This is Think Tech Hawaii, Community Matters here. Welcome to the Think Tech Hawaii studios. This is Andrew the security guy with another episode of Security Matters coming your way. Today we've got one of our favorite sort of convergence security engineering guys. Rodney Thayer is going to be with us. We're going to be talking about a lot of the programs that are happening inside the Security Industry Association, which is one of our favorite sort of lobbying bodies and really getting into standards development, and SIA does a lot of things. Rodney works really well inside that group. And Rodney, I really appreciate you taking the time to join us today. I wish you were in the studio where you've been before, but at least we've got you remote. How you doing? I'm doing okay. All right, it's good to see you, man. Hey, I tell you what, I try to get my guests to talk a little bit about the things from their perspective in the security industry that kind of keep them up at night, man. So what's going on for you these days? What keeps me up at night these days is worrying about people being able to make illicit copies of access control cards. You know, card cloners you can buy online and that kind of stuff, which is easy to buy on Amazon and not necessarily well known in the electronic door lock community that that stuff's available. That worries me. You know, we've demoed a little bit of that problem at Interop. I think you were the guy with the copy gun and it took you about 10 seconds to make a copy of a card. Yep. Go ahead. So that kind of technology is commonly available. And even though we know how to build things better that are quite practical, that level of stuff is still being used a lot. So we're still trying to sort of make sure, you know, friends don't let friends use prox. It's kind of what we say. Yeah. You know, it concerns me that we've, you know, we've been talking about this for several years now, this problem with proximity cards.
Even the problem with some of the higher level cards that can have a certificate that's not managed well or not managed properly or not implemented properly. A lot of that stuff can still be copied. So there's problems out there that it seems like, I think, the customers aren't aware of and they're not asking their integrators to fix those problems. Well, what's your take on that? Are you seeing that mostly at the government level? Is it getting down into healthcare and, you know, are there critical infrastructures? Is awareness growing? Or even HID's website tells you that like 90% of the industry is still using these unsecured prox cards for, you know, perimeter access control. And I think that's a problem. Maybe it's just all awareness. So customers are getting better and better about this. So it tends to be the bigger businesses that understand it. There's still a lot in the vendor community who, you know, they've been doing it that way for, you know, 30 years, 100 years, whatever it is, and they just keep doing it the same way because they're not interested in changing. The thing that concerns me is, you know, some kids are going to get online and buy one of these things on Amazon and then blow through a neighborhood and pop all the doors for all those brand new condos they put in downtown Oakland. Yeah. I do get the feeling that the level of problem, it's not really being addressed very well at all levels. I see, I just left an InfraGard meeting before we came here today to the studio and there's a, you know, there's a growing awareness up in the critical infrastructures and, you know, obviously in the NIP sector, and DHS is working to spread the word about physical and, you know, cybersecurity, where we fit in that role, and access control is such a big piece of that, and the credential is the big, well, one of the big problems. We'll get into the transmission method a little bit later on today.
But I'll tell you what, let's talk a little bit about what SIA is up to. You've got a great thing that you're doing over there. You've got some sessions, and I wasn't sure if they were monthly or weekly, but you're allowing people to call in, and I'm presuming these are SIA members only or maybe the public, but, and you're giving them some cybersecurity advice, kind of a Q&A from the top. Tell us about that, man. What's going on? So, so, Don Erickson, the, you know, head of SIA, came up with this idea. The concept is for the vendors that are inside SIA, the vendor security, you know, vendor community there. Okay. Trying to provide opportunities for them to ask questions that are, you know, sort of of a general nature about how to improve the cybersecurity, the posture and technology and stuff inside their products. Because, you know, like I said, the customers are asking for more and more safe things. And so we're trying to help, you know, SIA is a vendor member association, and so we're trying to help that community make things better. And, and, you know, we do, we talked about, you know, bad cards and this and that, but there are a lot of vendors out there trying to get better and making a lot of progress on it. So, so there's definitely interest in this. And so, you know, they wanted to kind of, as part of their ongoing program, try to help the vendors improve their cybersecurity position. Yeah. Yeah. And is that, so is it sort of a one-on-one? Like they're just channeled into you, or is it like a, I'm sorry, I haven't gotten to listen in yet. So I didn't know, is it, are people embarrassed to say, hey, I don't know about this, or how do you find the conversations go? They, they, they contact us over, over the, either SIA has a vendor community forum, through that, or through email. Okay. They don't actually get, they're not actually questioned live on the air or anything. We, you know, take the questions and we go, we explore how to answer that.
