Access control done right the first time - Tim Clevenger

BSides SATX | 23:55 | 60 views | Published 2024-06
Category: Technical
Style: Talk
About this talk
Access control done right the first time - Tim Clevenger
2024-06-08, 10:30–10:55, Track 2 (Moody Rm 101)

I discuss tips and tricks for a successful physical access control (badging) system based on my five-year stint at a vendor where I installed, repaired and upgraded systems installed by my employer and other vendors.

Are you looking to install or upgrade a physical access control system? Having installed, repaired and upgraded dozens of large and small access control system installations, I have found that many vendors install a minimum viable product that can leave your new system unreliable and trivial to bypass. This session will give you the tools and knowledge you need to work with your installer to install your system using best practices in the following areas:

- Wiring, supervision, encryption and tamper-resistance
- Choosing clone-resistant badges and securely programming badge readers
- Securing badge controllers and managing issued badges
- Maintaining the system for maximum security and uptime

Transcript

All right, uh, good morning. My name is Tim Clevenger; this is Access Control Done Right the First Time. Just a little bit about me: by day I'm a cybersecurity engineer, uh, for Saleo in Austin, um, but in a previous life I was LenelS2 certified in both access control and video, and I did a half sysadmin, half field tech job where I got to get in the truck and out of the dark server room and go visit sites and do repairs and upgrades and modifications on access control and video systems throughout Southern California. Uh, so getting to see a lot of newer systems installed by other companies as well as the company I worked for, and kind of a lot of older

systems, I learned some tips and tricks I think that'll help if you're planning an access control system: you're moving into a new building, maybe you need to upgrade or replace the system that you have in place now, or if you just want to have a more secure and reliable system. I am, uh, on the Physical Security Village Discord as well as DC512 and a couple of other ones; my handle, NSFW, I didn't choose it, it was assigned to me, I'm not going to say why. A little bit about this talk: so, like I said, I'm going to present some tips and tricks here. At the end of this presentation I'll have a QR code that

will take you to a GitHub repo that I created where, later this evening, I'll have an RFP that will have essentially everything that I've talked about here, that you could give to your legal team and your, uh, procurement team to give to an access control vendor and just make sure that they're not going to cut any corners on you during your installation. Uh, many vendors will sell what I call a minimal viable product: it functions, it beeps when you badge in and it unlocks the door, but it may not be the best system for your risk profile or for maintainability in the future. So I'll start with choosing a system. The systems that I worked on were

largely, uh, powered by boards from a company called Mercury Security. They're one of the largest vendors; I have no connection with them other than I've used their equipment and I like it. Uh, they have local storage on them, so if you're Facebook and you accidentally blow up your DNS, you don't have to pry open your server room doors to fix your servers. Uh, they have multiple vendor support and they can be reflashed with different firmware, so if you decide that, you know, Vigilant or Lenel is not for you and you want to switch to a different vendor, often you can keep all of the same equipment, reflash all the boards and go with another vendor. So

it's a little more, uh, useful in that perspective as well. Uh, so we'll have some layout considerations; I'll give you a couple of examples here. Uh, the way that these systems typically work is there's a more expensive, more powerful board that I call an access panel that's going to store a copy of all of your cardholders and card numbers; it's going to store logs and return them back to the server that runs your software. Uh, those are typically connected with Ethernet, so you'll have an Ethernet drop somewhere with one of these boards, and then you'll daisy-chain additional boards to that with a wonderful protocol called RS-485. Anybody here in access control at

all? No? You haven't enjoyed the wonder that is two pairs of wire with a foil shield. Uh, this wire basically allows you to daisy-chain up to 31 devices off of your access panel for a total of 64 doors being controlled, and it can go up to 4,000 ft. Please do not do this; it will not work for you, you will be so unhappy. Uh, what happens with RS-485 is you have a communications problem somewhere in that 4,000 ft and you're now having to start disconnecting devices to figure out where in the chain the mice chewed through the wires, or the foil broke, or somebody installed an electrical transformer on the other side

