New Standards Mitigate Cybersecurity Threats in Access Control Systems
If you want to see someone’s eyes glaze over, just start talking to them about cybersecurity. Despite how important our online passwords are, most of us spend very little time thinking about how to keep them safe online. Reports show that nearly 1 in 4 individuals were affected by a data breach in the last 18 months. Of the 24 billion credentials compromised in 2022, only 6.7 billion of them were unique pairings of usernames and passwords. We are told over and over to use unique passwords that are composed of numbers and words that would not be easy to guess, but our cybersecurity needs often don’t outweigh our desire for convenience.
While they can be costly and time-consuming, cybersecurity breaches are not usually seen as “life and death” occurrences. But when it comes to access control, they can be. A small cybersecurity flaw in a connected access control device can render it incapable of doing the very thing it was designed to do: keep unauthorized people out of an area.
For commercial and multifamily building owners, cybersecurity problems within access control devices can have serious repercussions. Unauthorized access due to compromised security systems can lead to theft and property damage and endanger the safety of tenants and employees. Ensuring robust cybersecurity measures in these devices is critical for protecting both physical and financial assets.
Earlier this year, a security flaw was reported in the smart door locks of a provider called Chirp. A man by the name of Matt Brown found the problem. Brown is a senior system development engineer at Amazon Web Services, and he caught the flaw when he inspected the app before installing it. “Given that I am pretty picky about what I trust on my devices, I downloaded Chirp and, after decompiling, found that they were storing passwords and private key strings in a file,” Brown said.
The problem, according to a report from America’s Cyber Defense Agency, was that the app contained a hardcoded password used by the door locks: BEACON_PASSWORD. Luckily, this password was only used to change settings for the door lock’s Bluetooth beacons; it did not allow remote users who knew it to change any other settings or to unlock the door. But the fact that a new smart door lock could be designed with a security flaw like this highlights the lack of oversight and standards for the access control industry.
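As an added example (not code from Chirp, the agency report, or this article), the kind of check a manufacturer could run over an app’s resource files before release to catch the hardcoded-credential pattern described above. The resource file below is constructed; only the key name BEACON_PASSWORD comes from the report, and all values are made up.

```python
import math
import re

# Constructed sample of the kind of key=value resource file a decompiled app
# can expose. Values are made up; only the key name BEACON_PASSWORD mirrors
# the identifier reported for the Chirp app.
SAMPLE_RESOURCES = """\
app_name=Example Lock
api_base_url=https://api.example.invalid/v1
BEACON_PASSWORD=Tr0ub4dor&3x
theme_color=#336699
cloud_token=${CLOUD_TOKEN}
signing_key=-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcw\\n-----END PRIVATE KEY-----
"""

# Key names that commonly hold a credential, and the PEM header of a private key.
SECRET_KEY_RE = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key", re.I)
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
PLACEHOLDER_RE = re.compile(r"^\$\{[^}]*\}$|^<[^>]*>$")  # ${VAR} or <fill-me-in>


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking secrets score higher than words."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))


def find_hardcoded_secrets(text: str) -> list[dict]:
    """Return one finding per key=value line that embeds a credential.

    Values injected at build or deploy time (placeholders) are skipped, since
    they are the pattern a hardcoded secret should be replaced with.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not value or PLACEHOLDER_RE.match(value):
            continue
        if PEM_RE.search(value):
            reason = "pem_private_key"
        elif SECRET_KEY_RE.search(key):
            reason = "credential_key"
        else:
            continue
        findings.append({"line": lineno, "key": key, "reason": reason,
                         "entropy": round(shannon_entropy(value), 2)})
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_RESOURCES):
        print(f"line {f['line']}: {f['key']} ({f['reason']}, entropy {f['entropy']})")
```

The entropy figure is a triage hint only: a low-entropy default password under a credential-named key is still a finding, which is why the check keys on the name rather than on randomness alone.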
The potential threats from cybersecurity flaws in access control systems like Chirp highlight the need for improved regulatory standards. Commercial and multifamily building owners are especially at risk, as breaches can result in unauthorized access, jeopardizing the safety of occupants and causing significant liability issues for the owners.
This year, the European Union passed the EU Cyber Resilience Act, which created security standards for manufacturers of hardware and software. The act not only mandates a certain level of cybersecurity built into IoT devices like smart locks, but it also requires manufacturers to continue providing security updates and patch vulnerabilities for a minimum of five years after the device is sold. It also creates a directive that makes manufacturers liable for any security flaws that their products might have.
The United States does not have a single mandatory cybersecurity law. Instead, there are a number of industry-led standards and voluntary initiatives. But even though the U.S. doesn’t have its own standards, the Cyber Resilience Act is already pushing manufacturers to design their products differently. “When the standards go live in a couple of years, all software will have to go through an attestation test, and that will change how software everywhere is sold and supported,” said Matthew Bohne, Chief Product Security Officer at Honeywell.
While the U.S. has not adopted these standards, there is a growing movement for it to follow the EU example. “The government is really worried about industry pushback of any new standard,” said Bohne. “So we are engaging with them to help them understand that an agreed-upon standard will actually help them gain adoption.”
As impactful as the new European standards have been, they only go so far. The ever-evolving cybersecurity landscape means that no single law will keep us safe forever. “Cybersecurity knowledge is like milk,” Bohne said. “Whether you use it or not, it is going to go bad eventually.” To prevent any cybersecurity breaches in access control devices that could turn into potentially dangerous problems, manufacturers, regulators, and operators will have to continue to engage each other. There are already forums, trade groups, and conferences for cybersecurity professionals, but in the future, these will need to be extended to anyone involved with the deployment and management of access control devices.