So usually we do a segment like that and then some sort of small kind of lecture thing. So like the one I'm going to do tomorrow is going to be, you know, sort of the general subject of what do you do to worry about backdoors and, you know, somebody might put a chip in your circuit board, things like that. And then we usually follow up with some sort of, some sort of a joke thing, a kind of, you know, try to be more humorous. So, you know, we've been riffing on the idea of we, we find some strange picture and ask how your facial recognition testing is going. Ah. So, you know, the last picture we found was a Google put up a challenge that if you take a parakeet and put it on a toy tricycle and put that in front of certain kinds of recognition systems, they think that's a truck. So that, you know, this kind of, you know, how's that facial recognition testing going, because, you know, we all care about the false positive and negative. Yeah, I think I, you know, I see that, I see the words AI, which I'm not, I don't even believe exists yet, used all the time when it's really just machine learning, and just like the analytics of old, machine learning has a long way to go, you know, and it's very quick in certain instances and very error prone in others, you know. And what, so if you're getting, if you get some questions about that, what are your, what's your thoughts on what you've seen and, you know, the industry adoption, is industry knowledge, you think, going up, or, you know, are people just still scared? What's the feeling there? So the feeling I get is that the industry is feeling more pressure from their customers to be concerned about these sorts of things. And so, you know, the optimal situation is that I get the phone call from the sales guy. He just tried to visit some big dot com company in the Silicon Valley area and he got scolded because his product didn't have the appropriate encryption features in it.
Basically he got told he can't do the sales call if he doesn't get his act together. And they're putting their foot down at that level, and, you know, you stop the sales guy from making a sale and that gets the customer's attention. It gets the vendor's attention, excuse me. So we're getting that kind of, you know, market pressure, I believe, is the term they've used. Yeah, it's interesting. And people are responding. Yeah, and we've had, well, it's interesting, we've had products like BriefCam for many years now that's quite an amazing tool. And I think that end users get confused that all new tools will just automatically work. You know, I think BriefCam's maybe been around a decade. So it's quite mature in its functionality today and the things that it can do. It rolled out the gate pretty well, but it's taken it time to get better and faster and all those sorts of things. And I get the feeling that the customers see stuff either on YouTube, or I don't know if it gets emailed to them from a vendor, or they read some list of hot technology that they follow, or ZDNet, whatever it may be. And then they expect their, you know, integrator to be able to deliver this stuff for them, oh, we can take advantage of that right away. And so what you're feeling is that the vendors are then trying to figure out, maybe from the expertise that you have, is it really viable yet, or what are my options? Is that what they're coming to you for? Well, they're coming to you if they figured out they haven't secured the thing. They'll get this shiny new technology, they'll install it, it'll be easy to install, in quote marks, but easy doesn't necessarily mean secure. So it's sort of, they have to go through kind of an enlightenment process. First you have to get them to understand to use the new technology, and then you've got to worry about, you know, sort of setting all the knobs and dials to the secure position. And that has implications. It's more work, somebody has to get more training.
The job site takes more, you know, more minutes per door or whatever camera. So it has business implications, doing things more securely, and they're working their way through these kinds of issues. So are they, do you find people getting more knowledgeable about tools? I'm wondering who, sort of, who calls you. Are you getting sales guys? Are you getting owners? Are you getting engineers? You know, guys are, are they scanning their networks with tools like Nmap, which I've talked about, which you've talked about, and finding out, wow, we've got all these open ports. How do we close them? Or are they using the tools that are out there yet? Or what kind of, do you get questions that are about that? I get questions like that. Yeah. Okay. The classic example is the vendor, you know, says to me, okay, so we ran a scan on our product and we discovered we had all these ports open we didn't know about, and the really bad one is that they do a scan on a live system to go and then we figured out there were all these connections to, you know, a certain name of other country here, and they're going, oh, and so, you know, the sweet spot, unfortunately, is when the vendor themselves figured out that their product is compromised in the field and they really ought to fix that. So, I mean, and people seeing things like that, you know, a better place to be is that they get some feedback that the scans failed, because, like, big enterprises, even not so big enterprises, are running these scanning services and tools on the inside, and you can't hide the physical security stuff from the network team anymore. They used to do that, but, you know, that doesn't work very well anymore. I mean, if it's a network and it's got switch ports and things like that, it needs to be taken care of. It's not about what network it's plugged into. It's if it's, you know, on the property and part of the business's equipment.