of the wall and it's just wiped out your communications. But there are cases when you're going to want that. Uh, another thing to consider is your distance to your door. So, uh, certain types of locks like magnetic door locks use a lot of power, so if you have all of your access equipment at one end of the building and you have this door all the way at the other end that's a magnetic lock, you're going to have to consider having a power supply all the way down there, um, uh, along with all of the kind of additional issues that power supplies, uh, entail, and we'll talk about that as well. Something else to consider when you're

placing your access control equipment is the room that you're placing it in: is it going to be too hot, too cold? Again, is there going to be, um, you know, a transformer or a large motor on the other side of the wall? Is there a wall of concrete or cinder block that you're going to have to drill through to get to all of the doors on this side? Uh, just things to consider. I can't tell you how many times I had to go to an HOA's pool house to fix the gate access control system and the thing is just rusted solid because they stuck it in the same room as the saltwater pool

water conditioning equipment. So just think about that kind of stuff, because your warranty is only going to get you so far. So let's talk first about something simple like a dock. So you have 70, 80 dock doors in a warehouse. It's probably 7 or 800 ft; that's probably going to be too long for you to run Ethernet to the end of without fiber and media converters and much other stuff you don't want to deal with, so this is a perfect situation for RS-485. You know, every 10 dock doors I've got this little person door right here that, you know, somebody's going to be going in and out of, and you want to badge, uh, access to that. So what you

can do is you can put your Ethernet-powered access panel at one end by door number one and then just run RS-485, which is relatively cheap, all the way down and do drops where you need those doors. So that's a situation where having that cheaper but maybe not quite as reliable wiring is going to be helpful for you. On the other hand, you have an office building where there's not a lot of, uh, you know, you have a lot of square footage, uh, but you probably could get away with doing just a, you know, a little room right here with an access panel, and you just hang all of your other door controllers right after that and then

have those go out to the individual doors for an office space like that. Something else to consider is, uh, this is, you know, like a Class A building; it's got elevators, it's essentially two mirrored half floors here. Well, if something happens like, I don't know, a pandemic and work-at-home situation that causes all of your real estate to be underutilized, maybe you're going to want to sublease half of a floor in the future. So it's good to think about that kind of thing now in your situation and maybe think: I'll do an access panel over here somewhere with all the doors powered off of that, and then an access panel over here with all

the doors powered off that, and that way if they decide to sublease half of my space I can just close off this door, close off this door, disconnect it from my system, and then whoever sublets can deal with it. So it's just, again, something to think about. Typically a vendor will give you a project manager that you can work with, so just kind of keep that in mind when you're working on stuff like this. The really important thing from my perspective is a lot of vendors will say, well, you've got three floors, we have 4,000 ft to work with, so we'll just do all of them hanging off of one

board down on the first floor and run 4,000 ft of continuous wire all the way up to the top. Again, please don't do this; you're going to be really unhappy when your, uh, access vendor is having to tear out drywall to reach some wiring because they decided to cheap out. This is a typical board layout that I would do in a typical office environment. So this is an enclosure with a power supply; the power supplies are right here, and what I'll do is have my access board right here and then I'll have individual door controllers hanging off of that with that RS-485 connection. This particular enclosure I like because all of this stuff is pre-wired by the

manufacturer, so all the RS-485s and the relays and everything all just plug in; the only wire that you have to run to this is the wiring that goes actually to the doors themselves. A little bit about wiring to the door: so you have a bunch of wires that you're going to have to run from your board to the door or gate or whatever it is that you're powering. So you'll have power for the door hardware that unlocks and locks the door; if you have a motion sensor you'll have to run power to that as well; you'll have shielded cabling to the badge reader itself. There's two different ways to wire the badges and we'll talk about

