Vulnerabilities and Challenges of Legacy Systems

In the early 1980s, as more and more companies began to shift from traditional lock-and-key access control to a more centralized approach, Chief Security Officers (CSOs) looked for ways to protect their premises from outside threats. Clock-and-Data and Wiegand protocols were widely adopted as the de facto standard as they enabled interoperability between access control readers and physical access controllers. Those protocols were later formalized and adopted into industry standards by the Security Industry Association in the 1990s.

Clock-and-Data

Magstripe card readers used the Clock-and-Data signaling method, which utilizes two wires called "clock" and "data". The data line sends all the binary data to the panel, while the clock line is used to tell the panel when to sample the data line. Each time a bit of data is sent down the data line, a pulse is sent down the clock line, which instructs the panel to take a "sample" of the data line and record that bit. Magstripe signaling is supported by many of the new access control panels, as well as older, Wiegand systems. However, this outdated communication protocol is insecure and magstripe cards can be cloned easily. It also allows the upgrade of readers and credentials without a complete overhaul of the back-end system of controllers and software.

Wiegand

More than 90 percent of the PACS installed today use the Wiegand protocol, making it the most common communication method used by access control devices to send information from the card reader to the controller. This means that the potential vulnerabilities that this protocol exposes can have a significant effect on the safety of transmitted data as it continues to be widely used. 

The Wiegand standard was not designed to keep pace with the security demands of today's enterprise organizations and the increasingly complex threats that are emerging, exposing far more challenges for these organizations to keep data transmission secure. 

At its core, Wiegand lacks the security that is essential for today's access control systems, because it:

  • Is unencrypted
  • Offers limited distance options
  • Is operationally inefficient in preventing controllers from communicating with readers for firmware upgrades, configuration changes, state changes, and other critical updates
  • Can easily be exploited by anyone who can learn the Wiegand protocol language or procure one of the readily available off-the-shelf hacking devices

These vulnerabilities can create significant security issues for the organization it is tasked to protect.

Although widespread in use, Wiegand vulnerabilties are known to most end users. In a survey of IT professionals, facility managers and physical security leaders conducted by HID Global, respondents said they were aware (39 percent) or somewhat aware (36 percent) of the security risks associated with the Wiegand protocol, yet continue to utilize, while the remaining respondents (25 percent) reported being completely unaware of the security risks. 

The Weak Links

Several weaknesses for these early PACS exist:

  • Lack of encryption protocol to protect from "man in the middle" attacks and vulnerabilities from reader to controller
  • Retrofit installations to expand a legacy system are complicated for integrators and expensive for organizations
    • Most readers require dedicated home-run wiring
    • Extensive wiring on a large-scale project, such as a school or corporate campus, results in considerable — and at times, prohibitive — costs