The problem with current 'smart' access control systems
There’s been an explosion in products that promise to make our facilities, assets, networks and cloud resources "smarter", more secure and safe, but do they?
With control system hacks on the rise and traditional lock/entrance manufacturers like Honeywell, Assa Abloy and Stanley developing more intelligent lock systems, it’s clear that enterprises in hospitality, healthcare and government are looking for more granular access control that increases security.
These smart access control systems frequently use RFID, keypad entry, sensors or radio receivers for remotes or smartphones to grant access. To switch over to these systems, there’s usually a very large upfront cost, as network and power infrastructure must be installed to all controlled access doors, the door hardware must be replaced, and a central system established. Additionally, these systems require backup power options in case of a power loss, and cards and badges must be issued to each employee.
But what happens if your employee loses an access card? There’s a chance it could get into the wrong hands.
This is certainly a cause for concern, but the true root of the problem with current smart access control systems isn’t simple human error. It’s that most of these current systems are connected to facilities’ business networks, like Z-Wave, NFC or WiFi, making the switches, gates and locks being controlled remotely accessible. This might sound convenient, but it’s actually making these smart access control systems accessible for remote attacks because of how easily their frequencies can be scanned and hacked into. It’s as simple as searching on YouTube to find "how-to" videos on hacking physical access control systems.
Whether it’s a malicious attacker or a disgruntled employee, if the attacker were to gain access to a server room or an office building, they could put your whole organization at risk. Attackers could steal easy-to-grab devices with sensitive information on them, delete and alter information, disrupt normal business operations, hack into a system and cause a data breach or worse -- physically harm your employees.
So is there an alternative? Biometric security in smart access control systems has significant advantages over all other forms of identification, authentication and verification. It’s fast and easy to use; it doesn’t need a token or fob. And unlike a key code password, which requires memorization and is easily replicable, an individual’s fingerprints, irises, facial constructs and other biological traits should be impossible to duplicate.
However, companies need end-to-end security frameworks that encrypt and protect biometric information to ensure the proper level of authentication and verification -- limiting access to a physical location. After all, the threats to data are everywhere. For instance, many companies believe that because their location is controlled remotely by their phone or computer, the data inside is safe. To the contrary, thieves can install malware into the device and gain access into a location without direct contact. Data breaches have been similarly achieved through email, apps and the interception of a Wi-Fi connection.
Standards also matter when dealing with biometric-based access control systems. Without having proper standardization in place to clearly secure and authenticate someone’s identity in a comprehensive manner, information is left open to attack.
For biometrics, the Institute of Electrical and Electronics Engineers (IEEE) has created the Biometric Open Protocol Standard (BOPS) or, as it’s called, 2410. With this, organizations can create and use biometric-based technologies that allow people to safely and effectively authenticate access into secure locations without the need for key cards and passwords.
In the coming years, biometrics have the potential to be the leading security metric for smart access control systems, but a single ultra-hack could derail this progression permanently. It’s up to today’s companies to recognize the importance of protecting biometric data, as this is a vital step for protecting their assets in the future.
Hector Hoyos is the founder and CEO at Hoyos Labs, one of the leading innovative biometrics, authentication and identification technology companies. He’s been in the biometrics and IT fields since the mid-1980s as the founder and president of various cutting-edge companies.