that in a second. And then you have your door contact and your request-to-exit wiring, so the contacts that tell the system the status of the door, and then a tamper switch for your badge reader so somebody can't just pull it off the wall, and any auxiliary inputs and outputs. The wrong way, and I've seen this happen (this particular image I got off the internet, but I've seen stuff very similar to that), is, uh, undersized, uh, power conductors to your door lock hardware, either undersized because they went undersized or undersized because they decided to try to take an existing wire and go way too far with it, and the voltage drop causes the door to not

unlock, uh, reliably, or a magnetic lock to not lock sufficiently, where you can just pull the door open even though it's locked. Um, of course fire hazard is an issue there when they decide to just twist together additional wires to make a thicker wire; that's never good to have up in a ceiling that you can't see what's going on. For your communications wire, typically unshielded or spliced cable. I can't tell you how many times I saw unshielded Cat 3 telephone cable being run to badge readers. It's not going to work, you're not going to like the situation, and what happens is you get unreliable communication to the badge reader and sometimes the badge reader crashes and stops working and you

got to go in and actually unplug it at the board to reset it. Uh, and then no wiring for your tamper or your auxiliary inputs or outputs. The worst that can happen there is if somebody can pull the badge reader off the wall, they can attach a device in there and capture badge numbers as they flow from the badge reader to your system. Um, the least worst thing that could happen is by not adding auxiliary inputs and outputs you have limited expandability; you know, they want to put a buzzer in there or something and you have to run new wire just for that. So having those extra pairs there also as a spare in case, you

know, a wire gets cut or fails in some way, you can do that without having to start again tearing out drywall. This is the right way. This is slightly more expensive than running all these individual conductors, but it's such a cleaner installation. It's called composite access control cable, so all of your power cables, all of your communications cables, which are properly shielded because this is made specifically for access control systems, uh, and has a thick exterior jacket, so if they're pulling it through a drop ceiling and they scrape it along a sharp piece of metal it's less likely to damage the interior, uh, wire. The most important part for this, in my opinion, is

if they've pulled this cable, you know they've pulled proper cable, because you're not going to find this in an unshielded, you know, kind of junk cable. So I always recommend this whenever you're doing either a new system or you're adding to an existing system. A little bit about your power supplies and enclosures: so, uh, the power supply will typically take your 110 volts and it'll output 12 or 24 volts DC to power the board, the card reader, the motion detector and the hardware that unlocks the door. So what you want to do is make sure that you have something that is sufficient amperage for the load that you're going to give it and the

temperature range. These are really heavily, they have good heat sinks on them, so they're designed to run sealed in a metal box up on the wall in an un-air-conditioned room. If you're going to put it in a hot room or steamy room or something like that, you're going to want to make sure that it's rated for the temperatures that you're going to throw at it. Also make sure you get a power supply that has a built-in charger. Uh, it's really unfortunate when the power goes out and you can't get in the building to turn the power back on because there were no batteries attached to your access control system. Uh, so make sure that that is specified. The

enclosures themselves are typically, um, built in with the power supplies, like that image that we saw earlier. Um, again, just make sure you get something that has a capability to charge batteries. They're in multiple sizes, um, depending on whether you have one or two panels or you have a big one like that one that I showed. Um, you can do DIY or pre-wired. Make sure that they have a key lock and a tamper switch; the tamper switch you can wire to your panel, and if somebody pries open the door you'll get a notification. So anytime, especially in a place where maybe it's in a closet that has a key or, uh, you

know, cleaning supplies or something like that, just make sure you have those tampers set up. You can also get these in a waterproof, uh, form factor. I generally don't like doing waterproof exterior, I'd prefer to put it in a shack, but sometimes you've got that gate all the way at the other end of the parking lot and there's no place for you to mount it, so a waterproof enclosure will help you in that regard. And a little talk about batteries: these are standard gel cell batteries; they're the same ones that you get for UPSes. Um, they're very cheap, you get them from the Home Depot for 20 bucks, so there's not really any reason to not

