If you want to see someone's eyes glaze over, start talking about cybersecurity. Despite how important passwords are, most of us spend little time thinking about how to keep them safe online. According to the report, in the past 18 months, nearly 1 in 4 people were affected by a data breach. Of the 24 billion credentials compromised in 2022, only 6.7 billion were unique username/password combinations. We're told time and time again to use unique passwords made up of hard-to-guess numbers and words, but the need for cybersecurity doesn't often outweigh the desire for convenience.
Although they can be costly and time-consuming, cybersecurity breaches are typically not considered “life-or-death” events. But when it comes to access control, they can be. A small cybersecurity flaw in a connected access control device can prevent it from doing its job of keeping unauthorized people out of an area.
For owners of commercial buildings and multifamily buildings, cybersecurity issues within access control devices can have serious implications. Unauthorized access through security system compromises can lead to theft and property damage, putting the safety of your tenants and employees at risk. Ensuring robust cybersecurity measures on these devices is important to protect both physical and financial assets.
Earlier this year, a security flaw was reported in a smart door lock provider called Chirp. Matt Brown, a senior systems development engineer at Amazon Web Services, discovered the flaw when he inspected the app before downloading it. “I'm pretty picky about what I trust on my devices, so after downloading Chirp and decompiling it, I discovered that my password and private key strings were stored in a file,” said Brown.
The problem, according to a report by the U.S. Cyber Defense Agency, was that the app contained a hard-coded password used for door locks, “BEACON_PASSWORD.” Fortunately, this password was only used to change the settings of the door lock's Bluetooth beacon, and a remote user with the password could not change the settings or unlock the door. But the fact that new smart door locks could be designed with such security flaws highlights the lack of oversight and standards in the access control industry.
The potential threat posed by cybersecurity flaws in access control systems like Chirp highlights the need for improved regulatory standards. Owners of commercial buildings and multifamily properties are particularly at risk, as breaches can result in unauthorized access, jeopardize occupant safety, and create significant liability issues for owners.
This year, the European Union passed the EU Cyber Resilience Act, which creates security standards for hardware and software manufacturers. The law not only requires IoT devices such as smart locks to include a certain level of cybersecurity, but also requires manufacturers to continue providing security updates and vulnerability patches for at least five years after the device is sold. It will also create a directive that holds manufacturers accountable if their products have security flaws.
The United States does not have a single mandatory cybersecurity law. Instead, there are a number of industry-driven standards and voluntary initiatives. However, the Cyber Resilience Act already requires manufacturers to design their products differently, even though the US does not have its own standards. Matthew Vaughn, chief product security officer at Honeywell, said: “Once the standard is implemented in the next few years, all software will have to go through certification testing, which will make it difficult to sell it anywhere. It's going to change the way we provide support.”
Although the United States has not adopted these standards, there is a growing movement to follow the EU's example. “The government is very concerned that the industry will reject the new standards,” Bohne said. “So we're working with them to help them understand that agreed standards will actually help them get adopted.”
Europe's new standards have had a significant impact, but their effectiveness remains limited. The cybersecurity landscape is constantly evolving, meaning no single law can keep us safe forever. “Cybersecurity knowledge is like milk,” Vaughn said. “Whether you use it or not, it's going to fail at some point.” To prevent cybersecurity breaches of access control devices that can lead to potentially dangerous problems, manufacturers, regulators, and operators must stay engaged with each other. Forums, industry groups, and conferences already exist for cybersecurity professionals, but in the future, these should be extended to everyone involved in deploying and managing access control devices.