Smartkey

Most networked access control doors employ RFID proximity card readers. The user presents an RFID card to the reader, and the card transmits its unique ID via RF (radio frequency) broadcast. The reader then reports the card’s unique ID to the control panel and, if the code corresponds with a valid permission, the control panel unlocks the door. This unique ID is almost always broadcast in plain text from the card to the reader, not encrypted, to anyone who asks for it. Anyone can query the card and get the unique ID, then program it into a new card and have a perfect copy. See our video on this very topic.
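The weakness described above, as an added example (not Cloudastructure's code and not any vendor's protocol): a simulated reader that treats a static plain-text ID as the whole credential cannot tell the original card from a copy that repeats a recorded response, while a reader that issues a fresh challenge and checks a keyed MAC can. The card ID, the key, the function names and the HMAC-SHA256 scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the card ID and key are made up for this example.
CARD_UID = bytes.fromhex("04a1b2c3")
CARD_KEYS = {CARD_UID: secrets.token_bytes(16)}  # per-card secrets known to the panel

def static_card(uid):
    """Card that answers every query with the same plain-text ID."""
    return lambda challenge: (uid, b"")

def keyed_card(uid, key):
    """Card that proves it holds a secret by MACing the reader's challenge."""
    return lambda challenge: (uid, hmac.new(key, challenge, hashlib.sha256).digest())

def recorded_copy(card):
    """Copy built from one observed exchange: it can only repeat those bytes."""
    seen = card(secrets.token_bytes(16))
    return lambda challenge: seen

def static_reader_accepts(card):
    uid, _ = card(b"")
    return uid in CARD_KEYS  # the ID alone is the whole credential

def challenge_reader_accepts(card):
    challenge = secrets.token_bytes(16)  # fresh for every presentation
    uid, mac = card(challenge)
    key = CARD_KEYS.get(uid)
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)

def demo():
    plain = static_card(CARD_UID)
    keyed = keyed_card(CARD_UID, CARD_KEYS[CARD_UID])
    return {
        "static reader, original card": static_reader_accepts(plain),
        "static reader, recorded copy": static_reader_accepts(recorded_copy(plain)),
        "challenge reader, original card": challenge_reader_accepts(keyed),
        "challenge reader, recorded copy": challenge_reader_accepts(recorded_copy(keyed)),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The challenge-response reader only holds up while each card's key stays secret, which is the point the epilogue below makes about key storage.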


Even if less physically secure, I think we can all agree that these RFID technologies enjoy improved convenience over traditional locks and keys (see epilogue below for their converse decrease in security). Metal keys are easy to copy and they’re hard to recover when you want to take them away from someone, even if they didn’t make any copies. Also, keys can’t work on a schedule, automatically enable or disable alarm systems, or uniquely identify which of the many copies of a key was used to unlock a door.


With Cloudastructure, you can use your smartphone as your key. We provide a shortcut to instantly unlock any door. You can save shortcuts to your most used doors to your home screen and then unlock any door with a single click from your smartphone.


Not only is using standard web security from phone to cloud more secure than RFID from card to reader (see epilogue below), but it has other security benefits as well. If you lose your card at a bar at 5pm on Friday night, you'll know about it at 8am Monday morning when you show up for work. If you lose your smartphone at a bar at 5pm on Friday night, if you're like most people, you'll know about it by about 5:10pm.


Cloudastructure also allows for the integration of the alarm with the access control system. When assigning alarm codes there are two ways to go:

1) give everyone the same code: convenient, or

2) give everyone a different code: so inconvenient that it is virtually never done, as the installer would need to make a service call for each new hire/fire.


With Cloudastructure a single swipe of a valid card will disarm the alarm. Conversely a double-swipe will arm the alarm. For this application we recommend a second reader on the inside of the door next to the alarm keypad. In the end, though, when you fire someone and turn off their card, they are automatically locked out of the alarm system as well.


In any case, if you want the most advanced physical security, you want to purchase it from a company with digital security experience.



Epilogue: physical security companies have little in the way of clues when it comes to digital security.


The largest manufacturer of cards and card readers decided to fix the problem above by transmitting the unique ID over an encrypted channel. Like most encryption, they used a key-pair: one public and one private. The card transmits its public key and the reader uses its private key to decode the transmission. If anyone had the private key they too could decode the transmission. Unfortunately, physical security companies lack the sophistication of digital companies. They stored the data at rest without encryption (encrypting data at rest is a basic tenet of digital security). It wasn't long before someone put a probe on the circuit board of a reader and read the private key -- now they could read any card again.


everyone else encrypts data at rest

Vexed, the company improved their architecture by encrypting the data at rest and putting epoxy over the chip that stored the data. However, they had a problem. If they put in a new private key then the existing cards they had already shipped wouldn't work with the new readers so ... wait for it ... they put the old (already leaked) key in the new readers! Now, if you want to read the encrypted transmission between card and reader, you only need to google around for 5 minutes to find an old post of the private key.


Compare this to the security of an ordinary browser session. The server has its public SSL/TLS key published and the browser makes a secure connection to it. The webserver is never in anyone's hands, unlike a reader, so no one can look inside to get access to the private key. Even if they could, any first-year programmer in the digital security space knows to encrypt data at rest and the key would be unreadable. HTTPS is more secure than any RFID key will ever be. Period.