replace them regularly. I recommend writing the install date on the batteries with a permanent marker and then replacing them every 3 to five years: every 3 years if they're in a hot room with, you know, no air conditioning; if they're in a server room you can generally replace them about every five years. The way you can tell is if you pick up the battery, you shake it and it rattles, it means that the electrolyte's all dried out and it's time to replace it. Again, same thing, make sure that you have that, uh, checked. And remote power supplies: the folks that work for the company I work for might notice this from the lunchroom, this picture. Uh, when you have power-hungry

locks like magnetic locks and motorized crash bars, uh, what'll happen is often they'll have to put a second power supply just to power the door hardware itself. What they'll often do is they won't tell you about this; they'll figure it out after they've done the wire and they'll just stick one up in the ceiling above the door, or maybe above a conference room, or maybe above something else, and you'll never know about it until the power goes out, and again they've used the cheapest power supply possible and haven't got batteries in it. So make sure that you work with your project manager when you're laying this out, and if there's a magnetic lock down a long hallway or a

motorized lock, ask them: is this going to require a power supply? If so, I'm going to want a tamper switch, I'm going to want AC fail and battery fail connections, and I'm going to want batteries in that thing. A little bit about fire safety: so there's two ways that a door can fail when the power goes out, fail safe or fail secure. Fail safe means that you can exit the building and open the door, and if the power goes out, that is the way that you should do doors in any place other than very specific secure doors that need to, uh, need to be fail secure. But if you do a fail secure door, which means the door stays locked if the power

goes out, make sure anybody who's in there has a way to get out, whether it's some kind of bypass or, uh, you know, specify the lock hardware so you can still turn the handle and exit out of the place. Uh, when you're putting your system in you're going to want to make sure you follow local code, obviously, and your AHJ, your authority having jurisdiction; that could be, uh, fire marshal, it could be building inspector, but there are laws regarding, again, what you could do fail safe, what you could do fail secure. Sometimes, for instance, if you have a badge reader to exit the building, you need to have like a handle with a tear-off cover that you

could pull the handle to unlock the door to get out so that you're not trapped in the building. So very important to, uh, have that, uh, taken care of, as well as any building that you have that has a fire alarm: uh, depending on the age and the size of the building and your jurisdiction, sometimes they're required to tie in the fire alarm to your access control system with these relays, so that if, uh, there's a fire it will automatically unlock doors that allow people to

escape. All right, uh, so there's a few different types of door hardware. I'm not going to go over all of these; I will mention magnetic locks in particular. Um, again, they're going to need more power than the standard lock and your power supply may not be able to provide that, so you may have to do an additional power supply for that. And a magnetic lock of course always fails safe, because it's an electromagnet and when the electro goes away the magnet, uh. Your door hardware has two different contacts that tell the system what condition your door is in. There's the door contact, which is the status: is my door open or is my door closed? And

that's typically either a reed switch that's attached on the door frame or it's integrated into the hardware somewhere. And then you have something called the request to exit, or REX; that is what allows the door to open from the secure side, or the inside, without triggering a warning that the door has been forced open. This is how you tell the system, I'm opening this door legitimately from the inside, nobody's prying it open from the outside. Those are typically a button, a buzzer from the reception desk, a motion detector, or a microswitch that's integrated into the handle itself. For these two contacts you need supervision. This is the thing that is left out of every access control system

installation that I've seen unless specifically requested by the customer. Supervision is a pair of resistors that are wired in line with your door contact or your REX and basically splits the signal into four different signals. So right now, if I cut this wire, the system doesn't know: did I cut the wire or did the door switch open up the connection? By using these supervision resistors as close to the contact as possible (and some contacts have them integrated so you don't even need them externally), you've now got four different readings of ohms depending on whether the wire was shorted or cut or if the door is open or closed. So very important. These are very cheap; it's pure

laziness that this is not done regularly. Uh, motion detectors are, uh, an attack vector for people getting into buildings. Um, these are often used for your request to exit. Um, on some doors, like a magnetic door, it'll also trigger the door unlock, so if you can get the motion detector to read from outside the door you can open the door without having to use a badge. So if you have that situation, I'm not going to go into it too much; there's attacks all over YouTube: Mylar balloons, frozen spray from air dusters. There's some mitigations here that you can use to, uh, help reduce the attack vector on that one. Along with that, door

