I’ve had an interest in access control systems ever since my school district built a new high school in the early 2000s and they installed an access control system. I have no idea what system they used, but as a student worker for the technology department, I was granted my own HID keyfob with restricted hours so I could get around the building after-hours and use the elevator because we constantly moved computers via carts between floors. The next time I encountered an access control system was when I had my first office job. The access control system was to gain access to the floor our office was on via the elevator. During the weekend and after hours, the elevator locked out the office floors automatically. Then when we obtained another office in the same building, they bought a Honeywell access control system. It was only a single door, but it was my first hands-on experience. Then we got another office and the previous tenant had an access control system, so we decided to keep it. This was my first experience with a multi-panel, multi-door system. I learned a lot from the guy who provided the system. Then they added an access control system for our main office and our secondary office (on the same system so not only was it multi-panel, but multi-location!). So this is my venture into access control where I can do whatever I want, no one telling me how to set things up – and playing with features I just didn’t have access to, like wiring, readers with keypads, different technologies, etc.
Card Readers & Technology
The one portion of an access control system that end users deal with is the cards (“credentials”) and the card readers. There are many different types, designs, and formats available on the market. Many systems can support a lot of them; some systems have vendor lock-in, which means if you buy an XYZ Panel, you have to buy and use XYZ Readers. Most systems I’ve encountered only care about the backend technology, which is primarily 26-bit Wiegand, based on the Wiegand effect discovered by John R. Wiegand. The 26 bits come from 8 bits being set as the facility code and 16 bits set as the ID code, plus 1 bit for parity for a total of 26 bits. There’s also a 34-bit Wiegand protocol, though I don’t have anything in my lab that supports it.
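To make the frame layout concrete, here is an added example (not code from the original post or from any vendor) that builds and validates a 26-bit Wiegand frame. It assumes the common open 26-bit layout: a leading even-parity bit, the 8-bit facility code, the 16-bit ID code, and a trailing odd-parity bit. The function names and sample values are made up for illustration.

```python
# Added example: encode/decode the common open 26-bit Wiegand frame.
# Assumed layout (bit 0 is sent first):
#   bit 0       even parity over bits 1-12
#   bits 1-8    facility code (8 bits)
#   bits 9-24   ID code / card number (16 bits)
#   bit 25      odd parity over bits 13-24


class WiegandError(ValueError):
    """Raised when a frame has the wrong length, characters, or parity."""


def encode_wiegand26(facility: int, card: int) -> str:
    if not 0 <= facility <= 0xFF:
        raise WiegandError("facility code must fit in 8 bits")
    if not 0 <= card <= 0xFFFF:
        raise WiegandError("ID code must fit in 16 bits")
    payload = f"{facility:08b}{card:016b}"
    even = payload[:12].count("1") % 2        # first 13 bits end up even
    odd = 1 - payload[12:].count("1") % 2     # last 13 bits end up odd
    return f"{even}{payload}{odd}"


def decode_wiegand26(bits: str) -> tuple:
    """Return (facility, card) or raise WiegandError."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise WiegandError("expected exactly 26 binary digits")
    if bits[:13].count("1") % 2 != 0:
        raise WiegandError("leading even-parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise WiegandError("trailing odd-parity check failed")
    return int(bits[1:9], 2), int(bits[9:25], 2)


def flip(bits: str, *positions: int) -> str:
    """Helper for the demo: invert the bits at the given positions."""
    out = list(bits)
    for p in positions:
        out[p] = "1" if out[p] == "0" else "0"
    return "".join(out)


# Constructed sample credential (not a real card).
SAMPLE = encode_wiegand26(facility=123, card=45678)

if __name__ == "__main__":
    print(SAMPLE, decode_wiegand26(SAMPLE))
    # Parity only catches line noise: one flipped bit is rejected, but two
    # flips in the same half still decode, as a different ID code.
    print(decode_wiegand26(flip(SAMPLE, 23, 24)))
```

The frame contains nothing but the two numbers and the parity bits, so a panel that accepts it is trusting the wiring and the reader, not anything secret in the data.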
Now let’s get into the cool part of access control: the readers! So in addition to Wiegand, which is just how the readers talk to the panels, there are various technologies for how the credentials talk to the readers. Prox readers usually operate on one or both frequencies of 125 kHz (low frequency) and 13.56 MHz (high frequency, typically used for smart cards). The way the readers work is they have a coil of copper wire which is used both for inducing electric current (like how wireless charging works) and as an antenna. This coil is then connected to a circuit board which then processes the signal and relays it to the control board. The credentials work similarly. The inside of the credential is a lot simpler, though. You have a coil of copper wire, a capacitor, and a microchip burned with information. When you present the credential to the card reader, the induction signal meets with the card and provides power to the capacitor, which in turn powers the microchip, and the microchip burps out its information, which is transmitted through the antenna (also the copper coil) to the reader.
I previously mentioned there are different technologies. One of the most common and inexpensive is HID Proximity. This is a basic format that is low frequency and all the card does is burp its facility code and ID. HID-compatible cards are typically 26-bit and it’s an open standard, so you can generally mix and match hardware at this level. For example, you can use a generic 125 kHz 26-bit card with a name-brand panel and an HID-branded reader, and it will all work in harmony.
Next, there are proprietary formats which up the level of security. For simplicity, I’m only going to talk about HID iCLASS. iCLASS uses encryption both on the credential and the reader. The reader and card perform a “handshake” and this handshake means that the data is encrypted from the card to the reader and the reader does some decryption. It also means that it’s more difficult to perform a replay attack as there won’t be a handshake. One of the data centers I use for colocation uses iCLASS because they exceed government requirements. When I got badged, they took my biometric information and also stored it on the card. In a nutshell, when I present my card to a biometric reader, it’s comparing the encrypted biometric information with what’s on the card and what the reader calculates from what I give it. Signature match? Access granted! iCLASS is typically found in areas where high security is required such as financial institutions, data centers, and high profile companies.
HID manufactures a model of reader called multiCLASS. This is one of the readers on the market that is capable of reading multiple formats. It can read standard 26-bit low frequency cards as well as the high frequency iCLASS cards. HID markets this reader for organizations that are transitioning. For example, if at one point you installed standard panels and standard prox readers but you want to start moving towards iCLASS for higher security, you can change out all your readers to multiCLASS readers and they’ll still function with prox cards and also allow people with iCLASS credentials.
Readers in my collection
I have a few different readers in my collection.
This is a genuine HID iCLASS reader I acquired in July 2015. It was my first reader and before I even had a board to connect it to. The company I was at was renovating an office building they recently purchased. Our security company had to replace this reader as we didn’t use iCLASS. I was able to take the reader since we didn’t have any use for it. I just kept it in storage/on my desk to study and figure out how these things hooked up to boards which I didn’t yet have.
This was an eBay find being sold for $19 directly from China. I ordered it in October 2018 and it didn’t arrive until November 2018. The eBay listing wasn’t too in-depth so I figured I was getting an HID compatible reader. I ordered it primarily because of the price tag and secondly because of the physical appearance. I absolutely love the look of HID iCLASS readers and think it’s a very modern design that blends in really well. A lot of readers out there are very unattractive and just look ugly in my opinion. They stand out too much and have tiny LEDs or even ugly designs for their LEDs. When I purchased a board and hooked this reader up, I found that none of my credentials would read. Upon further discovery and a closer inspection of the back, I noticed that this is an “ID” format reader. Googling “ID reader format” is too ambiguous and brings back generic RFID results so that’s no help. If you know what this format is, please get in touch!
Yet another eBay find, this is a genuine HID multiCLASS reader with a keypad. I purchased this one because first, the price was a deal of a lifetime at $15 plus free shipping. Most HID multiCLASS readers on eBay sell for $50 to $400 depending on condition. So getting a genuine HID reader for less than what I paid for a generic Chinese knockoff was a steal. I hooked this reader up to my test board and found that it works perfectly as expected with my HID compatible, HID prox, and iCLASS credentials. My board, however, did not appreciate the format in which this reader transmits the PIN. While I could see the correct PIN being transmitted, it was being prefixed and there was no way for me to get the prefix into the access control system.
Access Control Board
To actually make the readers do something, you need to have an access control board. There are a ton of options here. You can find a lot of different panels on eBay and Amazon and they’re from various companies which means the pricing also varies wildly along with feature sets and software. In my experience, a lot of the more “professional” boards are licensed in crazy ways. One of the most common I’ve seen is the control software (this is the software that talks to the boards and how you program boards and how to centrally gather logs and manage users) will lock itself to the system it’s installed on, the system’s MAC address, and the system’s IP address. If any one or a combination of those values change, the software cries piracy and locks itself down not allowing any changes to be made. Because of this, and because a lot of this software is ancient and runs only on Windows XP or older, I tried to find a cheap board that would let me do different things.
So I found this board from a Chinese company, UHPPOTE, on Amazon. I paid $56 for a 4-door board. This company is a mishmash of madness. First, the software they ship isn’t for this particular board. I had to hunt in the reviews and Q&A section to find the proper download. Second, the digital manuals cover another type of board that I only recently found on eBay, and the software for that board, which I installed, is also a bit of a mess. The proper software for this board is also a bit of a mess, too, which is why I’m looking for a new board. The correct software silently installs itself as a trial, but after enough confusion on Amazon, the company now ships you the code you need to register (it’s a static key). I was also curious, and after finding out that this software is written in Visual C# .NET 2.5, I was able to use a decompiler and see what’s going on behind the scenes.
I found out that the company doesn’t disclose that when you register, the software actually emails the registration to a free Chinese email account. After learning that, when I did register it I put in a bogus email address. I don’t think the hard-coded email is valid though, as they were also dumb enough to hard-code the login credentials, and after decrypting them (yay, reversible encryption!), they didn’t seem valid anymore. Thank you, unknown hacker who probably put an end to this spyware!
One of the main problems I have with this board is that it has just the basic terminals available to readers: +12 V, ground, D0, D1, and LED. What this means is that some of the functions I wanted, like having the green LED always on when a door was unlocked, weren’t possible. So I’m looking at replacing this board with a slightly more expensive, but much more reputable, board from Visionis.
The Visionis board has two extra terminals available for readers. It has OK, ERR, BEEP, W1, W0, 12V, and G, which translate to Green LED, Red LED, Beeper, DATA1, DATA0, +12 V DC, and Ground. So I can only assume this means that if a door is unlocked, the green LED stays lit on the reader instead of the standard quick flash of the green LED when a credential is present, valid or not. The error terminal, I assume, means that if an invalid credential is present, the reader will flash and alternate between red and green rapidly. The beep terminal, I don’t think I’ve ever seen anyone use this.
When it comes to access control systems being done in a commercial environment, you have a lot of local, state, and national laws you have to deal with and local laws can be some of the craziest. However, in a lab environment, fire code doesn’t exactly apply because my system runs on a test bench. There are a few lock options you can get, but I am a fan of electromagnetic locks or mag locks. Why mag locks? Well, they’re easy to demonstrate unlike strikes, they’re usually inexpensive (I have two mag locks – one of them, a tiny 100 lb only ran me $20 on Amazon), and there are no moving parts so they’re extremely reliable and rarely ever fail.
I opted for a Visionis mag lock for two reasons: 1) it’s fairly cheap. 2) it includes a door sensor built right in. The second feature alone eliminated the need to buy some door contacts. A third feature which sold me on this lock for even commercial use is the door status indicator LED. It’s absolutely brilliant. Mag locks work by applying power (usually less than what it takes to operate a standard LED bulb), which creates a magnetic field that the strike plate mounted to the door is attracted to. Well, this lock has a cool feature where it has a status LED on the bottom. When power is applied to the lock and the strike plate is firmly attached, the LED is red. When the lock has power but the strike plate isn’t properly mounted, or maybe someone put something on the lock to keep the door from locking, the status LED is green. It’s really bright so it lets you see from a distance whether or not the door is secure. Absolutely brilliant!