HID Access Control: Controlled.
A glance into the technology designed to keep you out!

Table of Contents:

  :. Introduction & Warnings about AC tampering
  :. HID EntryProx AC (Access Control) system overview
  :. The Wiegand Protocol/Effect - A dirty primer
  :. Programming AC Keypad units and encoding proximity cards
  :. Conclusion

.:::::::::::::::::.

.: Introduction & Warnings about AC tampering :.

Access Control measures are employed by many private and government organizations, big businesses and industrial facilities to identify people and grant access to those who belong in the area they are attempting to enter. These systems come in a wide array of shapes and sizes, and since just about all HID systems look unique they can be identified by their physical design alone. This gives pertinent information about the security policies in place and the limitations and features of the unit in question.

These HID systems are not only used to lock and unlock doors. They can be used to store personal information, charge personal accounts for things like lunch in a college cafeteria, turn office lighting on or off, grant access to computer networks via a reader built into a keyboard, allow the use of office equipment like copiers and fax machines, and a lot more. Some systems use a contact card, which must be slid into or through the unit so it can read a small chip built into the card. They can also combine biometrics and card authentication by requiring a fingerprint and a card to be presented for access.

The leading company developing today's Access Control technology is the Hughes Identification Devices company called HID (referred to as H.I.D.). HID was formed in 1991 as a subsidiary of Hughes Aircraft and was acquired by ASSA ABLOY in 2000. The ASSA ABLOY Group claims to be the "world's leading manufacturer and supplier of locking solutions dedicated to satisfying end-user needs for security, safety and convenience." The ASSA ABLOY Group is 30,000 workers strong and rakes in about 3 Billion EUR annually.

This article will focus on the HID EntryProx series of cards and readers. The unit is mounted on the wall next to an entryway to a secure area and comes in two forms: a reader, and a reader with a built-in keypad. The keypad is what we are looking for in attempts to re/program the HID EntryProx unit. We will learn a little more about what happens when you punch in your five digit code or wave that magic Wiegand card.

The following is a generic log which will help you understand why the next paragraphs are important:

  04/15/04
  #  Time   Action
  1  20:32  User 0015 Print
  2  20:23  User 0011 ACCESS
  3  20:22  User 0011 ACCESS
  4  20:22  REX
  5  20:22  Forced Door
  6  20:21  User 0011 ACCESS
  7  20:21  Forced Door
  8  20:21  User 0011 ACCESS
  9  20:20  Forced Door
  0  20:20  User 0002 ACCESS
  1  20:20  User 0002 ACCESS
  2  20:19  User 0002 ACCESS
  3  20:19  User 0003 ACCESS

A few things to note for safe playing: keep in mind that the company or people monitoring these units will review access logs (see above). If they see that a unit entered program mode, changed or encoded a card, exited, followed by your code being entered to grant access only moments after, it's safe to say any well monitored system will end in your questioning. Play with codes, never use your own if you plan on exploring. Most companies will have a rather strict format in their codes which will allow you to easily guess other codes. These found codes will aid in your anonymity if you plan on playing with AC units in your workplace. Your company will more than likely frown on this type of exploration and it may end in revoked access or even termination from the company. There is a fine line these days between "terrorism" and information. It's a very scary thought. Just be safe and use common sense.

.:::::::::::::::::.

.: HID EntryProx AC (Access Control) system overview :.
Though HID develops a wide array of AC systems in use today, we will be looking at the EntryProx (Model# 4045) reader equipped with a keypad. The EntryProx has a long list of features which makes it great for this article, and most of the features and programming methods can be applied to other AC units as well. The EntryProx is pictured here:

  http://www.hidcorp.com/products/proximityproducts/entryprox.html

The reader is black in color and usually mounted on the wall directly next to the secure area. It has a very impressive list of programmable features which we will review later in this article. The unit is 5.25"x2.75"x1.625" in size, has a typical read range of 1" to 3" (depending on the card used) and will delay one second between card reads to prevent the unit from reading the card more than once per swipe. These systems are equipped with an internal tamper switch which will activate an alarm if the unit is dismantled. The EntryProx can be mounted indoors or outside and will resist temperatures of -31 to 150 degrees Fahrenheit or -35 to 66 degrees Celsius.

The standard format of a code entry is 12345#. The * key may be used before entering a code to clear any pre-buffered or incorrect keys before entering your code and pressing # (essentially 'enter'). The unit in active (non-program) mode will store or buffer 10 keys (with parity, 11 without) before transferring the information over the wire. With all access codes being only five digits it is useful, though not always necessary, to clear pre-buffered keys with the * key before starting. The system will auto-clear any buffered key entries after 5 seconds, so you must press each key within 5 seconds of the last or start over.

The unit contains three main LEDs: a Bi-Color (Red/Green) LED and an Amber LED which serve as our display, and an Infrared LED which can be used to communicate with an optional palm printer. The unit also has an audio feature which beeps when keys are pressed or, in program mode, gives audio confirmation of a correct or incorrect code or command. The meaning of the LED states will be reviewed in the "Programming AC Keypad units and encoding proximity cards" section of this article. As a good rule of thumb though: green means open, red means locked, amber means you are in programming mode.

The keypad is arranged like any standard telephone keypad. The reader outputs each key as an ASCII hexadecimal digit which is sent to the host system. The host system runs software which monitors the doors and assigns entry and user codes to the door numbers a user is given access to.

So from the rather bland list above we see the important features these systems have. We know we can gain access by entering our preprogrammed five digit code or simply by waving our encoded card in front of the unit itself. In the next section we'll find out what happens when we use a Proximity or Wiegand card and how it works.

.:::::::::::::::::.

.: The Wiegand Protocol/Effect - A dirty primer :.

If you have ever looked up information about access control you have without a doubt heard about the Wiegand Protocol. The only problem is, you never really see or read about how this Wiegand Protocol works. So let's check it out.

First of all it's good to know that the Wiegand Protocol is also known as the Wiegand Effect, that it was discovered by John R. Wiegand, and that it took nearly 40 years of research to develop. This sensor technology was first used in access control systems developed by HID and is now a standard for most of today's AC systems. A lot of the magic involved with the Wiegand Effect is in the underlying wiring of the card itself. Yes, these Wiegand cards have actual Wiegand wire right inside.
Take this 'simple' explanation of the Wiegand Effect:

  "Wiegand Effect technology employs unique magnetic properties of specially processed, small diameter ferromagnetic wire. By causing the magnetic field of this wire to suddenly reverse, a sharp, uniform voltage pulse is generated. This pulse is referred to as a Wiegand Pulse."

OK let's be honest, you probably have no clue what ferromagnetic means, so just to make sure you understand this, here it is:

  fer·ro·mag·net·ic - adj. Of or characteristic of substances such as iron, nickel, or cobalt and various alloys that exhibit extremely high magnetic permeability, a characteristic saturation point, and magnetic hysteresis.

Have you ever looked at the definition of a word, then had to look up a word found in that definition? Well now you have.

  hys·ter·e·sis - n. The lagging of an effect behind its cause, as when the change in magnetism of a body lags behind changes in the magnetic field.

OK, let's make sure we not only read this, but comprehend it as well. We see now that the card will have this ferromagnetic Wiegand wire coiled right inside of the card itself. This wiring has special magnetic properties which are created by the actual twisting and coiling process used to make these wires. The EntryProx wall unit has a sensor built in that will trigger when a Wiegand wire (which is in the card) is presented. This happens, in the very simplest of terms, by a change in polarity referred to as the Wiegand Pulse. This pulse or jump in voltage is essentially what triggers the unit to unlock the door. The exact amplitude of the Wiegand Pulse can vary depending on the sensor and card, but the pulse will generally stay the same, allowing it to trigger the wall unit.

Now when you read this you might be wondering if any Wiegand card will open or activate any sensor/reader. The answer is yes and no. These cards can be encoded, or rather the Wiegand wire can be processed, to create a card which will handle up to 84 bits, which can actually create up to 137 billion unique codes, very impressive! The standard Wiegand card will be 26 bits however and will handle a total of 65,535 unique codes. Due to the cost, many somewhat smaller companies will probably use this. HID will resell these same cards to various companies. Which does mean yes, if you have a 24 bit Wiegand card, there is another reader out there that will accept your unique Wiegand pulse for entry! Don't get too excited though, this is a very slim chance. A cool thing about it though is once you finger hack a five digit code (aka PIN) on the keypad to grant access, you can program a card to have its Wiegand pulse associated with your five digit PIN. Meaning you absolutely can make your very own ProxCard, though you will need a working PIN first and a ProxCard to encode.

Okay, before we move on it is to be understood that the above is a very dirty primer to this technology. I assure you Mr. Wiegand himself would slap me across the face for taking 40 years of his research and presenting it in such a dumbed down way. However, for those interested I will be listing a few of the documents which I studied to create this article. Please take the time to read these if this interests you; the science, mathematics and technology behind this is very interesting and will no doubt excite you.

First up is "Introduction to Magnetochemistry" by David Young. This article is packed with great information on the study of magnetochemistry.

Second is "Theoretical Analysis of the Influence of Different Microstructure on Barkhausen Noise" by Li Qiang of the College of Mechanical and Electric Engineering, Beijing. This delves into Barkhausen Noise which occurs in the Wiegand effect. This was not covered, to limit the complexity of this article.

Third would be "The Science of Hysteresis" by Gianfranco Durin and Stefano Zapperi. If you get a chance to read some of the amazing things these two have written you will see why this all goes far beyond the scope of this article.

Now that you have a basic idea of what happens in the Wiegand Effect let's go ahead and get to some of the fun stuff.

.:::::::::::::::::.

.: Programming AC Keypad units and encoding proximity cards :.

Yeah that's right, these babies are programmable! We can enter a program mode to do some pretty neat things once inside. The only thing is, we'll need a master code. Now this master code is thankfully only four digits long and will in most cases be very generic. The default master code on these units is 1234*. Pretty funny right? Well what's more is that in HID documentation and installation manuals they suggest changing this right away, but never say something ultra uncommon like, say, 7246*. HID actually makes reference to changing this code to 4321*. Now any moron will know this isn't any more secure than 1234*, but in big business people lose jobs, they come and go and policies are changed. Many companies will want a very easy to remember code such as the address, or part of the company's main telephone number. Keep these things in mind when hunting for the master code. We're not looking for the master code of the installer himself, we're looking for the master code of the company which uses these systems. If your company forgets this master code, a service call from HID is their only hope. Most companies want to stay away from this expense. Once we know the master code the system will, with the correct number sequence, obey our every command. Let's go ahead and take a look at what we can do once inside.

\\\\

Master Code: Default to 1234*
  :: This master code allows for just about anything. Programming new codes, erasing old ones, etc. You'll see as you read.

Self test mode: 7890#123456*
  :: This will light the LEDs and make sure all keys are functioning.
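Before moving on to the keypad, here is an added example (not from the article) of what actually rides on the wire when a 26-bit card like the ones described in the primer is read. The bit layout below is the common 26-bit standard format (even parity bit, 8-bit facility code, 16-bit card number, odd parity bit), which this article does not spell out; the two parity checks are what let a reader or host reject a truncated or noisy frame instead of acting on it.

```python
"""26-bit Wiegand frame encoder/decoder (added example, not from the article).

Layout assumed here is the common 26-bit standard format, bits numbered
from the first bit clocked onto the wire:
  bit 1       even parity over bits 2-13
  bits 2-9    8-bit facility code (0-255)
  bits 10-25  16-bit card number (0-65535, the "card PIN" printed on a ProxCard)
  bit 26      odd parity over bits 14-25
"""


def encode_wiegand26(facility: int, card: int) -> str:
    """Return the 26-bit frame as a string of '0'/'1' characters."""
    if not 0 <= facility <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = f"{facility:08b}{card:016b}"  # the 24 data bits
    # Leading bit: even parity over the first 12 data bits.
    even = str(payload[:12].count("1") % 2)
    # Trailing bit: odd parity over the last 12 data bits.
    odd = str((payload[12:].count("1") + 1) % 2)
    return even + payload + odd


def decode_wiegand26(bits: str) -> tuple[int, int]:
    """Parse a frame back into (facility, card); raise on bad length or parity."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 bits of '0'/'1'")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("even parity check failed (bits 1-13)")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("odd parity check failed (bits 14-26)")
    return int(bits[1:9], 2), int(bits[9:25], 2)


def frame_is_valid(bits: str) -> bool:
    """True if the frame has the right length and both parity bits agree."""
    try:
        decode_wiegand26(bits)
    except ValueError:
        return False
    return True


def flip_bit(bits: str, index: int) -> str:
    """Return the frame with one bit inverted (simulates a noisy read)."""
    flipped = "1" if bits[index] == "0" else "0"
    return bits[:index] + flipped + bits[index + 1:]


if __name__ == "__main__":
    # Constructed sample credential: facility code 42, card number 12345.
    frame = encode_wiegand26(42, 12345)
    print(frame, decode_wiegand26(frame))
    # A single flipped bit is caught by one of the two parity checks.
    print(frame_is_valid(flip_bit(frame, 5)))
```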
////

Program Commands:

Enter program mode: 99 # (Master Code) *
  :: If things are kept default this would be 99#1234*
  :: If successful the Amber light will slowly blink, and you will now be in program mode.

Changing the Master Code: 1 # (new master code) * (new master code again) *
  :: In many of the technical manuals available they suggest changing the master code right away. Too bad they suggest a new master code like 4321*. Obviously this is just an example given by them, but I'm sure there are quite a few companies using this code believing it's more secure. Obviously changing this code will piss a few people off once they find out and may end your programming fun by means of increased logging and security measures.

Setting the main relay time: 11#tt#0#**
  :: tt = 1-99 seconds and uses a two digit format.

Setting AUX relay output: 15#output#0#**
  :: Output = 0/Disabled, 1/Shunt, 2/Forced door, 3/Propped door.

Deleting Users: user-location#**
  :: Facility location codes.

Print a transaction log: 70#0#0#**
  :: This might freak some of the monitoring staff out when you print this up.

Setting or clearing standard options: 30#option#set/clear#**
  :: Option is a value from 1 to 13. Set/clear is either 0 or 1 (off or on respectively). These options and values are listed below:

   0. Audio Key press (key beep)                                          // 0=OFF, 1=ON // On by default
   1. Visual Key press (LED light up on key press)                        // 0=OFF, 1=ON // On by default
   2. Auto Entry Enable                                                   // 0=OFF, 1=ON // Off by default
   3. Standalone/Wiegand mode (Turn on/off ProxCard access)               // 0=Standalone, 1=Wiegand // Standalone by default
   4. Facility Code Access                                                // 0=OFF, 1=ON // Off by default
   5. Forced Door Alert (Kick the door open and the system is notified)   // 0=OFF, 1=ON // On by default
   6. Propped Door Alert (Keep the door open and the unit will beep)      // 0=OFF, 1=ON // On by default
   7. Internal REX switch (Request to Exit switch)                        // 0=OFF, 1=ON // Varies by model
   8. US/EU Date Format                                                   // 0=OFF, 1=ON // 0=US, 1=European // US (0) by default
   9. Wiegand red LED enable (Flash red LED when ProxCard cannot access)  // 0=OFF, 1=ON // On by default
  10. Wiegand red LED active state                                        // 0=LOW, 1=HIGH // Low by default
  11. Wiegand green LED enable (Flash green on access)                    // 0=OFF, 1=ON // On by default
  12. Wiegand green LED active state                                      // 0=LOW, 1=HIGH // High by default
  13. Daylight Savings time (set DST support)                             // 0=OFF, 1=ON // On by default

Print a programmed user list: 25#0#0#**
  :: This will print all users & their corresponding codes which are programmed for access.

Print a programmed user list starting with a certain user: 25#0#starting user#**

Change Wiegand Parameters: 32#parameter#value#**
  :: See below for parameters and their values.
  Parameter: 0 = Wiegand pulse count  :: Value = 1-255
             1 = Wiegand interpulse   :: Value = 1-255
             2 = Facility code        :: Value = 0-255 :: Default is set to 0.

Set system time: 41#hhmm#0#**
  :: Keep in mind the system uses the 24 hour time format.

Set system date: 42#mmddyy#dow#**
  :: dow stands for day of week. 1 = Sunday, 2 = Monday, 3 = Tuesday, etc...

Set door number: 43#nnnn#0#**
  :: nnnn equals the corresponding door's number, in a four digit format.

Set propped door timer: 44#ttt#0#**
  (Set to 30 sec. & alarm will sound after 30 seconds.)
  :: ttt = Time in values of 10's, valid entries are 10-990 :: Default is 30 seconds.

Set forced door timer: 45#ttt#0#**
  (Alarm will sound xx seconds after door was forced open.)
  :: ttt = Time in values of 10's, valid entries are 10-990 :: Default is 10 seconds.

Delete memory/Restore system defaults: 40#00000#00000#**
  (Note: This will not delete the user list.)

Delete all memory & Restore defaults: 46#00000#00000#**
  (Note: I believe this will delete the user list.)

Program user: 50#user-type#userlocation#code*repeatcode*
  (This will program a new code only.)
  :: See below for values.
  User type     = 0/Toggle latch door strike, 1/Normal access, 2/Log Dump, 3/Lockout.
  User Location = This may be set to 0 in most cases as this is referring to the facility code.
  Code          = New 5 digit user code.
  Repeat code   = Enter the 5 digit code again.

Program user & Card: 50#user-type#userlocation#code*repeatcode*
  (This will program a user & encode a ProxCard card.)
  :: On , hold the ProxCard to the unit.

Program card only: 50#usertype#userlocation#**
  (This will take a current user code and program it to a card.)
  :: On , hold the ProxCard to the unit.

Program card user manually: 51#usertype#userlocation#card PIN*card PIN*
  (Use this to enter a precoded ProxCard into the system. 26-bit cards only.)
  :: The card PIN will appear on the ProxCard; the facility code must be entered first.

Program User: 52#usertype#userlocation#code*repeatcode*
  (Code or a Card.)

Program codes in batch: 56#totalusers#userlocation#card PIN*card PIN*
  (Program xx amount of cards at once.)
  :: (I understand why the format is easy to guess now ;P)

Print Transaction Log via IR port: 70#0#0**
  (You can print out an entire day's worth of access logs.)
  :: This will print the access log but not the PINs.

Printing a programmed user list: 25#0#0#**
  (You can print out an entire day's worth of access logs complete with access times and PIN numbers! This log differs from the one found in the intro section in that it is more detailed.)
  :: Imagine printing a log of coming and going users & their codes from the unit to a small IR printer in a backpack, talk about access. Note that the IR sensor must be placed in line of sight to the wall unit and must be held very close.
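The transaction log printed by the commands above is what the monitoring staff mentioned in the introduction actually reads, so as an added example (not from the article) here is Python that runs the two checks that section describes over a log: an Access granted shortly after the unit entered Program Mode, and a burst of Access Denied events that looks like someone guessing codes at the keypad. The sample log is constructed in the layout of the log shown in the introduction, and the event names are taken from the transaction log mask list that follows.

```python
"""Detection rules over EntryProx-style transaction log lines (added example).

SAMPLE_LOG is constructed to match the layout of the log in the introduction
(newest entry first): a date header, then "HH:MM [User nnnn] Event" per line.
Event names follow the transaction log mask list (Access, Access Denied,
Program Mode, REX, ...)."""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
04/15/04
20:23 User 0011 ACCESS
20:22 User 0011 ACCESS
20:22 REX
20:21 User 0011 ACCESS
20:20 User 0011 Program Mode
20:19 Access Denied
20:19 Access Denied
20:18 Access Denied
20:18 Access Denied
20:17 User 0002 ACCESS
"""
LINE_RE = re.compile(r"^(\d{2}:\d{2})\s+(?:User\s+(\d{4})\s+)?(.+?)\s*$")


def parse_log(text: str) -> list:
    """Return (timestamp, user or None, EVENT) tuples, oldest first."""
    lines = text.splitlines()
    day = datetime.strptime(lines[0].strip(), "%m/%d/%y")
    events = []
    for line in lines[1:]:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a log entry
        hhmm, user, event = m.groups()
        hour, minute = (int(x) for x in hhmm.split(":"))
        events.append((day.replace(hour=hour, minute=minute), user, event.upper()))
    events.sort(key=lambda e: e[0])  # stable sort: ties keep log order
    return events


def program_then_access(events, window_minutes: int = 5) -> list:
    """Accesses granted within the window after the unit entered program mode,
    the sequence the introduction says a monitoring team will notice."""
    window, hits = timedelta(minutes=window_minutes), []
    for i, (ts, _user, event) in enumerate(events):
        if event != "PROGRAM MODE":
            continue
        for ts2, user2, event2 in events[i + 1:]:
            if ts2 - ts > window:
                break
            if event2 == "ACCESS":
                hits.append((ts2.strftime("%H:%M"), user2))
    return hits


def denied_bursts(events, threshold: int = 3, window_minutes: int = 2) -> list:
    """(start, count) for runs of at least `threshold` Access Denied events
    inside the window; repeated denials look like code guessing at the keypad."""
    window = timedelta(minutes=window_minutes)
    denied = [ts for ts, _, ev in events if ev == "ACCESS DENIED"]
    bursts, i = [], 0
    while i < len(denied):
        j = i
        while j < len(denied) and denied[j] - denied[i] <= window:
            j += 1
        if j - i >= threshold:
            bursts.append((denied[i].strftime("%H:%M"), j - i))
            i = j  # skip events already counted in this burst
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("access soon after program mode:", program_then_access(evts))
    print("access denied bursts:", denied_bursts(evts))
```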
Set transaction log mask: 73#event#set/clear#**
  (Set or clear event logging :: 1=set, 2=clear)
  :: Events listed below.

  Event:
    01 = Access Denied
    02 = Program Denied
    03 = Program Mode
    04 = REX (Request to Exit)
    05 = Door Ajar
    06 = Door Closed
    07 = Forced Door
    08 = Log Erased
    09 = Facility Access
    16 = Print
    17 = Access
    20 = Toggle ON
    21 = Toggle OFF
    24 = Lockout ON
    25 = Lockout OFF
    27 = Mismatch

Reset/Erase transaction log: 76#00000#00000#**

Exit Program Mode: * (after final command)
  :: Amber light will stop flashing.

\\\\

As you can see these Access Control units have quite a few features available to them straight from the keypad. It also helps to know whether what we are doing is working or not. Beeps and LEDs will be your guide.

////

LED Status and meanings.

The Amber LED:
  Slow blink          = Unit is in program mode.
  Rapid blink         = Verify mode is active.
  Steady (always on)  = Program error. To clear simply press *
  Very rapid blink    = Memory (EEPROM) erase is in progress.

The Red & Green LEDs:
  Steady red                 = Door strike is locked.
  Steady green               = Strike is energized (timed open and will auto lock in xx amount of time).
  Solid green w/red flicker  = Door strike is locked and the user has activated the lockout sequence.
  Red/Green alternating      = Waiting for second PIN during the card and code access attempt.
  Red blink                  = User lockout is active and strike is locked.

Sounder (Beeps):
  Short beep                                     = Propped door is active.
  1/2 sec on, 1/2 sec off                        = Forced door is active.
  3 rapid beeps after code or card is presented  = Code or card is not found.
  3 slow beeps then a single beep                = Self test is finished.
  1 single beep                                  = Valid card access.

\\\\

Now another cool and very scary note is that an ASSA ABLOY company called Sargent makes a line of electro-mechanical keypad units for home use. Yeah, people are installing these on their front doors for easy access without a key. The only problem is, they can be programmed very easily (see the above section, it applies to these as well). If you get a chance you can head down to your local hardware store and see these on display - you can play with them without doing much harm.

.:::::::::::::::::.

.: Conclusion :.

As we now know, access control is the art of physical authentication for access to secure areas. This form of security by no means ends here; there is a world of information out there just waiting to be uncovered about these clever little systems. It is also important to note that since HID is the company developing this technology, a lot of other access control system developers are following suit in the way their units are programmed. Which yes, means these program codes can be used in systems and applications from HID, Paxton Access, International Electronics Inc. (IEI), IB Technology, Impro and others! These systems can be found anywhere from your home or office, even candy machines. Seriously, if you score some candy hook me up!

I encourage anyone who is inspired by access control security to contribute information about biometrics or even time clocking using this technology. This is merely a scratch on the surface of access control and I hope all who read it feel it was worth their time. Ignorance is not a form of security, so read, contribute and help others understand that the things we do are not with malicious intent. Use this information to your liking but remember, like guns, the information we have can be used to protect or harm; everything has its rewards and consequences. Sleep well.

- GLHeX (11/23/04)