On February 8th 2016, our CTO Carl Pfeiffer and VP Engineering Thomas Koehn gave a NFC security focused look behind the curtain of our new proximity reader in the Kisi Pro Reader line (shop link here). We’ll go through the main topics of the webinar below. Let us know if you have any questions – email@example.com
Security vs Usability
When building security critical products or features, security has to be built in from the start. Rather than having having your toaster hacked, bake the security in from the very start. When companies realize too late that they need to add security, some less than perfect trade offs usually have to be made. Carl explained it’s much easier – if you have the chance – to bake security in already in a whiteboard stage.
One of the most important design objectives for building secure products is to have an update strategy built in. As it is nearly impossible to build products that don’t have any (unknown) security issues, having the option to patch devices and firmware Over The Air (OTA) is an absolute must.
Even Over The Air updates need to be secure. Depending on the determination of an attacker, patches can be used to automatically reverse engineer the loopholes they intended to close. Kisi’s hardware platform not only encrypts, but also deploys firmware updates within a few seconds to all connected devices.
Being oblivious about IoT security applications can lead do dramatic consequences, as the Mirai botnet proved by taking parts of the internet down in a DDoS attack just a few months ago. Just go one step further and imagine electric windows and fireplaces – you don’t want to suffocate if someone remotely closes your windows while your fireplace is on.
Confidentiality, Integrity, Availability
The initials of these three security objectives by pure coincidence end up in the acronym CIA. No pun intended, although we find it a bit amusing. But what do these objectives actually mean?
- Confidentiality means that third parties cannot gain access to information. This is usually achieved by encrypting information.
- Integrity means that information is not altered, and if it is, such modifications can be detected. For example, integrity can ensure that information received was identical to the information that was sent by a communication partner.
- Availability means that access to information and services is ensured. Not having access to services due to attacks is one example of denying access to services.
What is Kisi doing to ensure we’re meeting these security objectives?
Kisi Pro Reader
Carl and Thomas’s concern was ranging mainly around “How is the hardware protected?”
With regard to confidentiality and integrity Kisi Pro reader uses SSL and HTTPs (forward secrecy) connections with any subsystem. However, since Kisi is a hardware company it does not stop there. Using OTA (over-the-air) signed firmware updates on secure boot chips means only verified software may run on devices. Debug traces and pins have all been physically disabled, and the MCU executes code from on-die memory only. External memory is encrypted.
Regarding availability: Kisi Pro proximity reader provide offline capabilities with staged rollouts where we’ll add more features on the go to the reader based on the secure storage. Kisi is able to keep an access history alive on the devices locally. As soon as everything goes online again, Kisi can push it to the cloud and make it available on the kisi events stream. The Kisi pro reader will communicate through the local network to be able to communicate offline.
Kisi Pro Reader Passes
A new concept Kisi introduced is the card based credentials: The Kisi proximity reader pass (EAL4+ certified). Every card has PSK, which the reader uses to authenticate on the handshake. Regarding the communication between reader and cards, it is fully encrypted, and it is not possible to feasibly decrypt any intercepted communication. In case there is any breach, if one card is hacked, nothing else will be compromised (here are a couple of examples why – hack HID, Wiegand Protocol, cloning HID prox cards, hack HID reader). Our choice of cards is instrumental and decisive factor in how easy it is for hackers. Cards are often the weakest link that hackers try to attack. All the security mechanisms that we have on the Kisi Pass make it infeasible to clone it.
Smartphone interaction with Kisi proximity reader
Increased security for iBeacon based solution where we’ll start use OTP rolling token authentication to prevent replay attacks. You can only detect the iBeacon when you are very close to the reader with a low power that allows shorter ranges. We’ll also be rolling out direct phone to reader communication, making unlocks faster because phone not depending on local internet. The communication is AES encrypted and there is a BLE/NFC security handshake upon connections between app and reader. That allows the use of a secure channel, so e.g. hackers can not just upload a new firmware, not relying on the security of the BLE chip.
Benefits for the user: Communication goes directly through the reader to make the unlock faster – instead of using the smartphones’ internet connectivity.
Hack your office
Our tech team says: Hacking the office is mostly easy unless you have a very good security system. Kisi offers a device that let’s you copy your key fob which you can use to detect how secure / insecure your fobs or cards are and to get a feeling how easy it is for others to get into your system.
