Living in an interconnected world leaves us vulnerable and exposed to cybercrime, and with the advancements over the years in physical security products these too have become open to cyber threats, resulting in monetary and safety damages to the extent that many countries are now enforcing personal data protection laws.
Five major security points can be identified, namely; credentials, data in the edge device, communication between device and server, data in the server, and the communication between the server and the client.
The biggest threat in credential security is RF card cloning and fake biometrics. Among the major two types of RF cards, 125 KHz cards are easily cloned, and depending on the 13.56 Mhz cards and their usage, these can be cloned as well.
No protection is applied in 125 Khz RF cards, which only support wiegand formats. But, it is possible to duplicate the card including format data. Mifare cards (13.56 Mhz) have IC chips and support encrypted data but, when it comes to CSN and Mifare Classic, they are vulnerable to card cloning.
First of all, it’s necessary to choose the right cards that support strong encryption methods. After choosing the right type of card, it is necessary to use a data area on the card that is protected by the encryption method. BioStar 2 supports smart cards that feature secure credential and access on card. Only a device with a matched key can access the data on the card.
The second major security point to consider is data protection in the edge device: how safe is the personal data in the device, and what if a hacker removes a device from a wall to gain access to the data on the device?
To address these threats, Suprema encrypts all personal data on the device including the name, pin, finger and face biometrics. User ID and card ID are categorised as system data and are therefore not encrypted. If a device is removed off of a wall, all user data and logs can be deleted at such a tamper event, however it must be stated that this is an optional setting available in device settings on devices loaded with compliant device firmware versions and is supported from BioStar version 2.6 onwards.
The new CoreStation intelligent controller offers further security, with no need to store user credentials on edge devices. The CoreStation is based on a centralised topology, where the intelligence, including fingerprint matching, is done on the controller, all data storage and RS485 communication to edge devices is encrypted according to the latest international standards, with no need to have a network access point available to hackers outside of your building.
Then there are the concerns surrounding communication between the device and the server/controller. Here one needs to consider device hijacking or data snipping/snooping for both network and serial communication.
In TCP/IP connections Suprema offers the highest level of communication protection via optional TLS 1.2, which is widely used in the financial industry. Secure communication for RS485 is through OSDP v2 Key. Keep in mind that Wiegand can be hacked because of its low end protocol method which is without key change encryption and therefore controllers only supporting Wiegand pose security threats.
When addressing the protection of personal data in the server in the event of server data leakage or hacking, BioStar 2 server efficiently encrypts all personal data including email, login password, pin and fingerprint template.
Suprema also supports encryption key value for your own key value management in BioStar versions 2.6 onwards. “Right to be forgotten” functionality is provided and allows log data to be automatically deleted after a designated period.
The final risk point raises the question of the possibility of communication between the server and the client being hacked. BioStar 2 versions 2.5 onwards supports HTTPS as a default, plus TLS version 1.0 and higher to secure communication from poodle/man-in-the-middle attack.
There are also additional personal data management methods to consider. Suprema’s BioStar caters for access on cards (AoC) for both physical cards and mobile cards, taking away the need to store credentials and personal data on the device, controller or BioStar 2 server. From version 2.6 upwards, optional functionality is available to automatically delete credential and personal data upon issuing AoC cards for both physical RF and mobile cards.
In summary, Suprema’s BioStar 2 cyber security protection features and data management options that help prevent cyber-crime and comply with data protection regulations include enhanced security through encrypted communication including HTTPS encryption between the server and the client and 256 bit AES encryption of communication between the server and devices. Improved security offered through centralised, secure storage of biometric and access group data. There is no Ethernet connection to edge devices and no data is stored on edge devices. Communication is secured via TLS 1.2 and AES-256 encryption.