz proximity systems deployed had (and still to this day have) ZERO security in the RF transmission between the card and reader. Essentially the readers broadcast an ID number totally “in the clear”, meaning even a freshman engineer at a university could capture and replicate ID numbers or “clone” proximity cards. Many folks today are aware of the weakness of proximity cards, but a great many still think the products are “secure”, or they simply fail to address the issue. Card cloners have struck fear into many large end users and many have now started to upgrade their cards and readers to true security. Ask yourself this question: do you know your cards are authentic and have only been issued by a trusted source? Is there any corporate risk related to cards that may have been cloned?
One glaring example of exposure and lost revenue risk is the gym or health club industry. Many gyms use keyfobs or cards for access control of members. Unfortunately, most of these still utilize 26bit proximity. What the gym owners do not realize is that members can go down to a local grocery store or jump online and order duplicate keyfobs or cards. Then, unannounced, an unscrupulous member is handing out membership tokens to non-paying customers. In this one example, bad actors can affect the safety of gym memberships and the revenue for the gym.
Back to the growth of proximity: in the early 2000’s, more and more OEM’s deployed their own “proprietary” card formats to maintain control of their customer base. Some of these format types include the following: ADT® 37 bit A901058A, AMAG A10701 32 bit, AMAG S10401 37 bit, AWID 26 bit, CASI Rusco (GE CASI) C10106 40 bit, Continental C10202 36 bit, DSX D10202 33 bit, Honeywell® Quadrakey 32 bit, JCI C10001 Johnson Controls 34 bit, LENEL 36 bit, Northern Computer N10002 34 bit, Simplex S12906 36 bit, and many more.
These all sound impressive with many different bit (26, 33, 35, etc) lengths and fancy names, but in fact, other than having lots of number ranges to choose from, they are really no more secure than the basic 26 bit format because the number is typically still broadcast “in the clear” and can be cloned or copied (grocery store kiosks offer retail cloning nationwide and there are other similar retail products). This is further exacerbated by the vast number of resellers of many proximity card formats (exclusivity is gone), further increasing the risk of duplication and putting downward price pressure on the cards – all of which hurt the integrator, and of course mostly the lack of security which hurts the end user, and our reputations as “security” professionals.
But there was a movement afoot by the mid 2000’s. Many more proximity card companies started offering similar “compatible” technologies. In addition, European security influence started making its way to the US market in the way of 13.56 MHz contactless technologies which provided higher data rates and secure or encrypted transaction capability. Today these products are known as contactless smart cards and include such technology or product names as MIFARE®, MIFARE DESFire®, iCLASS®, and LEGIC®. These are all similar technologies that rely on mutual authentication and encryption methods to provide a more secure transaction than traditional proximity. While there are differences and uniqueness to each of these contactless technologies, as long as they are used in a secure mode, they are much better than traditional proximity. Today it is estimated that approximately 20-25% of systems utilize secure contactless cards, a strikingly low percentage. This means there is a massive migration opportunity, as much as 80% of the overall installed base ready for leading companies to upgrade.
Anyone installing a new system today should be using a contactless smart card product that employs security measures. Any dealer that continues offering the 30 year old proximity technology for new and add-on installs is doing a serious disservice to their customer and really should not consider themselves a “security company”, perhaps just an “integrator”.
For savvy companies that want to take a leading position, 3millID would advocate that any installations of readers should now at least read the existing proximity cards but also provide an upgrade or migration path to the latest secure technologies that provide encrypted data protection on the card, in the transmission to the reader and between the reader and access control panel. This simply provides end to end security from card to reader to panel. Why would we be offering anything less to our customers as the standard? If they want to downgrade for cost reasons (which are marginal anyway), they can make that choice, but as security professionals we should not be leading or offering unsecure technologies without thorough explanation as experienced security consultants. Moreover, if they have the budget, true security conscious end users should rip and replace their infrastructure and eliminate the use of traditional proximity cards and readers. Simply upgrading the reader is not sufficient if legacy cards are still in use.
In addition to proximity and contactless smart card technologies, there is another critical piece of the access control system that is ripe for migration. 3millID is a leader in Contactless Smart Cards, Bluetooth Mobile Credentials and Readers that provide compatibility with the new Security Industry Association standard OSDP (Open Supervised Device Protocol), and the traditional Wiegand technology. OSDP was created by SIA (the Security Industry Association) to provide a new standards based communication protocol capable of providing true security between card readers and access panels. This standard is expected to supplant the Wiegand communication that is responsible for an estimated 98% of all installed commercial access systems in use in North America today. And, you guessed it, just like traditional proximity cards, Wiegand (estimated at 95-98% of all installs in the past 20+ years) provides no security and savvy tech guys can “sniff” the Wiegand lines due to the lack of security. Because SIA has created an industry standard with the OSDP specifications (in the past year or so), there is already wide adoption of the standard by panel manufacturers and it is the new preferred “secure” communication between cards and readers, finally upgrading the decades old Wiegand standard.
And yet one additional opportunity exists. Incidentally, security industry research groups project Bluetooth Mobile credentials are expected to make up 20% of the access credential market within 4 years and an expected 44 million Mobile Credentials will be in use by 2021. 3millID utilizes encrypted proven Bluetooth technology with an industry leading 10 million plus transactions.
Again, savvy security users that are using the technology of today and tomorrow deploy solutions utilizing OSDP (which can provide encryption of the data passed from the card reader to the access panel), secure Mobile BTLE Credentials and Secure Envelope DESFire credentials. Most of the leading OEM’s now offer, or soon will offer, panels capable of supporting OSDP reader technology. The security industry’s leading access control software company, LENEL®, already offers a complete end to end security solution of BlueDiamond™ Card Readers, DESFire EV2 cards, BlueDiamond Mobile Credentials and OSDP compliant panels. 3millID is a technology partner with UTC on the LENEL BlueDiamond offering.
However, 3millID also manufactures its own readers that are system agnostic, will work on virtually any installed base of Wiegand access systems, and provide compatibility for future upgrade with industry compliant SIA standard OSDP panels, providing the perfect migration reader for virtually any installation of existing proximity cards and readers to Secure DESFire or Secure Bluetooth Mobile Credentials.
In consulting with leading OEM’s, security integrators, and end customers, 3millID advocates employing products that are based on industry standards for system compatibility while also providing secure cards, readers and panels to end customers.
3millID are experts at offering tailored product and training programs for those that want to take a leading position in offering more secure cards and readers. We do this with industry best lead times, competitive pricing and outstanding customer service. 3millID looks forward to the opportunity to assist your company just as we already do with many of the leading global companies.
Any trademarks referenced in the above content are property of their respective owners.