HAI RFID access system, how secure is it?

Mr Spock

Active Member
Leaning toward an HAI system and thinking about access control. Their part number 75A00-1 RFID scanner is a 125kHz based system. After looking at the wiring diagram and reading a few general posts on this subject I'm concerned about how secure this system is. I would use this on 3 doors into the house; front entry door, garage entry door (from garage into the house), and garage side door (from outside into the garage).

In normal use the 12VDC to activate the door strike comes from the reader itself. So if someone can somehow get their hands on the backside of this scanner (depends on how securely it's mounted) and knows the product they can open the door by simply jumpering two wires. Not good. So if I do go forward with this product I'll have the 12V to the door strike come from my HAI panel's outputs (through a high current relay) and not from the reader. That seems an easy improvement, probably just have to add automation code to make it work. Another improvement is to mount the reader behind something (clear plastic cover?) to improve accessibility to the back side.

My questions are more about general quality of security of this 125kHz system to hacking. From the company info they state the data on the access cards are "fully encrypted".

1) Does anyone know this system well to give me some idea of the hack-ability/security?
2) Does card encryption really prevent card hacking? I know any encryption can be hacked given enough time and effort.
3) Generally speaking, how secure are 125kHz RFID systems? I know non-encrypted systems can be hacked by someone getting close to you with a high gain reader.

For door latches I'm leaning toward the Securitron UNL-12 Unlatch.

Thanks.
 
Any reader system/keypad with the lock power switching on the back of the reader is not secure.

As far as the 125kHz systems, it depends on the card format. There are more secure F1000 systems that use a 35 bit system which is locked to the end user. Standard 26 bit cards are really more secure by using the security by obscurity method IMHO. There is a card number and a facility code. If you get them both anyone can buy a duplicate card to get in your door. As long as you don't advertise the facility code you should be fine. You can also carefully destroy the card number on the card or get cards with an offset so that the listed number is off x amount of digits from the listed card number.

The unlatch is a good strike to deal with "weather stripping pressure" or positive door pressure on the strike.

The reality is that if someone wants to get in they will, and probably without electronic "snooping" devices. Is the door going to have a deadbolt? Is it going to be used? How will you unlock the deadbolt? Will the wooden frame be reinforced with some sort of metal to strengthen it? Is there glass within reach of the internal unlocking components of the door hardware? There are plenty of mechanical things that can be done before ever thinking about adding electronic devices to a door to make it more secure.

I'm not trying to discourage any addition of devices to automate the entry in question. I am just trying to point out that there are some things that should be looked at before spending a bunch of money to only make it easier to break in if the install isn't done properly.


That being said, in 15 years I have never heard of someone breaking in to a building by using a "scanner" or some other device to duplicate the card information. Social engineering usually works much better than that.
 
Keep in mind that many of these cards can be cloned. We have one similar to this at work that we've used to "engineer" our way into client buildings during assessments:

http://www.dealextreme.com/p/rf-id-card-reader-and-rf-ic-card-writer-with-rfic-card-kit-usb-rs232-10695

It cannot clone the HID cards, but it works on most others. You just need to get close enough to someone with a valid card in their pocket to read it, go back to your car to clone it, and then you'll (most likely) get in. At least that works with ours, I don't know about the one I just linked to. But ours was from the same site.

Here's what I think about RFID readers on your house:
- People do not have sufficient motivation to get in to go the high tech route in bypassing them, unless you keep a large amount of valuables in your house and they find out about it.
- If you lose the card or tag or get mugged, and it's in your wallet with your address, then someone can easily drive to your house and use it.
- If you're going to do it, either get a reader that supports two-factor auth (where you use the card and then type a PIN), or only use it for opening doors and NOT disarming the alarm.

There are some readers on amazon called the iTouch. They are fingerprint readers and have a PIN pad on them also. I may go this route. They have a Wiegand chip on board, but last I checked, their firmware did not yet support it. Fingerprint scanners are also bypassable, it's fairly trivial in terms of difficulty, but it is time consuming. Bottom line is that it's smart to use a PIN in conjunction with whatever other access method is available.

So then why not just use a PIN? I'll tell you. It's reasonable to assume that 90%+ of PIN pads are expecting a 4 digit PIN. If you look closely at a PIN pad next time you see one on a house or business, look closely. If the same code is being used repeatedly, you can usually tell which buttons are being pressed most frequently. Sometimes you'll have to look a little closer, or even blow fingerprinting powder on the pad to see. But if I see 4 buttons that are the most used on a 10-digit pad, that means I only need to try 24 different codes to find the one that gets me in. I have PIN pads for door locks and garage doors, but everyone who accesses them has a completely different code that I assigned so as to use every button on my keypads and make it more difficult for someone to figure out a code. A well used keypad usually only takes me about 5 minutes to crack, sometimes way less.
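The arithmetic in the post above, turned into a small audit of the PINs assigned on one keypad. This is an added example, not code from the thread; the PINs are constructed samples, and the observer model (one shared code explains the wear if it can, otherwise any code drawn from the worn keys) is an assumption.

```python
from itertools import product

def worn_keys(pins):
    """Keypad buttons that will show wear: every digit used by any assigned PIN."""
    return set("".join(pins))

def candidate_codes(worn, length=4):
    """Codes an observer of the wear pattern would still need to tell apart.

    If the worn keys could all belong to a single code (no more worn keys than
    PIN digits), assume one shared code that uses every worn key at least once;
    with four worn keys and a 4-digit PIN that is 4! = 24, the post's figure.
    Otherwise there must be several codes, and any code drawn from the worn
    keys remains possible: len(worn) ** length.
    """
    worn = sorted(worn)
    if len(worn) <= length:
        return sum(1 for code in product(worn, repeat=length)
                   if set(code) == set(worn))
    return len(worn) ** length

def keypad_audit(pins, length=4, keypad="0123456789"):
    """Return (worn keys, candidate codes after wear analysis, full keyspace)."""
    worn = worn_keys(pins)
    return worn, candidate_codes(worn, length), len(keypad) ** length

if __name__ == "__main__":
    shared = ["2580"]                           # constructed: one code for everyone
    spread = ["1470", "2583", "9651", "8240"]   # constructed: codes covering all keys
    print(keypad_audit(shared))   # four worn keys, 24 candidates of 10000
    print(keypad_audit(spread))   # all ten keys worn, 10000 candidates of 10000
```

A PIN set that leaves the candidate count equal to the full keyspace is the condition the post describes as "use every button on my keypads".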
 
The HAI design isn't entirely secure in its implementation, especially if you follow their input/output scheme for a REX, DPS, and lock relay. I believe they were also making the unit obsolete and discontinuing it, but it's been a while since I looked for one.

I think the likelihood of someone either cloning a card or hacking their way in on a typical 26 bit Wiegand with a site ID and card #, while it can be done, isn't that great when doing such takes time and also a whole lot of effort when a typical break in is more likely to be a smash and grab. I haven't seen a case where a card was spoofed and cloned in almost 20 years.

Honestly, while it's slightly more money, given the design of the HAI unit, I'd rather get a standalone Wiegand reader/controller, even a prox/pin based unit, and then wire it into the HAI and fire automation over the HAI unit.

Fingerprint readers are notoriously known in the industry for false positive reads, which is why they have been basically abandoned compared to other technologies (iris, venous pattern, geometry, etc.)
 
Hmm. I'm not seeing any signs (yet) of it going obsolete. I've got a year to see what happens while I figure this out.

I don't want a separate access control system. But I'm guessing there are no 3rd party readers that "seamlessly" interface to the HAI OPII panel, right? The 75A00-1 is RS-485. If so please make some recommendations.

Thanks.
 
You can bend data from 26 bit Wiegand into 485 as long as you know the appropriate protocol for speed, parity and stop bits. Really a non-issue.

Plenty of manufacturers out there, we use Cypress CVX-1300's all the time for things like this.
 
I think the likelihood of someone either cloning a card or hacking their way in on a typical 26 bit Wiegand with a site ID and card #, while it can be done, isn't that great when doing such takes time and also a whole lot of effort when a typical break in is more likely to be a smash and grab. I haven't seen a case where a card was spoofed and cloned in almost 20 years.
No one is going to clone a card for residential. But you would be surprised what happens in business environments. When we do assessments, we use every trick in the book. But, they are all tricks that have been used for real actual attacks. Plus, cloning a card for residential is hard, because you need to identify your target and get close enough to them (almost touching). Businesses are easy because you can hang out in the smoking area outside, and get close to anyone.

Fingerprint readers are notoriously known in the industry for false positive reads, which is why they have been basically abandoned compared to other technologies (iris, venous pattern, geometry, etc.)

Not only are they known for false positives, but you can lift prints using powder and tape, and then make a raised mold of the print using gelatin and a circuit board etching kit. It's easy to do, but it takes an hour or two to complete the mold. You can buy all the stuff for $10 and do a ton of prints with it. Where I have access to client environments via fingerprint, if it's the type where you press your finger on it instead of swiping, I always wipe off my prints after I'm done. If they are two factor with keypad and fingerprint, I press the buttons for the PIN with my knuckle.

Bottom line is, most of this stuff is bypassable somehow. It's just a matter of estimating the maximum amount of effort someone will put into trying to thwart your security measures, or finding an easier way which doesn't involve them at all. There should always be multiple layers to your security (like making sure your card readers only open the door, and a code is still required to disarm the alarm instead of doing both with just the card).

Of course, as DEL pointed out, most residential burglaries are going to be smash and grab, so having layered security probably doesn't matter so much... unless it involves a big scary dog that likes how people taste. :)
 
I checked out the Cypress CVX-1300. Interesting "data bender", but costly at $250 to $300 each (I would need 3, plus the readers themselves).

So this would give me seamless bidirectional control to/from the reader to an HAI panel? I'm wondering if there are weird compatibility issues (some commands don't work, some variables don't update, etc.).

Has anyone used one of these data benders with an HAI panel? Which readers do you recommend in this scenario?
 
The other option, as I mentioned, would be to integrate a small, standalone access product, most likely using 26 bit Wiegand, then drive a set of inputs/outputs on the HAI.

The positive aspect is no matter what happens, the reader, power and similar are completely isolated from the HAI board.
 
The other option, as I mentioned, would be to integrate a small, standalone access product, most likely using 26 bit Wiegand, then drive a set of inputs/outputs on the HAI.

The positive aspect is no matter what happens, the reader, power and similar are completely isolated from the HAI board.

This would work:

http://xceltronix.com/itouch.asp

They are cheap, and the actual box that grants the access is mounted on the other side of the wall or remotely. So people can't just pull your keypad off and then bridge some wires. The thing just simulates a press of your garage door button, so you'd just wire it to an input on the HAI.

This thing does have a 26-bit Weigand chip in it, but when I spoke with them a year or two ago, it was not yet supported in their firmware.
 
LOL data hacking.
I wouldn't sweat any data hacking vulnerability, I've installed Commercial Access control systems for 15 years and haven't seen it yet. The Card Duplication issue does bother me though. All in all nobody is that determined to steal your stuff, when cutting a phone/cable coax.... and a rock through the window will do just as well.
 
I think the reader is a good product, it just needs a few installation modifications to be secure.
Suggestion #1
Install a mechanical pushbutton tamper switch to the backside, tie this to the door contact in series.
Suggestion #2
Isolate the strike power with a relay and a separate supply.
 
It would be really really really nice if HAI made a Wiegand interface that would accept a variety of card reader data formats and bit lengths. And a Form C Relay. Most Installation companies usually prefer to homerun all their devices back to a control room. 125kHz, 13.56MHz, Indala.... 26bit, 37bit....
 
Here is a good reference to understanding the tech.
http://www.hidglobal.com/sites/hidglobal.com/files/hid-understanding_card_data_formats-wp-en.pdf
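The standard 26-bit format mentioned in this thread (facility code plus card number, bracketed by two parity bits) is what the HID paper above documents, and what the "data bender" post says can be pushed over 485. This added example, not code from the thread or from HAI/HID, encodes and decodes that frame and checks both parity bits; the bit layout is the widely published one (even parity over the first 12 data bits, 8-bit facility code, 16-bit card number, odd parity over the last 12 data bits), and the sample card values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Card26:
    facility: int   # 0-255
    number: int     # 0-65535

def encode_26bit(card: Card26) -> str:
    """Return the frame as 26 '0'/'1' characters, bit 1 first.
    Note the frame carries no secret: anyone who reads these two numbers
    (or sees them printed on the card) can order a duplicate, which is the
    point made about facility codes earlier in the thread."""
    if not 0 <= card.facility <= 0xFF or not 0 <= card.number <= 0xFFFF:
        raise ValueError("facility code or card number out of range")
    payload = f"{card.facility:08b}{card.number:016b}"   # 24 data bits
    left, right = payload[:12], payload[12:]
    even_p = str(left.count("1") % 2)          # parity + left half has an even count
    odd_p = str((right.count("1") + 1) % 2)    # right half + parity has an odd count
    return even_p + payload + odd_p

def decode_26bit(frame: str) -> Card26:
    """Parse a frame, rejecting bad length or parity (a line fault or a
    bit flipped in transit shows up here before any door decision)."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("frame must be 26 binary digits")
    bits = [int(b) for b in frame]
    if sum(bits[0:13]) % 2 != 0:     # bit 1 plus data bits 2-13
        raise ValueError("even parity check failed")
    if sum(bits[13:26]) % 2 != 1:    # data bits 14-25 plus bit 26
        raise ValueError("odd parity check failed")
    return Card26(facility=int(frame[1:9], 2), number=int(frame[9:25], 2))

if __name__ == "__main__":
    card = Card26(facility=42, number=12345)      # constructed sample card
    frame = encode_26bit(card)
    print(frame, decode_26bit(frame))
```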
 
Mr Spock said:
I checked out the Cypress CVX-1300. Interesting "data bender", but costly at $250 to $300 each (I would need 3, plus the readers themselves).

So this would give me seamless bidirectional control to/from the reader to an HAI panel? I'm wondering if there are weird compatibility issues (some commands don't work, some variables don't update, etc.).

Has anyone used one of these data benders with an HAI panel? Which readers do you recommend in this scenario?
Your post is intriguing.
What do you plan on using the Data Bender for?
The HAI Readers are all connected in "parallel" to the same serial port.
The only thing I can think of is decrypting the rs-485 data for integrating another system into the Omni.
 
Many new card systems out there can't be duplicated. I don't think HAI uses such a system, though.  These systems transmit a code to the card, the card takes this code and using a private key, transmits a reply to the reader.  Even if someone monitors this transmission, and sends back the same reply, it won't work.  The reply changes based on what the lock initially sent out.  For all practical purposes, these systems are hacker proof.  There have been attempts by hackers to open the card (assuming they had it) so they could determine the encryption, but doing so usually destroys the circuit making them worthless.
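A simulation of the distinction this post draws, added here as an example rather than taken from the thread or from any specific card product: a static-ID card answers every reader the same way, so a captured answer can be played back, while a challenge-response card keys its answer to the reader's fresh challenge with a secret it never transmits. The HMAC construction, key and card ID are constructed stand-ins, not any vendor's actual protocol.

```python
import hashlib
import hmac
import secrets

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
STATIC_ID = b"\x00\x2a\x30\x39"                           # constructed card ID

# Legacy-style card: the reply is the same fixed number every time.
def static_card_respond(_challenge: bytes) -> bytes:
    return STATIC_ID

def static_reader_verify(_challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(response, STATIC_ID)

# Challenge-response card: the reply is a keyed MAC over the reader's challenge,
# so it is only valid for that one challenge and the key never leaves the card.
def cr_card_respond(challenge: bytes) -> bytes:
    return hmac.new(KEY, challenge, hashlib.sha256).digest()

def cr_reader_verify(challenge: bytes, response: bytes) -> bool:
    expected = hmac.new(KEY, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)

def new_challenge() -> bytes:
    return secrets.token_bytes(16)   # fresh, unpredictable per transaction

def replay_accepted(card_respond, reader_verify) -> bool:
    """Record one genuine exchange, then present the recorded reply to a
    later challenge. Returns True if the reader accepts the replay."""
    c1 = new_challenge()
    captured = card_respond(c1)
    if not reader_verify(c1, captured):
        raise RuntimeError("genuine exchange should verify")
    c2 = new_challenge()
    return reader_verify(c2, captured)

if __name__ == "__main__":
    print("static ID replay accepted:", replay_accepted(static_card_respond, static_reader_verify))
    print("challenge-response replay accepted:", replay_accepted(cr_card_respond, cr_reader_verify))
```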
 
I am not a fan of the HAI design with the door strike connecting to the relay on the card reader. I would prefer the door strike to be home run to the panel so the wires were not accessible if the reader was unscrewed from the wall. I have a feeling HAI went this way to allow easier installation.
 