Download Identified and Authorized: Sneaking Past Edge-Based Access Control Devices
Trend Micro Research
Given the increasing use by enterprises of contactless security solutions, the security of the devices that themselves are meant to control access to premises should be of prime consideration. We analyzed several popular edge-based access control devices and found weaknesses that could put enterprises at risk.
Enterprises are increasingly deploying contactless security solutions to control access to their spaces, especially now in the midst of a pandemic. These solutions mostly rely on devices that use facial recognition to manage entry to enterprise premises in an effective and efficient manner. To allow for fluid movement in and out of the workplace, the devices need to process the image of a face quickly and act immediately to either allow or deny entry.
Because of the computational expense of image processing and facial recognition, some solutions rely on external services (hosted mostly on cloud servers) for authentication. The cameras have to send images to the services for analysis and processing. Unfortunately, there is often a lag between access request and authentication due to network latency between the cameras and the facial recognition services. Also, it takes substantial network traffic to send the pictures out of the premises.
To address these issues, the security solutions industry adopted edge computing and applied it to facial-recognition-based access control devices. Edge computing is a rising architectural paradigm for more advanced computational needs and data storage. In this type of design, compute nodes are positioned at the edge of the network, close to the devices or the sensors collecting data. In contrast to the more traditional setups, edge computing has much lower latency.
This has led to the growing popularity of a new class of smart camera devices that are able to perform facial recognition and authentication. These edge-based devices rely on external services solely for coordination purposes.
We tested four different models of access control devices that use facial recognition. We created an experiment setup in our lab that simulated how a regular enterprise user would deploy the devices. We put these devices and the server component (if applicable) in an isolated test network.
The setup has these components:
Access control device: This is the access control device being tested.
Man-in-the-middle (MitM) device: This device is used to transparently capture network packets between the access control device and the corresponding server component.
Management server: The access control device usually comes with a software suite that includes a server component. The server component is installed in this management server.
A diagram of the setup we used to evaluate the security of the access control devices
We tested the susceptibility of the devices to a variety of cyberthreats — from malicious HTTP requests to MitM attacks. We also looked into the possibilities of data leakage and user information theft. Access control devices usually collect and store employee images and names, so a vulnerable device could compromise the database that contains all this personal information.
Creating a new user
Creating a new administrator
Changing another user’s photo
Exposing user information
An overview of the device weaknesses we found
Securing access control devices
Many of the risks that arise from the use of these access control devices involve inherent weaknesses that can be addressed only by the makers of the devices. We therefore recommend that manufacturers implement guidelines such as the following so as to improve the default security of these devices:
Sensitive information must not be visible on devices.
Communication between devices and their servers must be encrypted and secured.
Software and hardware updates must be made available as often as necessary.
Devices must be physically secured with, for example, ruggedized cases.
However, users can also take steps to protect their devices. We recommend that those with vulnerable access control devices apply the following secure deployment guidelines to mitigate the risks involved in the use of these edge-based devices:
Ensure that the hardware is secure from tampering, physical access, manipulation, and sabotage.
Be aware of any software vulnerabilities, since the devices might be using outdated operating systems.
Encrypt communications, since most critical attacks on edge devices can be enabled by intercepting the network traffic.
Deploy a network monitoring solution to catch all cases where the aforementioned guidelines might be circumvented. Deep packet inspection products, such as the Trend MicroTM Deep DiscoveryTM Inspector appliance, can help prevent attacks where the attacker impersonates the edge device or the coordination server.
Access control devices that use facial recognition have become a critical part of the enterprise security infrastructure. But our research demonstrates the need to secure these devices themselves. A vulnerable device could lead to data leakage, asset theft, or even harm to employees on company premises. Enterprises should therefore be very critical of the devices they choose to deploy. They should assess these devices for any weaknesses and secure them against cyber as well as physical attacks.