Examining the Cyber Security of a Real World Access Control Implementation

Julian Jørgensen Teule; Marius Frilund Hensel; Victor Büttner; Jonathan Velgaard Sørensen; Magnus Melgaard; Rasmus Løvenstein Olsen

doi:10.1109/CyberSA49311.2020.9139617

Examining the Cyber Security of a Real World Access Control Implementation

Julian Jørgensen Teule, Marius Frilund Hensel, Victor Büttner, Jonathan Velgaard Sørensen, Magnus Melgaard, Rasmus Løvenstein Olsen

Publikation: Bidrag til bog/antologi/rapport/konference proceeding › Konferenceartikel i proceeding › Forskning › peer review

1 Citationer (Scopus)

Abstract

As smart cards have become increasingly prevalent in electronic access control systems, this paper investigates an implementation at a national institution, which uses a smart card with publicly known weaknesses. The main outcome is a set of recommendations which can be used for securing electronic access control systems against the discovered flaws of this work: The implementation did not
follow guidelines from the manufacturer of the cards, the content of the restricted sector was printed onto each card, and in-house services with inherent security flaws were built around the cards, but not maintained. These flaws meant that the civil registration number of any employee at the institution could be revealed. Additionally, the flaws allowed for changing the PIN code of any card in the system.

Originalsprog	Engelsk
Titel	2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA)
Antal sider	3
Forlag	IEEE
Publikationsdato	14 jul. 2020
Artikelnummer	9139617
ISBN (Trykt)	978-1-7281-6691-9
ISBN (Elektronisk)	978-1-7281-6690-2
DOI	https://doi.org/10.1109/CyberSA49311.2020.9139617
Status	Udgivet - 14 jul. 2020
Begivenhed	2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA) - Dublin, Irland Varighed: 15 jun. 2020 → 19 jun. 2020

Konference

Konference	2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA)
Land/Område	Irland
By	Dublin
Periode	15/06/2020 → 19/06/2020

Navn	International Conference on Cyber Situational Awareness, Data Analytics and Assessment Proceedings. (cyberSA)

Adgang til dokumentet

10.1109/CyberSA49311.2020.9139617

AUB Link

Søg efter materialet i Aalborg Universitetsbiblioteks søgemaskine

Andre filer og links

19gr352artikel

http://www.scopus.com/inward/record.url?scp=85089225446&partnerID=8YFLogxK

Citationsformater

Teule, Julian Jørgensen ; Frilund Hensel, Marius ; Büttner, Victor et al. / Examining the Cyber Security of a Real World Access Control Implementation. 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA). IEEE, 2020. (International Conference on Cyber Situational Awareness, Data Analytics and Assessment Proceedings. (cyberSA)).

@inproceedings{3b220ec71b4b4b8f900aee9fb2a0e9fd,

title = "Examining the Cyber Security of a Real World Access Control Implementation",

abstract = "As smart cards have become increasingly prevalent in electronic access control systems, this paper investigates an implementation at a national institution, which uses a smart card with publicly known weaknesses. The main outcome is a set of recommendations which can be used for securing electronic access control systems against the discovered flaws of this work: The implementation did notfollow guidelines from the manufacturer of the cards, the content of the restricted sector was printed onto each card, and in-house services with inherent security flaws were built around the cards, but not maintained. These flaws meant that the civil registration number of any employee at the institution could be revealed. Additionally, the flaws allowed for changing the PIN code of any card in the system.",

keywords = "Crypto1, Electronic Access Control, MIFARE Classic 1K, Smart Cards",

author = "Teule, {Julian J{\o}rgensen} and {Frilund Hensel}, Marius and Victor B{\"u}ttner and {Velgaard S{\o}rensen}, Jonathan and Magnus Melgaard and Olsen, {Rasmus L{\o}venstein}",

year = "2020",

month = jul,

day = "14",

doi = "10.1109/CyberSA49311.2020.9139617",

language = "English",

isbn = "978-1-7281-6691-9",

series = "International Conference on Cyber Situational Awareness, Data Analytics and Assessment Proceedings. (cyberSA)",

publisher = "IEEE",

booktitle = "2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA)",

address = "United States",

note = "2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA) ; Conference date: 15-06-2020 Through 19-06-2020",