Yeah, there's, I still see, or I hear a lot of people talking about just, well, if I completely isolate that network, then I don't have to worry about the customer's network. And then I said, well, how do you get updates to it, or does it just sit there for years running on its own without ever getting updated, and you're not updating drivers or firmware or scanning it to find out what's going on with it? Just because it's sitting there doesn't mean someone's not compromised it or taken something that's really bad from it and walked like across that air gap to the corporate WAN with some USB drive that's got a video clip on it that you took out of the system that's, you know, supposedly isolated. It's very hard to keep the network air gapped. The data flows in and out all the time for various reasons, sometimes on purpose, sometimes unintentional. So they'll hit this kind of stuff. And that's just the classical network paths. I mean, then there's all the extra things, you know, people walk in the room with a mobile phone on their body, you know, and they think things are still air gapped. So we, you know, the world is more connected, more and more connected, and that makes the air gap things sort of, you know, not real anymore. Sort of moot. Okay, gotcha, gotcha. What's the most popular sort of, have you guys built a Q&A? What's the most popular sort of a request that you're seeing on that program? So we've only got a few of them; sort of the general pattern is people asking about cryptography questions. Oh, okay. Because, you know, my joke description is, you know, they're all retired law enforcement. They know 27 different kinds of ammunition, but they have no idea what a TLS cipher suite is. Sure. And yet that's a critical thing to worry about, because you have to have your encryption capabilities set properly. Okay, good. So we're trying to sort of, helping with the demystifying of the crypto, which is, you know, a challenge for everybody. Yeah, including me.
So I'll tell you what we'll do. We'll talk about a good place where we're using crypto that we didn't even have a few years ago when we come back. We'll take a break and pay some bills, and we'll be right back with Rodney Thayer in about a minute. Aloha. Welcome back to the Think Tech Hawaii studios. We're with Rodney Thayer today. And we're talking now about cryptography and sort of this problem. He gets a lot of questions about this on a sort of a forum that they run, the Security Industry Association runs, that Rodney consults on for our vendor partners out there who are concerned about cryptography. Let's talk about OSDP, which is another standard that was built with the Security Industry Association and others to replace the aging Wiegand protocol. For my viewers out there, Wiegand is the protocol we used for years to talk downstream from a card reader to the other equipment. It was very insecure. It's subject to replay attacks and all kinds of other problems. It could not be secured. So we've now built a new protocol called OSDP, which Rodney was a part of. So let's just talk a little bit. Give us the evolution of OSDP.
I sort of know why, because Wiegand was broken. So tell us how you got involved with getting that started. So OSDP has been around for several years. There was a thing called OSDP version one, which was done about 10 years ago, maybe more, by Lenel and HID and Mercury and some of the folks. I showed up relatively recently, like five, six years ago, to the process, and they were doing OSDP version two, which is where they were, that was where they added the encryption capabilities to it, and they took it from being, it was originally a handful of vendors working together, cooperating, yay. And then they decided that they wanted to take the standard further. So they migrated over to being an SIA project. And so I have a background in software development. So I showed up at one of the meetings and I made the obvious comment in the mid 2000s, which is, so who did the open source version? And first I got silence and then they said, well, we've got budget, would you like to do that? And so, you know, never ask for something unless you're ready to handle it. So I now have the, so I'm the one who built the open source implementation and the GitHub repository and all that stuff. Awesome. Thank you for sharing. So what happened was, sure, yeah, I mean, that's the way we do things on the internet. That's right. So with Wiegand, Wiegand is so primitive, it's a question to call it a protocol, because you put a card next to a card reader and some electrical signals come out of the wire and go to the other end. End of discussion. There's no two-way conversation. There's no concept of acknowledgments or anything. It's so old, it had two parity bits, one on the front and one on the back. So if you're not into the electricity of that sort of thing, that's about a 1970s era way of building things. And if you don't buy it properly, it will not work. It's got all kinds of problems. Yeah, so we're running electrical characteristics just barely beyond what Thomas used to do.
