End2End Security

Are pdqSMART Mobile Credentials Secure?

by Travis Willis Chief Evangelist Smart Building and Access Solutions

YES. We get this question all the time. Early versions of Bluetooth were not secure by design. The benefit of Bluetooth was its ability to quickly recognize and connect devices and allow them to work together. As Bluetooth migrated from consumer electronics into business class devices it was recognized that security needed to be enhanced. The Bluetooth Special Interest Group or SIG is responsible for setting the standards for Bluetooth and defining its capabilities.

With the establishment of the Bluetooth Low Energy (BLE) standards and the release of those products in 2010 as BLE4.0, the security capabilities were elevated beyond the original Bluetooth standards. These security measures, however, relied upon conventional End-Point and Bluetooth specific security methods. While this was a step in the right direction, we felt it wasn’t sufficient for security and access control applications in a robust future IoT environment.

End 2 End Security (E2E)

To ensure the utmost levels of security, pdqSMART opted not to use the conventional End-Point and Bluetooth security methods because of their relative inherent vulnerabilities. Instead, we chose to engineer a more comprehensive set of technologies and best-of-class practices comprising cryptography, encryption, and communication security protocols as part of an integrated system solution. This is accomplished by using a combination of AES128 bit encryptions and Cypher Block Chaining (CBC) which creates a more secure asymmetrical encrypted structure. Unlike the state-of-the market encryption where the communication is encrypted/decrypted at multiple end-points in-between the message originator and the message recipient devices, the pdqSMART SecuRemote communication is encrypted by the originating device and decrypted only by the intended recipient device, hence flowing encrypted communications throughout all other end-points. This provides us End-To-End (E2E) Security, starting with the cloud server and flowing through the wireless mesh network and user devices to the endpoint locking devices.

pdqSMART uses secure communications messages to operate devices in conjunction with encrypted Unique Identities (UID). Traditional systems just rely upon the Unique Identity (UID) numeric streams which are checked against a database of identities and rules. This was initially accomplished using magnetic stripe technology. The magnetic stripe solution which can still be found in many Hotel applications is not secure because the information in the magnetic stripe is easily read and copied. The industry moved on from magnetic stripe technology to Low Frequency 125 KHz Proximity based solutions but still failed to protect the data. Almost 70% of installed access control systems in America use un-encrypted unsecure Proximity data cards. The UID’s for proximity cards can be a Card Serial Number or CSN which sometimes is even found printed on the card!

Secure Credentials

Contactless Smart cards operate at a higher frequency of 13.56 MHz and utilize Near Field Communication or NFC technology. These cards contain a UID or CSN as well as a re-writable chip. The chip allows for encrypted data to be included in the cards providing a more secure credential. pdqSMART uses NXP’s Mifare technology for our 13.56 credentials but true to form we add our own AES CBC encryption on top of NXP’s. This ensures our cards cannot be copied or cloned and used to gain unauthorized access.

Other manufacturers “Mobile Credentials” typically still operate in a traditional UID fashion. There the mobile phone is nothing more than an expensive way to deliver a key to the reader albeit in an encrypted way. These solutions rely on direct powered readers and are not yet capable of communicating to low power battery-operated devices which is the hallmark of pdqSMART’s abilities. pdqSMART’s utilization of System on Chip (SoC) solutions in our locks differentiates us from the other mobile-enabled systems on the market today.

Mobile OS

The Android OS and the Apple iOS are open platforms with well-defined APIs and hardware specifications that allow the proliferation of personal user-authentication Apps from fingerprint to face recognition. This eliminates the need for separate such devices and more importantly keeps the user credentials secure and in the user’s possession, which greatly reduces the risk of loss or abuse. Other BLE-related technologies such as beacons, smart cards, and the pending NFC adoption are creating open standards for multi-factor authentication (MFA). In short, the smartphone is becoming a multi-credential and multi-authentication factor device and pdqSMART is uniquely positioned to leverage these capabilities in an efficient manner.

In closing, the security structure emplaced by pdqSMART SecuRemote makes it highly resilient to “man in the middle”, “replay” and even “parallel brute force attacks”. The natural tendency we have to not lose our phones or hand them out makes credential sharing a lot less common than with traditional RFID credentials. The additional use of personal identity numbers (PINs), fingerprint or facial recognition tools within our mobile devices provides and even higher level of dual authentication ensuring that only authorized person’s are gaining access to secure locations.

Contact us today to learn more about pdqSMART solutions and how they can provide you with greater security and operational efficiency https://www.pdqlocks.com/pdqsmart/.

Simple, Secure, Flexible, Smart.