MIFARE classic card hack – mostly you get those cards on eBay and they allow you to get sector 0 – block 0 cards so you can write anything on those cards and fully clone your MIFARE cards.
There’s alibaba devices that allow you to write the sector or also very recommended the Blackhat MIFARE classic talk link
Hack NYC MTA tickets: uses ultralight version of cards, you were able to just reset your fare link
That’s why you need to constantly upgrade your system without manual intervention on a seamless upgrade path. Update your firmware without user intervention.
It’s what we at Kisi tech call “Securityonomics” – a formula between a perfectly secure system and an actually usable system:
- Perfectly secure system: Let’s build a wall and let no one in. Doesn’t make sense because either it will be broken or people will just leave the door open.
- Perfectly usable system that doesn’t burden the user that let’s everyone in. Like a nice dog that is nice to everyone.
The important thing here is to strike the balance because technology hasn’t come far enough to be smarter than the trade-off.
Example: 2FA is awesome but many don’t get it because it’s something they are not used to. Given that computer systems can be quite complicated so rolling out 2FA authentication in your organization will get quite some pushback.
Advances in technology like in AI will deliver new balances of security vs convenience. Until then we’ll have to balance.
What we’ll never do is compromise on platform security. We will give office managers the freedom to choose from a set of predefined security levels. How we do this on the software side: time restrictions, proximity restrictions, device restrictions and credential restrictions.
PIN code security
Kisi Pro reader does not support PINs because they are a poor man’s password. The main reason is key management. If it’s too short it’s not secure. If the PIN is getting too long, probably they have to write it down, so you can just use a smartphone or card.
Hacking pin pads is one of the easiest things to do and we don’t want to be vulnerable from that side. We allow cards during office hours and then have to use smartphones in off-hours maybe on top fingerprint. We call that two-step verification rather than 2FA.
– Firmware updates: At most take 5 seconds, if someone tries to access the space at exactly that time, they will have to try again. We’ll plan to publish scheduled release times.
– The range on the iBeacon will be as close as possible, we’ll not make it a hands-free unlock. We require similar behavior as with cards, 2-10cms tops.
– Does the reader have to be wired back to the controller: Only for offline capability
– Emulated NFC security cards on Android: Phone gets close to the reader, a OTP is exchanged. The other case would be to fully emulate the NFC security card but separate set of credentials between cards and app. Currently you have to unlock your phone, when you emulate
– If the phone can be offline, does the mobile app store any credentials on the phone itself? Yes, will store credentials
– Will Kisi work with my 13.56MHz cards when I transition since I have 10.000 cards on my system. Needs a reasonable migration path – currently we don’t support any other formats. Using MIFARE Classic EV1 cards. You can run both systems in parallel and have a rolling migration for people in batches.
– Active Directory: We’d rather integrate with SSO Oauth with Google Apps which is on the roadmap this year to facilitate on-and off boarding.
– Spoofing or sniffing of cards prevented by secure handshake of card and reader which creates a secure channel between those two. IT has been tested and is EAL4+ certified. The communication afterwards is encrypted.
– Sniffing of beacon signals: Beacons in the market mostly have static values. We integrated our own beacon functionality into the reader, so we can rotate these values frequently enough that security can be ensured. E.g. if beacon is advertising in front of the door, the phone will take the value from the reader, check which lock this belongs to. UUID is static but major and minor are dynamic. The OTP it generates is checked on the backend because reader and API have a shared secret.
– Can Kisi be used with secure printers? We don’t see a reason why we should not be compatible, so we are open to your requests.
– Can a mobile device hold multiple Kisi credentials – technically nothing speaks against it.
– Is it a problem to use a BYOD device? Please let us know the exact attach scenario. You should use cards. To prevent on the phones we tie the phones to a specific phone. If you are looking into MDM solutions or signed company devices, let’s chat! However we want to support BYOD moving forward. But would it be a viable option to lock out all android users.
– Biometrics: we didn’t integrate fingerprint because a lot of users weren’t comfortable with storing their fingerprint. we believe it might be an option going forward e.g. using Microsoft’s face recognition API.
Thanks for reading our post around NFC security more so than BLE security in the Kisi Pro Reader! As said, any questions around security please ping our tech team via firstname.lastname@example.org
In the NFC security context also interesting:
- 7 myths about mobile NFC
- Security concerns with NFC security
- NFC security: 3 ways to avoid being hacked
- How secure is NFC tech?
- Is NFC Still a Vulnerable Technology?