How to make ACS really safe, even from the most trained hacker?

The question of data protection in access control systems (ACS) remains relevant, despite cryptographic protection algorithms and other modern technologies. Moreover, in the security industry as a whole, "security" is developing more slowly than in other areas.

Most of the communication channels in such systems still remain "transparent": they are not encrypted and have no means of preventing the "interception" of data. Intercepting data often does not even require any specific knowledge or skills, which is an additional motivation for cybercriminals to tamper with the system.

The basis of any access control system is a control device - a controller, as well as readers and identifiers from which the system receives all the necessary information.

Today the three most popular types of identifiers are cards, biometrics and smartphones. This is the first security vulnerability. Almost any identifier, such as a card, can be copied, and a face recognition system can be fooled with a photograph.

From proximity cards to biometrics

The most popular card format in Russia is EM Marine, which has absolutely no protection. Having received such a card, you can make a copy of it for $1 in any of many services specializing in the manufacturing of keys. Or, spending about the same amount, make duplicates yourself using card cloning devices that are freely available on Alibaba and similar sites.


Figure: RFID card copier

To avoid such a situation, modern card standards are required that use encryption to protect the information on the card itself. For example, the reader not only receives the public UID of the card, but also accesses a certain encrypted area on it and makes sure that it contains the necessary "key" (password) for further work.
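The difference between a reader that trusts the public UID and one that also checks a key held on the card can be modelled as follows. This is an added example, not code from the article or from any vendor: it goes slightly beyond the text by using a challenge-response check with per-card keys, HMAC-SHA-256 stands in for the card's own cipher (which the article does not specify), and all names and the sample key are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample key; in a real system it lives only in the readers/controller.
SITE_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def card_key(uid: bytes, master: bytes = SITE_MASTER_KEY) -> bytes:
    """Derive a per-card key so that one extracted card key does not expose the others."""
    return hmac.new(master, b"card-key|" + uid, hashlib.sha256).digest()

class Card:
    """Model of an identifier: anyone can read the UID, the key never leaves the card."""
    def __init__(self, uid: bytes, key: Optional[bytes]):
        self.uid = uid
        self._key = key  # None models a UID-only copy or an unprotected card format

    def respond(self, challenge: bytes) -> bytes:
        if self._key is None:
            return b""
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

def reader_uid_only(card: Card, enrolled: set) -> bool:
    """Unprotected format: the decision rests on the public UID alone."""
    return card.uid in enrolled

def reader_with_key_check(card: Card, enrolled: set) -> bool:
    """Protected format: the card must also prove it holds the matching key."""
    if card.uid not in enrolled:
        return False
    challenge = os.urandom(16)  # fresh for every presentation of the card
    expected = hmac.new(card_key(card.uid), challenge, hashlib.sha256).digest()
    return hmac.compare_digest(card.respond(challenge), expected)

if __name__ == "__main__":
    uid = bytes.fromhex("04a1b2c3")          # constructed sample UID
    genuine, uid_copy = Card(uid, card_key(uid)), Card(uid, None)
    for name, card in (("genuine", genuine), ("UID-only copy", uid_copy)):
        print(name, reader_uid_only(card, {uid}), reader_with_key_check(card, {uid}))
```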

Returning to card formats, it is worth noting that some vendors develop their own unique identifier formats, while others support open and well-known ones, for example Mifare. Such cards are widely used as transport cards in the Troika or Podorozhnik systems, as ski passes at most ski resorts, or as passes at some fitness centers, for example World Class.

In addition, some bank cards with a contactless chip (MasterCard PayPass, Visa PayWave) are able to act as a Mifare identifier, which makes it possible to combine several functions within one card. This approach is often used in campus projects, where for a student this card is at once a financial instrument, an ordinary bank card on which he receives a scholarship, a pass to a dormitory or laboratory, a library card, etc.


Figure: Examples of known identifiers of the Mifare format

As for the Mifare format, the encryption of these cards can also be approached in different ways. Some vendors let users switch cards to encrypted mode on their own side, while others handle encryption and key storage themselves and send ready-made cards to customers.

It is important that the vendor's solutions are able to work with identifiers that have copy protection tools. What is more, the manufacturer must also make sure that administering such cards is not difficult for the direct user of the system.

Recently, smartphones have been increasingly used as identifiers. In this case data transmission can be carried out using two technologies, NFC and Bluetooth. Both technologies come from the IT industry, are widespread and are available on most devices.

Communication interfaces

Let's turn to the second possible vulnerability in the system. After the reader has received information from the identifier, it must transmit it to the controller. ACS manufacturers around the world use many communication interfaces between the reader and the controller. The most common are Touch Memory, Wiegand and OSDP.

Each vendor chooses an interface based on market demand. Some vendors create their own, less public communication protocols. The system then becomes less flexible, which is partly done to bind the customer to a supplier (Vendor Lock): further equipment can be installed only from a certain manufacturer.

                            iButton                Wiegand                OSDP
Function of feedback        One-way communication  One-way communication  Two-way communication
Traffic encryption          no                     no                     yes
Expansion of functionality  no                     no                     Possibly
Line range                  Up to 1 meter          Up to 150 meters       Up to 1200 meters

Comparison of communication interface standards between a reader and a controller

Interfaces such as Wiegand and Touch Memory (also often referred to as iButton) do not support encryption of transmitted data, authentication of the parties or integrity control of the communication line. Data is transferred over them as short pulses from the reader, which the controller registers on its side and decodes into the transmitted information. This information can be easily intercepted by observing voltage fluctuations on the line wires. Of course, getting to the wires themselves is a more difficult task, but the vulnerability itself does not lose its relevance.
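What the controller actually sees on such a line can be shown with a decoder for the common 26-bit Wiegand frame. This is an added example, not code from the article: the 26-bit layout is an assumption (the article names no frame format) and the sample frame is constructed. It shows that the frame carries the card number in the clear and that its two parity bits only catch some line noise, which is not integrity control.

```python
# Assumed layout of the common 26-bit Wiegand frame:
#   bit 0       even parity over bits 1-12
#   bits 1-8    facility code
#   bits 9-24   card number
#   bit 25      odd parity over bits 13-24

SAMPLE_FRAME = "10010101000110000001110011"  # constructed: facility 42, card 12345

def decode_wiegand26(bits: str) -> dict:
    """Decode a frame the way a controller does, checking both parity bits."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 binary digits")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("even parity failed (first half)")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("odd parity failed (second half)")
    # No key, counter or reader identity is part of the frame: these two
    # numbers are everything the controller learns, and they are plaintext.
    return {"facility": int(bits[1:9], 2), "card": int(bits[9:25], 2)}

def flip(bits: str, *positions: int) -> str:
    """Return a copy of the frame with the given bit positions inverted (line noise)."""
    out = list(bits)
    for p in positions:
        out[p] = "1" if out[p] == "0" else "0"
    return "".join(out)

def survives_parity(bits: str) -> bool:
    """True if the controller would accept the frame as well-formed."""
    try:
        decode_wiegand26(bits)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(decode_wiegand26(SAMPLE_FRAME))
    # One corrupted bit breaks parity and the frame is rejected.
    print(survives_parity(flip(SAMPLE_FRAME, 5)))
    # Two corrupted bits in the same half cancel out: a different card number
    # is decoded and nothing in the frame lets the controller notice.
    print(decode_wiegand26(flip(SAMPLE_FRAME, 23, 24)))
```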

The OSDP interface is modern, unified and secure, but not widespread enough yet. A very important aspect of the standard is the ability to use cryptography in the exchange of data between peripheral devices and the controller.

Today OSDP is still a niche solution for customers who prioritize security (such as banking or oil and gas companies). But this is only for now: the standard is gaining more and more popularity - and not only due to its uniformity and security, but also due to its ease of configuration and use. Security is great, but it's not the only thing users need.

For example, a native OSDP feature is tracking the state of communication with devices. Also, unlike Wiegand, there is no need to lay additional cabling: several readers can work on the same line.

Although the OSDP (Open Supervised Device Protocol) interface is a standard, it does not limit the possibilities for expanding its functions in any way. If the manufacturer wants, the same interface can be used to update the indication settings of readers and device firmware, to set up modes of operation with cards that have copy protection tools, and more.

Communication interfaces. Part 2

The third vulnerability in access control systems is the communication between the controller and the server, which is carried out in different ways. The most common interfaces are RS485 and Ethernet.

When the server interacts with the controller, various information can be transmitted: data for employee access (card numbers, access rules) goes to the controller, and in the reverse direction information about events occurring at the access points is sent to the server. All this happens through a channel, which must also be encrypted.

As access control systems are now increasingly integrated into the IT ecosystem of companies, the use of the Ethernet interface looks more advantageous due to the convenience of connection, administration and the achieved level of security.

For example, during the data transmission there is a native ability to protect it by encryption using standard TLS and DTLS protocols, which are widely used in many applications that everyone is familiar with today: web browsers, email clients, messengers or IP telephony (VoIP) applications.

Data storage

The issue of storing data on the server itself is also very important: personal data of employees, client databases and other confidential information. For this there are specialized programs that protect data from copying and transfer, tools for encrypting information on hard drives and many other tools.

However, even when using them, do not forget the basic rules whose implementation is the key to reliable data storage. Among them are timely updating of the system, setting strong passwords and changing them regularly, elaborating access policies, keeping the firewall enabled and others.

Nevertheless, the main source of security threats is not equipment, but people. The stability of the system can be calculated and risks foreseen, but in the end the human factor remains the weakest point in security systems. For example, a security officer in a business center can sell parking cards to residents of neighboring houses, and an ordinary employee can correct his working hours if the operator forgets to exit the program. There are many similar examples.


The problem of information security is now more than relevant, especially in security systems. In this sense "end-to-end data protection", starting with the identifier and ending with the system’s server, is a mandatory component of modern access control systems, in addition to which the manufacturer should take care of the ease of use and administration of the entire system.

In conditions of convergence with the IT segment, strict adherence to standards that have been tested over several years and are successfully applied everywhere, not only guarantees a sufficient level of information protection in the access control system, but also makes the system more understandable and predictable for IT specialists, who are increasingly involved in the selection and administration of such systems.