Enterprises are increasingly deploying contactless security solutions to control access to their spaces, especially now in the midst of a pandemic. These solutions mostly rely on devices that use facial recognition to manage entry to enterprise premises in an effective and efficient manner. To allow for fluid movement in and out of the workplace, the devices need to process the image of a face quickly and act immediately to either allow or deny entry.
Because of the computational expense of image processing and facial recognition, some solutions rely on external services (hosted mostly on cloud servers) for authentication. The cameras have to send images to the services for analysis and processing. Unfortunately, there is often a lag between access request and authentication due to network latency between the cameras and the facial recognition services. Also, it takes substantial network traffic to send the pictures out of the premises.
To address these issues, the security solutions industry adopted edge computing and applied it to facial-recognition-based access control devices. Edge computing is a rising architectural paradigm for more advanced computational needs and data storage. In this type of design, compute nodes are positioned at the edge of the network, close to the devices or the sensors collecting data. In contrast to the more traditional setups, edge computing has much lower latency.
This has led to the growing popularity of a new class of smart camera devices that are able to perform facial recognition and authentication. These edge-based devices rely on external services solely for coordination purposes.
Considering that these access control devices are quite literally the first line of defense for employees and assets on enterprise premises, we set out to test the security of the devices themselves and to find out whether they are susceptible to cyber as well as physical attacks. Our research paper “Identified and Authorized: Sneaking Past Edge-Based Access Control Devices” dives into the specific weaknesses of four different devices and provides security recommendations for manufacturers and enterprise users of this new generation of access control devices.
We tested four different models of access control devices that use facial recognition. We created an experiment setup in our lab that simulated how a regular enterprise user would deploy the devices. We put these devices and the server component (if applicable) in an isolated test network.
The setup has these components:
A diagram of the setup we used to evaluate the security of the access control devices
We tested the susceptibility of the devices to a variety of cyberthreats — from malicious HTTP requests to MitM attacks. We also looked into the possibilities of data leakage and user information theft. Access control devices usually collect and store employee images and names, so a vulnerable device could compromise the database that contains all this personal information.
An overview of the device weaknesses we found
Many of the risks that arise from the use of these access control devices involve inherent weaknesses that can be addressed only by the makers of the devices. We therefore recommend that manufacturers implement guidelines such as the following so as to improve the default security of these devices:
However, users can also take steps to protect their devices. We recommend that those with vulnerable access control devices apply the following secure deployment guidelines to mitigate the risks involved in the use of these edge-based devices:
Access control devices that use facial recognition have become a critical part of the enterprise security infrastructure. But our research demonstrates the need to secure these devices themselves. A vulnerable device could lead to data leakage, asset theft, or even harm to employees on company premises. Enterprises should therefore be very critical of the devices they choose to deploy. They should assess these devices for any weaknesses and secure them against cyber as well as physical attacks.
The full details of our analysis, findings, and recommendations can be found in our research paper “Identified and Authorized: Sneaking Past Edge-Based Access Control Devices.”
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.