He was an integrator, you know. We actually had door lock sensors and stuff he sold. Wow. So OSDP runs over RS-485, which is a serial protocol similar to RS-232, which people may have heard of. And so since it's a bidirectional protocol, you can send messages back and forth. And so OSDP was built on top of that. And now we've got the classic kind of technology, where there's messages back and forth. There's acknowledgments. Messages can have a cyclic redundancy check, a CRC, on them, so you can have very strong error correction, and then there's a bunch of other capabilities to it. So that's sort of where it went to. It went from Wiegand hardware to RS-485 hardware, which is easily available today and very robust. And then we could build this technology on top of it. Yeah, and it seems like in a lot of cases, I find that the reader specification was an 18-gauge cable. And in many cases, you need to change the board hardware and the reader hardware to use an OSDP-compatible reader. But we are able to use the existing cabling infrastructure in many cases. So there is some cost savings there from that forklift perspective that every end user is afraid of, that kind of expense, right? Right. Now, I agree with what you said about the 18-gauge cable, but people used to do crazy things with Wiegand cables. Yeah. So you can't assume every single cable in the wall is valid. So people really should use, and there are tools to do this, these cable certification devices. And what they're doing is they'll measure capacitance of the wire and things like that. Yeah, there's a lot of T-taps. Yeah, there's those, well, they're invisible until you go looking for them, T-taps all over the place that cause capacitance and inductance issues with those lines downstream. And you may not get OSDP capability over all cabling. So yeah, it should not be presumed.
Yeah, you paid the kid to run that wire and there's 15 different twist-on connections up in the ceiling and nobody ever saw them before. And they've been sitting there resting for the last 15 years. And now you're going to run RS-485 over that at 100,000 bits per second and you wonder why you get errors. Yeah, and Wiegand would work fine on that wire, by the way, but this protocol will not. So we gain, you talk a little bit about the two-way, and so for our audience, this means we can actually send maybe text messages out to a card reader to let someone know that they need to do something. We can send a different type of color to the reader, for example, to indicate something. We can also finally upgrade the reader remotely, like push a firmware update out to the reader. So this is something we've never had the capability to do in our industry. How do you see that developing? I know that's fairly, you know, at the front edge of what we're doing today, but is that going to be something that we can reasonably expect our manufacturing community to support? Yeah, so what we get is that when we start to have a real communication protocol, that's what the S is for, supervised. So what that means is, supervised is an old physical security term; it means the thing at the other end of the wire, if it died, you know it died. So in the protocol world, we call those acknowledgements. We have since the 80s, but that's a whole IT versus physical security thing. So anyway, so you know the line, you know the thing at the other end didn't die, and you have acknowledged messages, and you're sending control messages back and forth which command the reader to do things. So in the old days, you had to wire up an extra wire to make sure the LED lit up. With OSDP, as you said, you send a command. You want a red LED? You tell it to blink for whatever you want. But it's commands. It's all over the OSDP one pair of wires. So we can send more rich messages back and forth.
We can use more fancy cards. Like in the federal environment, they're using PIV cards, for example, which have a more complicated dialogue back and forth over the wire. And yeah, we can send text messages. You can do beeping. You can do LED controls. And there can be manufacturer-specific commands. There's some reader that's made in Sweden that has a ring around the outside of the reader and we call it a mood ring. Apparently they use it on doors at conference rooms. So things start glowing when it's the end of your conference. End of your time in the conference room. That's awesome. So you can innovate things like that. And this is sort of, I mean, if you look at it from the point of view of the IoT world, this is kind of normal IoT stuff. I mean, you can do firmware updates over the air. You can send commands down to the device. But the device is, I mean, it's the same thing. You know, the device is a computer with some kind of smarts in it that's engaging in this dialogue with the head-end equipment. And you get all the benefits of that kind of an arrangement. Yeah, and we get encryption. So let's talk a little bit. Give us the primer on TLS. And this is the latest version. TLS 1.2 has now been proven to work over OSDP. So there's different... So the other thing about OSDP is, because it's a protocol, it's done with the OSI model, that kind of a view. So the original stuff ran over RS-485. And because the equipment was a little primitive, they used AES encryption in a fairly simple way that was similar to what the smart card industry had done. A group called GlobalPlatform had created a mechanism. Then as readers have become more and more complicated, more sophisticated, it's not complex. In fact, they have bigger computers in them. So we're still getting... We're still smaller than a cell phone here, if you think about how much computing power there is. So once they go to network capabilities, then they can start doing TLS, or transport layer security.
