In recent years, multinational corporations such as Cathay Pacific, Facebook, Uber and numerous others have been heavily fined due to security and data protection violations. This period has seen data protection laws increase as more and more information is gathered and shared online. As such, it becomes crucial to account for security capabilities when choosing an embedded device that touches potentially sensitive data.

RFID readers belong to an ecosystem in which personal or user identification data is transmitted either to a host system such as a PC or to an endpoint such as a Human Machine Interface (HMI). Passive RFID transponders, soft credentials such as a mobile phone app using BLE/NFC, and smart cards and other contact-based credentials can all carry sensitive data or personal information. With smart cards and contact-based credentials, storing personal information such as name, address or date of birth is more prevalent than with contactless credentials, where an identification number may be used.

Security as a concept

In general, security as a concept always relates to the entire system, which includes the RFID media (contact/contactless credentials), the RFID reader, the host system and any database or cloud server. While security must be accounted for across the system, it is more important to consider the application or use case in question. One should carefully evaluate the consequences of any security breach and whether any sensitive information is exchanged between the RFID media and the host. As an example, the simple choice of RFID media may directly lead to a compromise in your intended application’s security. There are numerous references on security vulnerabilities related to Low Frequency (125 kHz) contactless transponder types. The references focus on using interceptors to access unprotected static card information. Adversaries may then clone the credential and use it to trigger an action such as granting access to a facility or unlocking a computer. Some references also highlight vulnerabilities in the Wiegand interface, where the data signals can be intercepted to capture the card value.

Therefore, some older RFID transponders and communication interfaces that may be based on the aforementioned technology or have been subject to vulnerability hacks are now considered fundamentally compromised.

As mentioned previously, the overall security depends on every component of the system that includes the RFID reader. This article will mainly focus on some of the basic security considerations that need to be accounted for when choosing an RFID reader but also whether or not your application requires these abilities. Some of the key security considerations are as follows:

Does your application require encryption capabilities? If so, does the reader have the capability to execute cryptographic algorithms? 

In every application where RFID technologies are involved, there is a need to first assess whether encryption is required and if so, determine the exact channel where this needs to be enforced. It could be that the host interface requires the exchange of encrypted data or the air interface needs to transfer protected data. Once the requirements are established, one may then evaluate the strength of this security.

Furthermore, many types of contactless transponders can store data within their memory segments and encrypt or lock these segments with cryptographic keys. An apt card reader is one that can not only decrypt the memory segments and access the data but also provides an easy means for the end-user to carry out this operation. In many instances, the end-users have their own customized cryptographic keys for their credentials and are unwilling to share these keys with the card reader provider. Therefore, having the capability to load custom keys by someone other than the card reader manufacturer becomes essential. This can be facilitated in multiple ways, such as implementing high-level APIs and allowing the user to write applications for the card reader, or providing the customer with a graphical user interface to enter the keys used to access data sectors.

Do you require encrypted data exchange? If so, where and can the card reader support this?

In a typical scenario, the card reader behaves as a medium to facilitate data collection and transfer between the contactless or contact-based transponder and the host system. The host system can either be an endpoint that locally validates the credential presented to it or it can be a microcontroller that sends data over the network to the cloud or a database for validation and authentication.  As mentioned previously, assessing whether the need for encryption is between the RFID media and the reader or from the reader to the host is important. If the former, the appropriate credentials are required. Depending on this factor you may then consider choosing an appropriate RFID reader.

There are use cases wherein personal information such as name, address, date of birth or biometric data can be stored within the credential, e.g. smart cards or passports as credentials. Therefore, encrypting the exchange of such data both between the credential and the reader as well as the reader and the host becomes critical. Moreover, encryption algorithm engines such as AES, DES, 3DES, or the capability to implement custom algorithms, need to be present on the card reader as this enables ease of integration. In cases where smart cards or contact-based credentials are used, the host system typically drives the communication in its entirety. So, the card reader must also have:

  • Software capabilities such as Personal Computer Smart Card (PCSC) or Chip Card Interface Device (CCID) mode of communication. The availability of drivers to facilitate communication with the host also enables easy software integration.
  • Hardware support for communication standards such as ISO7816 and the presence of Secure Access Module (SAM) slots and other contact-based interfaces.

Does your application require mutual authentication with Secure Access Modules (SAM) and RFID media? If so, does the reader support this?

A Secure Access Module is a type of smart card that follows a contact-based communication standard to interact with a card reader. These modules ensure the protection of security keys as well as facilitate cryptographic operations. Typically, SAMs are used to generate application keys based on a specific master key or to generate session keys. They also enable secure messaging between the RFID media, the reader and the host system.

Many contactless credentials hold memory segments/applications that are encrypted with cryptographic keys. These keys are often stored in SAMs and supplied to card reader manufacturers. This not only ensures the security of the keys but adds a step in the authentication process. The card reader in this case should first perform authentication operations with the SAM and then carry out a series of cryptographic and bit manipulation operations between the contactless card and the SAM. This can be further secured by adding a key diversification step. The card reader must be able to support such a scenario both in the hardware as well as in the software. Many end-users require the card reader to natively support such a scenario and to provide high-level APIs to help in their implementation. In addition to this, high-security applications demand the transfer of data in an encrypted format. One can ensure end-to-end encryption/security with the help of SAMs. In such an architecture, the reader facilitates mutual authentication with the RFID media and the SAM, thus transferring protected data over the radio link and also ensuring the security of encryption keys. The reader can also transfer data encrypted by the SAM to the host system, maintaining a high level of security across the system.
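The flow described above, sketched as an added example that is not from the original article or any vendor's API: a SAM that diversifies a per-card key from a master key and the card UID, and a reader that only relays the mutual-authentication messages. HMAC-SHA-256 is used as a stand-in for the AES/3DES operations a real SAM and card would run, and all class names, message layouts and key values are hypothetical.

```python
import hashlib
import hmac
import secrets

# Added illustration. HMAC-SHA-256 stands in for the AES/3DES operations a
# real SAM and card would run; all names and message layouts are hypothetical.


def _mac(key, *parts):
    """HMAC over length-prefixed parts so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class Sam:
    """Models the SAM: the master key goes in and is never handed back out."""

    def __init__(self, master_key):
        self._master = master_key
        self._pending = {}  # uid -> challenge issued by the SAM

    def _card_key(self, uid):
        # Key diversification: each card's key is derived from master + UID,
        # so extracting one card's key reveals nothing about other cards.
        return _mac(self._master, b"diversify", uid)

    def personalise(self, uid):
        """Issuance step: the per-card key that is written into the card."""
        return self._card_key(uid)

    def start_auth(self, uid):
        challenge = secrets.token_bytes(16)
        self._pending[uid] = challenge
        return challenge

    def finish_auth(self, uid, card_challenge, card_proof):
        """Check the card's proof; return the SAM's proof, or None on failure."""
        sam_challenge = self._pending.pop(uid, None)  # one use: blocks replay
        if sam_challenge is None:
            return None
        key = self._card_key(uid)
        expected = _mac(key, b"card", sam_challenge, card_challenge)
        if not hmac.compare_digest(expected, card_proof):
            return None
        return _mac(key, b"sam", card_challenge, sam_challenge)


class Card:
    """Models the contactless credential holding only its diversified key."""

    def __init__(self, uid, key):
        self.uid = uid
        self._key = key
        self._pending = None

    def respond(self, sam_challenge):
        card_challenge = secrets.token_bytes(16)
        self._pending = (sam_challenge, card_challenge)
        proof = _mac(self._key, b"card", sam_challenge, card_challenge)
        return card_challenge, proof

    def verify_sam(self, sam_proof):
        if self._pending is None:
            return False
        sam_challenge, card_challenge = self._pending
        self._pending = None
        expected = _mac(self._key, b"sam", card_challenge, sam_challenge)
        return hmac.compare_digest(expected, sam_proof)


def reader_authenticate(sam, card):
    """The reader relays messages; it never holds the master or card key."""
    sam_challenge = sam.start_auth(card.uid)
    card_challenge, card_proof = card.respond(sam_challenge)
    sam_proof = sam.finish_auth(card.uid, card_challenge, card_proof)
    if sam_proof is None:
        return False  # card could not prove knowledge of its diversified key
    return card.verify_sam(sam_proof)  # card checks the SAM in turn


if __name__ == "__main__":
    sam = Sam(bytes.fromhex("11" * 32))            # constructed master key
    uid = bytes.fromhex("04a1b2c3d4e5f6")          # constructed card UID
    genuine = Card(uid, sam.personalise(uid))
    copied_uid = Card(uid, secrets.token_bytes(32))  # same UID, no valid key
    print("genuine card:", reader_authenticate(sam, genuine))
    print("UID-only copy:", reader_authenticate(sam, copied_uid))
```

Because the reader only forwards challenges and proofs, the keys stay inside the SAM and the card, and a card that presents a known UID without the matching diversified key is rejected.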

Note that the safety of distributing SAMs as well as administering the installation process within the reader should be treated as a separate issue and tackled accordingly. There is also the issue of readers being stolen or SAM modules being dismounted from the reader. The security considerations here do not cover these topics, and appropriate precautions are to be put in place to improve the overall security of the system.

Does the card reader have communication interfaces other than Wiegand such as RS485 or RS232?

The Wiegand card as well as the Wiegand interface for data transmission is a 40-year-old technology that originates from the Wiegand effect discovered by John R. Wiegand in the early 1970s. While Wiegand cards are still in production, they have been largely replaced by newer and cheaper forms of access cards. However, these cards are still based on the Wiegand data format, which is susceptible to interception as the data are available in plain text. Also, the Wiegand interface introduced in the 1980s remains prevalent across the logical access as well as the physical access control industry despite various security vulnerabilities. This technology no longer conforms to current security standards. It is therefore important for integrators to choose a communication interface that can offer higher security from interception and support encrypted data exchange.
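To make "plain text" concrete, here is an added example (not part of the original article) that builds and parses a frame in the widely used 26-bit Wiegand layout, which the article itself does not specify and is assumed here: one even-parity bit, an 8-bit facility code, a 16-bit card number and one odd-parity bit. The facility code and card number are constructed sample values.

```python
# Added illustration of the common 26-bit Wiegand layout (an assumption; the
# article does not name a specific format):
#   bit 0      even parity over bits 1..12
#   bits 1-8   facility code
#   bits 9-24  card number
#   bit 25     odd parity over bits 13..24
# No key or secret takes part in any step below: parity only guards against
# line noise, so the format offers neither confidentiality nor authenticity.


def encode_wiegand26(facility, card):
    """Build the 26-character bit string a reader would clock out."""
    if not 0 <= facility < 2 ** 8:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card < 2 ** 16:
        raise ValueError("card number must fit in 16 bits")
    data = f"{facility:08b}{card:016b}"
    left, right = data[:12], data[12:]
    even = str(left.count("1") % 2)          # total ones in bits 0..12 even
    odd = str((right.count("1") + 1) % 2)    # total ones in bits 13..25 odd
    return even + data + odd


def decode_wiegand26(bits):
    """Validate parity and return (facility_code, card_number)."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected a string of exactly 26 bits")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    return int(bits[1:9], 2), int(bits[9:25], 2)


def flip_bit(bits, index):
    """Simulate a single-bit transmission error on the line."""
    flipped = "1" if bits[index] == "0" else "0"
    return bits[:index] + flipped + bits[index + 1:]


if __name__ == "__main__":
    frame = encode_wiegand26(42, 12345)      # constructed sample values
    print("frame on the wire:", frame)
    print("decoded fields   :", decode_wiegand26(frame))
    try:
        decode_wiegand26(flip_bit(frame, 10))
    except ValueError as exc:
        print("noisy frame rejected:", exc)
```

Every field is recoverable from the raw bits alone, which is why an interface that supports encrypted and authenticated exchange is the better choice where the wiring cannot be physically protected.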

Do you require tamper detection technologies? If so, can the reader meet this requirement?

The need for tamper detection largely varies from one application to another so it is more important to consider whether this level of security is suitable for your respective use case. As an example, card readers attached to multi-function printers (MFPs) for releasing print jobs in an enterprise environment can be considered less critical since tampering with the reader can ultimately lead to the downtime of the printers but will not compromise the safety of your documents. Typically, in such scenarios, the card reader works hand in hand with the MFP and a print management solution that ensures the release of print jobs. Therefore, if the card reader is sabotaged or tampered with, the MFP or the solution simply prevents the release of any information.

On the other hand, high-security environments such as data centers certainly need greater protection. One must thoroughly evaluate the consequences of any attempts directed towards compromising the device integrity or the data associated with the device. These topics need to be considered separately and are outside the scope of this article. In conclusion, depending on the application, the credentials involved as well as the data that is being exchanged with the card reader and eventually the host, tamper detection technologies can improve the security of the device. There are several technologies in the market such as mechanical and optical tamper detectors that can be embedded directly on the card reader for superior protection against threats. 

Do you require the reader's configuration or firmware to be securely shared or loaded on the card reader? If so, can the reader meet this requirement?

We are all aware of system and application software updates, as at some point our phones have received security patches or app upgrades over the network. In the case of card readers, the process is quite similar, except that here the software or configuration updates might require encryption based on your use case. For example, if an end customer is reading static card numbers from RFID media or isn’t using data protected by encryption keys, the firmware or the configuration does not need to be encrypted, for the simple reason that these files do not carry any sensitive information. The need to encrypt configuration/firmware files arises if the data that is being read by the reader contains any personal information or is part of a proprietary corporate format that is confidential, or should a customer wish to move to a higher security credential encrypted with keys. This means that either their existing card readers or new card readers must have a configuration that holds these keys.

In such a scenario, the configuration or firmware must also be encrypted since it holds sensitive information. If the configuration or the firmware is encrypted, the file will no longer pose a security risk and can be shared with customers to perform updates to the existing readers or with the card reader manufacturers to load new readers with the configuration or firmware updates. This not only secures the sharing process but also the update process since the reader is now receiving an already encrypted file.

After all, it is essential to choose a card reader that can carry out the aforementioned security considerations but more importantly the security features that are chosen need to be appropriate to the requirement of the customer. Any integrator first and foremost should thoroughly evaluate the respective application. They should work with subject matter experts in the field and establish requirements and objectives. After developing the concept, system architecture, data flow as well as various secure channels, only then can one begin to account for the security features needed. This process not only helps cement the end system’s overall security view but also elucidates the exact security requirements that correspond to the resulting application.

In conclusion, choosing an RFID product that not only has the above security features but also has a flexible system design capable of accommodating future adaptations will prove to be the right choice for OEMs and system integrators.

Author profile

Kiran Vasishta Field Application Engineer, ELATEC USA