handle attacks: you know, reach under with a wire and pull the handle down. Um, again very common; there are some mitigations here as well. Uh, so badges and readers: badge readers come in different sizes and types; they handle, you know, fobs, badges, smart cards; if you're from the 80s they handle magnetic stripe cards; um, additional factors, biometrics and PIN entry. Um, there are four main kind of types of badges that I've worked with regularly. The first two are fairly broken and easy to clone; those are the ones most companies still use. Um, there's, uh, the MIFARE DESFire and Seos, which are not officially broken but they have some weaknesses that some people have been able to exploit in specific circumstances,

but still way better than the little card at Walmart that says call us and we can duplicate your fob for you. Um, a little bit about the badge formats: it's an old 26-bit format, it's from the 80s, it's easy to clone, you can read it right off the wires behind the card reader, which is why we put a tamper on our card readers to make sure that if somebody pulls it off the wall, we know. There's also, uh, you know, people can put them in a suitcase with a battery and just walk past your badge and read it. Um, this format is, uh, pretty well known. The solution there is a custom format. So, uh,

the one that I'm familiar with is called Corporate 1000. Again, I have no, you know, I don't get paid by any of these people, but it's a Seos card so it's a little more secure. You get a dedicated facility code, so, uh, nobody can duplicate your facility code, because HID manufactures the cards and ships them directly to you with the facility code that they've assigned you. Um, to make sure that there's no bypass on that, you have to reprogram all of your readers to not accept the older 26-bit cards, and you could do that with a stack of configuration cards if they get Avil. Uh, I only got a couple minutes left

so I'm kind of rushing here. Um, so badge readers themselves, they use, again, this old protocol from 1975 called Wiegand. It's trivial to capture, uh, card information with these, and you can just buy a badge reader off of eBay and start capturing cards, essentially. The solution to that is called OSDP. Um, it uses different wiring; it uses the same RS-485 that we use to connect boards together. Uh, and it's not perfect there; if you Google OSDP bypasses on YouTube you'll find a couple of videos. Again, it's not trivial by any means but it is possible. So your mitigation there, again: reader tamper switches; make sure that that's on your list. All right, oh, I missed it, did I? No, I

didn't. Okay, so what's the takeaway here? Work closely with your project manager. Um, you know, now, things like long-distance, uh, doors away from what you're doing: if you have, again, that gate at the outside of the parking lot, work with them, figure out what they're going to do to get those wired correctly and securely. You're going to set expectations: if they say, oh hey, we ran out of that composite access cable so we just ran a bunch of crap that we have on the truck, don't accept it. Make sure that they know ahead of time that you're going to be checking on this, and spot check. So if they're pulling cable, look through, make sure

it's the right cable, make sure that there's enough wires there. Check when they're doing those door switches and make sure that there's resistors on there. Ask questions. Um, document: so I put a little sticker on the bottom of each reader with a door number and I put that system and that door number in my access control system, so if somebody says, hey, this door isn't working, I could say, look at the number on the bottom and tell me what it is, and I know exactly which door is the problem. Do your regular maintenance: battery replacement is the thing that is done the least on these systems. I've opened these things up and they've swollen to almost round and, uh,

you don't want them leaking acid out of your access control cabinets. Um, and then the other thing is visit the Physical Security Village. Uh, they have a ton of videos on YouTube; uh, they're at a bunch of different conferences including DEF CON. I'll actually be, um, volunteering there so I can answer any questions there as well, and I'll be giving a similar talk to this there as well. And that's it for me. So I have a, uh, QR code right here; this is to my, uh, repository. I don't have anything there now, but by the end of the day I will have an RFP that I've created that I give to any access control vendor when we're going

to install the system, as well as a copy of the slide deck. So thank you so much, I really appreciate it. I actually have five [Applause]