What to do about OSDP vulnerabilities for access control
Heard about the OSDP vulnerabilities and wondering how to mitigate risks? Read this blog to find out how to harden your access control system.
There’s been a lot of talk recently about the Open Supervised Device Protocol (OSDP) vulnerabilities.
These access control vulnerabilities were first presented at the Black Hat Security Conference this year by a security firm, Bishop Fox. Soon after, a blog by Ars Technica expanded on the five exploitable OSDP risks mentioned in the talk.
Since then, the physical security industry has been ablaze with questions and concerns about the OSDP protocol. With threat actors ready to capitalize on system weaknesses, organizations need to know the impacts of OSDP vulnerabilities and how to defend against OSDP-related threats.
Keep reading to learn about all the resources available to help you harden your Security Center system against these OSDP vulnerabilities.
What is the OSDP protocol?
OSDP stands for Open Supervised Device Protocol. It’s a common access control communication protocol today, providing a secure and flexible framework to link up various components of an access control system.
More specifically, OSDP connects card readers and other access control peripherals to controllers. This ensures that the control panels can verify credentials against the cardholder database and grant or deny access to doors or areas.
OSDP was created by the Security Industry Association (SIA) as the next-generation access control protocol to improve interoperability between access control products. OSDP also supports 128-bit AES encryption, smartcard technology, and other advanced functionality. Because of this, OSDP has been considered the more secure option for access control installations over the long-standing Wiegand protocol. In 2020, OSDP was also approved as an international standard by the International Electrotechnical Commission.
What is the OSDP hack? And how can we defend against OSDP risks?
The OSDP hack was presented by Dan Petro and David Vargas from Bishop Fox at this year’s Black Hat conference. The two security researchers shared how they were able to hack an access control system using OSDP protocol vulnerabilities. They also detailed their findings and recommendations in a blog titled ‘Badge of Shame–Breaking into Security Facilities with OSDP.’
Here’s a quick summary of the five key OSDP security vulnerabilities they presented and the best ways you can mitigate these risks today.
Top 5 OSDP vulnerabilities to look out for
Optional encryption for OSDP
OSDP supports encryption, but it’s up to you to enable that feature in each device. When you do not enable the Secure Channel encryption during device installation, or if you implement devices that do not support all the security features available within the OSDP protocol (like encryption), this could leave you vulnerable to cybercriminals.
What can you do to mitigate this risk?
Enable Secure Channel
This is something that should be done when installing and configuring your access control devices. In our Security Center Hardening Guide, you’ll find recommendations to use the OSDPv2 protocol with the Secure Channel mode enabled. You can also follow step-by-step instructions to enable secure reader connections from the Config Tool in Security Center.
Follow OSDP-related installation instructions
If you’re using the Synergis™ Cloud Link, make sure to follow all OSDP-related recommendations in the Synergis Cloud Link Installation Guide and the Synergis Cloud Link Administrator Guide. Here are a few specific sections from the Administrator Guide that cover the OSDP standards and how to best implement your OSDP devices:
If you’re looking for guidance on OSDP devices from specific access control vendors that connect to Synergis Cloud Link, you can search through our guides here.
If you’re looking for OSDP-related guidance for the Synergis Cloud Link Roadrunner™, check out these resources:
Monitor your Security Score
Within Security Center, the Security Score widget monitors the security of your system in real time and compares that against a set of best practices. It then gives you a score and offers recommendations to improve your cybersecurity. One of the recommendations for access control is to ‘use secure reader connections’. If you haven’t enabled Secure Channel yet, the Security Score will warn you about that potential risk and recommend that you secure your access control device connections to improve your cybersecurity score.
Downgrade attacks on hardware
When a reader first comes online, it transmits a list of capabilities to the controller including whether it supports encryption. But supporting Secure Channel encryption and enforcing it are two very different things.
So even if your access control readers and controllers support Secure Channel encryption and you’ve enabled it, will the devices still accept non-encrypted data exchange?
The researchers found that by connecting a hacking device to a specific reader’s wiring, they could intercept the communication from the reader to the controller. They could then tell the controller that the reader doesn’t support encrypted communication. This downgraded the communication protocol and helped them gain access to credential information.
What can you do to mitigate this risk?
Choose secure devices
It’s important to know that this vulnerability is hardware-specific. Certain access control device manufacturers have ‘Secure Channel Required’ capabilities. This means the device will refuse any communication that isn’t secure.
Check your OSDP configurations
You can verify the OSDP configuration for your controller. Each device will be different, so speak with your access control hardware vendors to learn more about this setting and make sure your controllers refuse non-encrypted communication. If you need guidance on Genetec-specific devices, reach out to our support team.
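The difference between supporting and enforcing Secure Channel, shown as a small controller-side decision function. This is an added example, not code from Genetec, the researchers or any OSDP library; the field names and `decide_session` are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class ReaderPolicy:
    """Controller-side settings for one reader (hypothetical field names)."""
    address: int
    key_provisioned: bool          # a Secure Channel key is stored for this reader
    secure_channel_required: bool  # refuse anything that is not Secure Channel

def decide_session(policy: ReaderPolicy, advertises_secure_channel: bool) -> tuple[str, list[str]]:
    """Return (action, alerts) when a reader comes online.

    advertises_secure_channel is only what the capability report claims; on an
    unauthenticated wire that claim can be changed in transit.
    """
    alerts = []
    if policy.key_provisioned and not advertises_secure_channel:
        # A reader that was paired with a key should not lose the capability.
        alerts.append(f"reader {policy.address}: keyed reader now reports no encryption support")
    if advertises_secure_channel and policy.key_provisioned:
        return "secure-channel", alerts
    if policy.secure_channel_required:
        alerts.append(f"reader {policy.address}: unencrypted session refused")
        return "refuse", alerts
    return "plaintext", alerts

# Constructed scenario: the same altered capability report under two policies.
SUPPORTED_ONLY = ReaderPolicy(address=1, key_provisioned=True, secure_channel_required=False)
ENFORCED = ReaderPolicy(address=1, key_provisioned=True, secure_channel_required=True)

if __name__ == "__main__":
    for policy in (SUPPORTED_ONLY, ENFORCED):
        print(policy.secure_channel_required, decide_session(policy, False))
```

With the first policy the controller falls back to plaintext and only raises an alert; with the second it refuses the session, which is the behaviour to confirm with your hardware vendor.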
Install-mode attack
When setting up new readers and controllers, some OSDP-supported devices will automatically switch on 'Install Mode'. During that setup process, the reader asks the controller for a generic base key. Once the connection is established and the device is online, encrypted communication will resume. However, the researchers found that if Install Mode is not switched off, then threat actors can intercept and act on behalf of a device to request a new key. They could then gain access to your system and data.
What can you do to mitigate this risk?
Learn how Genetec, Mercury, and Axis products are secure
Not all OSDP devices have Install Mode switched on by default during setup. Genetec products such as Synergis Cloud Link or Roadrunner as well as the latest Mercury and Axis devices require installers to actively turn on Install Mode through a configuration card or app. Once a reader is added, these controllers will also automatically exit Install Mode. This negates this vulnerability and keeps your system and data secure.
- It’s always recommended to enable the Install Mode only when you can control or trust the whole channel.
- Another mitigation tip is to provision the keys separately on the reader and controller. If the reader is not in Install Mode, the controller won't send the key over OSDP. Once Secure Channel is enabled, the controller will try to connect securely using the key. Note: Not all devices support this capability.
Know what to do if your devices enable Install Mode by default
As mentioned above, Genetec Synergis Cloud Link or Roadrunner as well as Mercury and Axis devices don't fall in this category. With all these controllers, Install Mode must be manually turned on. Once your reader is set up, the device will automatically exit Install Mode. But if you have other devices where Install Mode is enabled by default, here are a few tips to consider:
- Focus on secure implementation. After your device is installed, make sure to switch Install Mode from ON to OFF for all your OSDP devices.
- Some of these other device manufacturers may have the capability to automatically turn off Install Mode after a certain time period. They might also offer reporting features that tell you which devices have been left with Install Mode ON to quickly identify vulnerable devices.
- If you have a device that automatically goes into Install Mode, reach out to your access control vendor to identify other built-in safeguards that may help you ensure Install Mode is never left on.
Weak encryption keys
Though it’s rare, some device manufacturers might use weak encryption keys for communication sessions. The researchers speculated this after they found a generic hardcoded key in an open-source OSDP library. And since these keys usually follow familiar and simple patterns, they were able to generate 768 possible hardcoded keys. The threat? Cybercriminals could do the same, using these weak keys to launch brute-force attacks and try to gain access to your system.
What can you do to mitigate this risk?
Swap out the hardcoded keys during installation
This vulnerability is all about effective device implementation again. If you do have devices that use generic, hardcoded keys, you’ll need to change them out for unique and randomized keys.
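One way to screen the keys in a device inventory before and after swapping them out, added here as an example and not taken from Genetec or the researchers. The pattern checks are assumed heuristics for "familiar and simple" keys, and the device names and key values are constructed.

```python
import secrets
from collections import Counter

def weak_key_reasons(key: bytes) -> list:
    """Return the reasons a Secure Channel key looks predictable (empty = none found)."""
    if len(key) != 16:
        return ["not 16 bytes, so not an AES-128 key"]
    reasons = []
    # Byte-to-byte differences expose constant and counting patterns.
    steps = {(b - a) % 256 for a, b in zip(key, key[1:])}
    if steps == {0}:
        reasons.append("one byte repeated 16 times")
    elif steps == {1}:
        reasons.append("bytes count upward by one")
    elif steps == {255}:
        reasons.append("bytes count downward by one")
    elif len(set(key)) <= 4:
        reasons.append("four or fewer distinct byte values")
    if all(0x20 <= b < 0x7F for b in key):
        reasons.append("printable ASCII only, looks typed rather than generated")
    return reasons

def audit_keys(inventory: dict) -> dict:
    """Map each device to its findings, including keys shared between devices."""
    seen = Counter(inventory.values())
    findings = {}
    for device, key_hex in inventory.items():
        reasons = weak_key_reasons(bytes.fromhex(key_hex))
        if seen[key_hex] > 1:
            reasons.append("key shared with another device")
        if reasons:
            findings[device] = reasons
    return findings

def new_device_key() -> str:
    """Generate a 128-bit key from the OS CSPRNG, hex-encoded for provisioning."""
    return secrets.token_bytes(16).hex()

# Constructed inventory: device names and keys are made up for this example.
SAMPLE = {
    "lobby-reader": "303132333435363738393a3b3c3d3e3f",
    "dock-reader": "00000000000000000000000000000000",
    "lab-reader": "9f1c62d4a7e05b3308c6f1be24d97a51",
    "roof-reader": "9f1c62d4a7e05b3308c6f1be24d97a51",
    "vault-reader": new_device_key(),
}

if __name__ == "__main__":
    print(audit_keys(SAMPLE))
```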
Choose OSDP verified devices
These products have been tested and verified by SIA to meet the OSDP standards. They come with many security features such as supporting unique and randomly generated AES-128 keys for your OSDP device. Make sure to check with your vendor to know whether this feature is enabled by default or something you need to set up manually.
Know about Genetec devices
Our solutions never use hardcoded keys. Whether you have the Synergis Cloud Link or Synergis Cloud Link Roadrunner, you’ll either receive randomly generated AES-128 keys for each device or have the ability to configure your own secure keys.
Force-back Install Mode
The last vulnerability involves getting a device back into Install Mode. The researchers explained how hackers could install a covert listening device on the RS485 wiring of an existing access control reader and tamper with the device to the point that it needs replacing. When the new reader comes online, the listening device would then be able to capture the encryption key during Install Mode. Hackers could then mimic the reader to steal critical information.
What can you do to mitigate this risk?
Take device alarms seriously
Should a device fall offline or continuously cause issues, stay diligent in your assessment and assume the possibility of a threat. You can also check device status reports in Security Center to review alarms from a specific device. This can help you identify suspicious events or patterns, which may reveal an attempted breach.
Use a temporary cable during installation
If a listening device has been installed on your RS485 wiring, using a temporary connection cable from the new reader to the controller during device pairing will mitigate this risk. This will allow you to safely initiate the device connection and proceed with encrypted communication to finish the installation.
A checklist for OSDP hardening and what’s to come from Genetec
Cybersecurity threats are always evolving. And these OSDP vulnerabilities show how important it is to not only choose the most cybersecure devices, but also follow recommended best practices to defend against threats.
Here’s a quick checklist of the best ways to defend against OSDP threats today:
- Choose OSDP-verified devices
- Enable Secure Channel mode for all your devices
- Follow OSDP recommendations in hardening and installation guides
- Configure non-trivial encryption keys for your devices
- Only enable Install Mode when you can trust the whole channel
- If Install Mode is enabled by default on your device, get out of Install Mode following device installation (device-specific recommendation)
- Install new readers using a direct connection to the controller
- Check your Security Score and follow best practices
- Check device alarms and pull reports to identify bigger concerns
- Lean on vendors that you trust for additional support and guidance
Sharing these tips with you is just the beginning. At Genetec, we’re also proactively working with our access control technology partners to identify and list OSDP-related device capabilities.
We’re also looking at new ways to help you defend against these OSDP vulnerabilities within our Security Center platform. We’ll share more information as soon as it’s available. But in the meantime, if you have any questions or need additional guidance, contact our support team.