}

Teule, JJ, Frilund Hensel, M, Büttner, V, Velgaard Sørensen, J, Melgaard, M & Olsen, RL 2020, Examining the Cyber Security of a Real World Access Control Implementation. i 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA)., 9139617, IEEE, International Conference on Cyber Situational Awareness, Data Analytics and Assessment Proceedings. (cyberSA), 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), Dublin, Irland, 15/06/2020. https://doi.org/10.1109/CyberSA49311.2020.9139617

Examining the Cyber Security of a Real World Access Control Implementation. / Teule, Julian Jørgensen; Frilund Hensel, Marius; Büttner, Victor et al.
2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA). IEEE, 2020. 9139617 (International Conference on Cyber Situational Awareness, Data Analytics and Assessment Proceedings. (cyberSA)).

Publikation: Bidrag til bog/antologi/rapport/konference proceeding › Konferenceartikel i proceeding › Forskning › peer review

TY - GEN

T1 - Examining the Cyber Security of a Real World Access Control Implementation

AU - Teule, Julian Jørgensen

AU - Frilund Hensel, Marius

AU - Büttner, Victor

AU - Velgaard Sørensen, Jonathan

AU - Melgaard, Magnus

AU - Olsen, Rasmus Løvenstein

PY - 2020/7/14

Y1 - 2020/7/14

N2 - As smart cards have become increasingly prevalent in electronic access control systems, this paper investigates an implementation at a national institution, which uses a smart card with publicly known weaknesses. The main outcome is a set of recommendations which can be used for securing electronic access control systems against the discovered flaws of this work: The implementation did notfollow guidelines from the manufacturer of the cards, the content of the restricted sector was printed onto each card, and in-house services with inherent security flaws were built around the cards, but not maintained. These flaws meant that the civil registration number of any employee at the institution could be revealed. Additionally, the flaws allowed for changing the PIN code of any card in the system.

AB - As smart cards have become increasingly prevalent in electronic access control systems, this paper investigates an implementation at a national institution, which uses a smart card with publicly known weaknesses. The main outcome is a set of recommendations which can be used for securing electronic access control systems against the discovered flaws of this work: The implementation did notfollow guidelines from the manufacturer of the cards, the content of the restricted sector was printed onto each card, and in-house services with inherent security flaws were built around the cards, but not maintained. These flaws meant that the civil registration number of any employee at the institution could be revealed. Additionally, the flaws allowed for changing the PIN code of any card in the system.

KW - Crypto1

KW - Electronic Access Control

KW - MIFARE Classic 1K

KW - Smart Cards

UR - http://www.scopus.com/inward/record.url?scp=85089225446&partnerID=8YFLogxK

U2 - 10.1109/CyberSA49311.2020.9139617

DO - 10.1109/CyberSA49311.2020.9139617

M3 - Article in proceeding

SN - 978-1-7281-6691-9

T3 - International Conference on Cyber Situational Awareness, Data Analytics and Assessment Proceedings. (cyberSA)

BT - 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA)

PB - IEEE

T2 - 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA)

Y2 - 15 June 2020 through 19 June 2020

ER -

Teule JJ, Frilund Hensel M, Büttner V, Velgaard Sørensen J, Melgaard M, Olsen RL. Examining the Cyber Security of a Real World Access Control Implementation. I 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA). IEEE. 2020. 9139617. (International Conference on Cyber Situational Awareness, Data Analytics and Assessment Proceedings. (cyberSA)). doi: 10.1109/CyberSA49311.2020.9139617