And so you can do OSDP over RS-485 cable. You can do it over TLS. You can do it over TCP. Those are the three cases that have been built so far. And yes, if they use TLS, they can use the latest stuff, which is TLS 1.3. And there's a published standard for 1.3. And it's done, it's in the field. Facebook uses it, FB.com uses it. So it's definitely out there. And so this is an example of, you should be using the latest and greatest encryption. You should be using a product that is capable of being updated. You should run the latest stuff. Now this is the broken record where I'm saying the sort of standard security advice we give people. And we can start to apply all those good rules to the physical security door lock world with OSDP. Yeah. Can you give us, because I know you're a cryptographer, can you give us the order of magnitude stronger that TLS 1.3 is versus TLS 1.2, maybe versus TLS 1.1, which is now, I guess, expired or no longer in use? Deprecated is the term. Deprecated, sorry, thank you. We really try to avoid using it if we can. So 1.3, they made the protocol more robust. They added some extra capability so you can avoid spoofing of things, because it was possible. It's a complex protocol, so it was possible for there to be issues around setting up a session. So an adversary could get in the middle and do stuff. And they've been doing improvements like that. They also added some more crypto options that weren't there in the older stuff. So now we can use elliptic curve. And so when you use RSA, if you're using the RSA algorithm, you can use a stronger format for digital signatures. I see. Because the way this works is, as the state of the art advances and the state of the attack art advances, people have found issues. So the digital signature mechanism we did basically came from the late 90s, that we've been using for years with TLS. They finally switched that. So it's using RSA-PSS, PSA, PSA, SSS. This is one of these things.
The new buzzwords are only six months old. I can't just rattle them off. But the good thing is we're getting better. And the really important thing is that the physical security industry is able to leverage this. We're starting to adopt the sort of IT standards that we've always needed that we didn't have. Yeah. And we're realizing the physical security world is a target. And I'm talking about network targets. All the physical security people know that somebody might throw a rock through the window of your storefront. But we also have to worry about, they might try to attack your door lock system or your cameras or something else about your infrastructure. Because your infrastructure's network is a target. So who do you think needs to be taking advantage of this right away? My brain always goes, critical infrastructure. Oh my gosh. They know, the power companies. And is this something that the integrators need to talk about to everybody? Joe's car garage up the street. Is this something we just need to bring awareness up and get everybody up to speed? Well, so the fact is, the standard means that you can have multiple implementations that work the same. And so you have options. You have more options, more diversity. I mean, last time I checked, there were probably 50 different implementations, and most of them are card readers and some panels, kind of stuff. So you have many different options now that you didn't have before in terms of what you can design into a system. So it gives you more choices because of being able to leverage standardization, and you get the security. And so it's still applicable even if you're not doing one of those Navy facilities you hang out at. Sure. But certainly for something very high security level, it facilitates doing the more robust kind of a door lock system you want to do there. This is awesome stuff coming from the Security Industry Association.
Rodney, coming from you, we really appreciate the help, because the whole industry needs to come up. And I've been on that soap box for a while with a little pushing from Rodney right there on the screen. We are not seeing a lot of requests in Hawaii for that. We've done a little bit inside critical infrastructure. So there's definitely some of this more advanced access control work going on. But I sure hope that it continues to get pushed out and everybody continues to work on it. We will get Rodney back in here maybe every quarter or every few months if we can to get an update from him on what's going on. He's kind of got his finger on the pulse, especially with those queries coming in to SIA. So SIA members, if you've got some questions about what you're doing, definitely call into that session and get some help. The rest of Hawaii, if you need something, reach out to us. We'll try to get you to the right information. We really appreciate you tuning in today. Rodney, thank you so much for joining me. And we'll see you next week, Wednesday 1 o'clock, because security matters.