The Access Passback Problem

Published Aug 18, 2021 13:33 PM

'Passback', the practice of using someone else's credentials to gain entry, is a troubling access control vulnerability.

In this report, we look at the problem and how designers can minimize vulnerabilities, including:

  • Passback vs Tailgating
  • Why Passback is an access risk
  • Soft anti-Passback: time limit
  • Hard anti-Passback: reader pattern and flow
  • Biometrics & Turnstiles
  • Integrator feedback on solutions they use
  • Many just ignore the risk

Passback *********

'********' ***** '******* ***********'. **** *** example *****, *** ****** *** ******* through ** ******-********** **** ** ******* the **** *****:

'********' ****** **** '****** *' ***** their ********** ** '****** *' ** that ****** *** **** ******. **** practice ** ******* ** ******** * door *** ******* * **** **** to ** ******* ****** ** ******* your ******** **** ******* ****.

Security *************

** ****, ******** ***** **** *** system ** *** *********** ****** ** the *** ** *** ********, *** at *****, ** ***** **** * potential ****** ***** *****.

Less ***** **** **********, ***** * *******

'**********' ***** **** **** * ********** has ****** * ****, ** ** left **** ** **** **** **** one ********** ** ******* ** **** through. ** ******** ** '********', '**********' bypasses *** *********** ** **** *** credentials, ***** '********' ******* ****.

************ * *********** **** ** ***** of ******** *******, ***** ******** ** generally **** ******* *** *********** ** dangerous. ******** ** ******* *** **** with ********* ****** ** * ********** is ***** ****, **** *** *** that ********* *** *** ****.

** *******, ******** ** ****** ** manage **** **********, **** **** ********* or ******** ************* ************ ********** *** act **** ** *** ****.

*** **** ** *** **** *********** tailgating ******, ********* **********: ******* ******** *************.

Anti-Passback *********

** ******* *** ****, ****** ******* systems ***** ******* **** ******** '****-********' controls:

  • **** ****** (**** ****** '**** ****-********')
  • ****** ******* & **** (**** ****** 'Hard ****-********')

*******, ** ***** ********* *** *** able ** ** ****, *********** ******** can ** **** **** **** ***** cost:

  • **********
  • **********

Soft ****-********: **** ******

*** ******** *** **** ***** ******* means * ********** ****** ** **** at *** **** ****** ***** ****** a ******* ****** ** ****. **** feature ** ***** ******** **** ********** access ******* *** ******** ************* ** use **** ******* *** *********.

****** ********* * **** **** ******** access ** *** **** ****** *** a ****** ** * ** * minutes *********** *** *********** ** ********** using * **********. ** **** *****, the ***** *** *** **** ** fully ******** **** ***, *** *** event ** ******* ** * ****** for ********** ** *********** *******.

*******, **** **** ** ******* *** be ************ ** ***** ************ **** something ***** ******* * ****, ****** distracted ** * ************, ** **** some ***** ********** ****** *** ******* re-credentialing ******* ** *******.

Hard ****-********: ****** ******* *** ****

*** **** ****** ** **** **********, but **** **** ****** ** *********.

***** '****** ******* *** ****' ******* requires ********** ***** ** ****** * logical ******* ****** * ******. *** example, * ********** **** ** **** at ** '***' ****** ****** ** can ** **** *** ** '**' function. ********, * ********** ****** ** used ** ***** '******** *' ** 'Building *' *** *** ***** **** exited.

**** ****-******** ****** ** *** **** stringent ******* **** *** *********** *** problem, *** ** ******** *** **** cost ** '***' ******* **** **** be ********* *** ****** ** ******** on ****** *** ***** ********** ****** a ********, **** ***** **** *** infrequently ****.
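An added example (not IPVM's or any access control vendor's code) that implements the two controls the report outlines: a soft anti-passback that rejects a credential presented again at the same reader within a time window, and a hard anti-passback that enforces In-then-Out flow per area and logs each violation for review. The 5-minute window, the deny-on-violation policy, the reader and area names, and the badge events are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    t: int           # seconds since start of day (constructed sample data)
    cred: str        # credential id
    reader: str      # reader id
    area: str        # area the reader controls
    direction: str   # "in" or "out"

@dataclass
class AntiPassback:
    mode: str                  # "soft" or "hard"
    window: int = 300          # soft mode: 5-minute reuse limit (assumed value)
    last_ok: dict = field(default_factory=dict)   # (cred, reader) -> t of last grant
    location: dict = field(default_factory=dict)  # cred -> area currently inside
    log: list = field(default_factory=list)       # violations kept for review

    def decide(self, ev: Event) -> bool:
        if self.mode == "soft":
            # Soft: same credential at the same reader again inside the window
            prev = self.last_ok.get((ev.cred, ev.reader))
            if prev is not None and ev.t - prev < self.window:
                self.log.append((ev.t, ev.cred, ev.reader, "reuse within window"))
                return False
            self.last_ok[(ev.cred, ev.reader)] = ev.t
            return True
        # Hard: credential must alternate In -> Out -> In through each area
        inside = self.location.get(ev.cred)
        if ev.direction == "in" and inside == ev.area:
            self.log.append((ev.t, ev.cred, ev.reader, "already inside area"))
            return False
        if ev.direction == "out" and inside != ev.area:
            self.log.append((ev.t, ev.cred, ev.reader, "no matching In read"))
            return False
        self.location[ev.cred] = ev.area if ev.direction == "in" else None
        return True

def run(mode: str, events: list) -> list:
    # Evaluate events in order; returns the list of grant/deny decisions
    apb = AntiPassback(mode)
    return [apb.decide(e) for e in events]

# Constructed sample: alice's card is reused at the same reader 90 s after her
# entry; bob badges out of an area he never badged into (a tailgater leaving).
SAMPLE = [
    Event(0,   "alice", "lobby-in",  "bldgA", "in"),
    Event(90,  "alice", "lobby-in",  "bldgA", "in"),    # passback attempt
    Event(400, "alice", "lobby-out", "bldgA", "out"),
    Event(420, "alice", "lobby-in",  "bldgA", "in"),
    Event(500, "bob",   "lobby-out", "bldgA", "out"),   # never badged in
]
```

Both modes deny the 90-second reuse, but only the hard mode catches bob's exit without a matching entry, which is the flow violation the soft time limit cannot see.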

Using ********** ********* ****

******** *** ** ********* ** ************* users ***** ** ********** (***** ***** body) ******* ** '*********' ***********.

*******, *** *** ********, *****, ** facilities *** **** ** *** **********, and **** ********* ******* *** ** needed.

Turnstiles & ********* ***** **********

* ******, *** ********* ******, ****** of ********** ******** ** ***** **********, revolving *****, ** ******** ** ********** prevent **** **** * ****** ****** entering ** *** ****.

***** ********** ** ***** ****** ** deployed ** * *** **** **** allows *** ***** ** * ****, and ** **** ** ******** ****** exist ** ****** ******* *********** *** to ******.

*** ****, ********* ******* ********** *****.

Other *********

************ ********** ******** ********* ******** **** than **** ********. *** *******, ** our********* ********* ** ************ *** ****************, **** **** ** ******** ***** were *****,

**** **** **% ** ***** ********* mentioned ***** **** **** *** ******** method *********:

  • *******:******* ****** ******** ******** ***** ************ cameras ** ****** ****** ******.
  • *******:*** **** ****** '****' ******* ** address *** **** *** *** *** of ***** ** ****** ****** **** misusing *** ****** ******* ****** ** undermines ******** ********.

Ignoring **** ******

*******, **** ****** ** ****** *** issue. ***** **% ** ********* **** they ****** ** ******* ******* ********** it ** *** ******, ** ** is *** ****** ** * **** to ******* ***************.

Dangerous ** ******

******** ** ****** *** ****** ******* intruders ** **** ***** ** ***** they *** *** ** ******** ** enter. **** ******** ******* ** ******** risk, ** ********** *** ******* ********** in ****** *******.

Comments (28)
Ramsey Burns
Aug 19, 2021

* ***** **** ** *** **** from ** ********** **** ****-******** ** when *** ****** ** ********, ***** is ** ***** ** *** ****** but ****** ** ***** *******. ***** anti-passback ** **** *** *** *** pass * ***** ********** ****** * certain **** *****. *** **** ** a *** ******* *** **** *** two ******** *******.

Undisclosed #1
Aug 19, 2021
IPVMU Certified

**** ********, ** * **** ** a ****** ****, *** ***** ****** passback ******* ** **** ******* ** opening *** ****?

** *** **** ** * ****** turnstile ***** ***** **

*) ** *** ** **** ** open, ***

*) **** ** **** *** **********

** ***** ***** ** **, *** a **** *** ******* ** *****.

Brian Rhodes
Aug 19, 2021
IPVMU Certified

** **** *****, ***** *** ** tailgating ******, *******, ** ********* **** would ****** *** * ********** *****, but *** *********** ** ********. ** the ******* *** ******* *** ********* enough ** ** ********/********* ***********.

Brian Rhodes
Aug 19, 2021
IPVMU Certified

** **** *********** ***** ********** ***** easier - *'* ***** ** ** pretty *************** ** **** **** *** door ****, *** **** ****** ******* (especially **** ********** *** ****-******** *****) will ***** ** * **** ** held **** *** ****.

******** ** * ****** *** ****** this!

Ramsey Burns
Aug 19, 2021

**** ********, ** * **** ** a ****** ****, *** ***** ****** passback ******* ** **** ******* ** opening *** ****?

** **** *** ***** ****** *** enter ** * ***** ****.

Brian Rhodes
Aug 20, 2021
IPVMU Certified

**** ** * **** ****** * had *** **********!

Undisclosed #1
Aug 20, 2021
IPVMU Certified

******** ***’* *** ****** ** ** the **** ****-******** ****** ******* ** the *****.

Undisclosed #1
Aug 20, 2021
IPVMU Certified

*., **** ** *** ***** ** the **** ** ***** *** ** those ****** ***** (*-* **) ******* on *** ****, **** *** **** being **** *** ******** ******’* **** to **** ***** **** *** *** waif *** *** *****, *** ***** just **** ********?

***** *** ******* **** *** **** on *** *** ***?

Brian Rhodes
Aug 20, 2021
IPVMU Certified

** ***** ****** **** *** ******* employees ** ****, *** ****** *** or *** *** *********** *** used *** **** ***** ***** ** quite *****, ****** ~*"/***** ** ****.

Ramsey Burns
Aug 20, 2021

******’* **** ** **** ***** ****

*****'* **** ******** ** *** ******** unless *** **** ****** **** (**** a *******)

Jim Elder
Aug 22, 2021
IPVMU Certified

**** **** ** *** ** ******* a ******* ** ********** ** ** view. *** ****** * **** **** tailgating ***** * ***** **** ** used ** ** *******. **** **** detection ** **** **** ****** *** great, *** ***** **** ****** ***** the ***** ******. ** *** **** addresses **** ******* ***** *** ***** goes ***. **** * *****? **** a **** **** *** *** *** offender ******* **** * ****? **** the ******? *** *** **** * video, *** ** ***** ** ***'** looking ** * ***** *********, * crime *** ******* ********.

**** **, **********-***** ******* *** ****** a *********** *** ****; *** ** you ** ** *****, *** *** be **** ** **** ** *** door ** ******. ***** *** **** (turnstiles, ********* *****, ***) **** *** indeed ***** * ***-****-***-****** ***** ******, but *** **** ** **** *******. Two ***** ** ******* ********** *** example, *** *** *** **** **** $100K. *** * **/* ***** ** the *** *** ****** ******* $**** per ****. ****, **** *** ****** what ******* ** ***** ********* ***** to *** ******** ** **** ********* or ******** ****** ** ****** ********.

Harun Seel
Aug 25, 2021
IPVMU Certified

**** * **** ** ***** ******. One ** ** ******** ******** *** hilariously ****”****-**** ****?? *** ******** **** ask *** ** *** ** **, three ***** ***** **** **** **** you ** **** ** ***!” **** has **** ** **********.

Undisclosed #2
Aug 25, 2021

*** **** **** *** ** **** it ***?

Ramsey Burns
Aug 25, 2021

******** *** ** ** **** *** system ** *** *** **** ** the ****** *** ******** *****. *********.

Jim Elder
Aug 25, 2021
IPVMU Certified

***. ****, ** ** **-*** ****** operation, ***** ****** ** ***** ***; or **** ** *** **** ** in **** ****. **** ********* **** often ******** ******* ** ********* *** fix *** ****... ******** ** *** point ** ***********. ** **** ****** if ***** *** *****, ******** *** procedures *** ************* *** ********* * Also, ** ***** ** *** **** is **** ** ***** ********** **** as **** *** **********.

Undisclosed Integrator #4
Sep 23, 2021

* ****** ******* ******* *** ** access ******* **** **** **** **** "buy-in" **** ***** *****, *** **** policies *** ********* **** **** ** change. ** *** ***'* ** ****...****, you *** **** *** ***.

Undisclosed #1
Aug 25, 2021
IPVMU Certified

**** * **** ** ***** ******.

*** ** *****, *** **** ******®

Harun Seel
Sep 02, 2021
IPVMU Certified

**

* **** ** ** ****** *** alarm ******* ******. ** *** ** Dad. ** *** ** ***. * said **** ** **** ******* ** an ****** ******* ******* ** ****. Did ********* ** **** ********* ******* you ** *** ** **** ***** of ** ******** ***** ***?

Undisclosed #1
Sep 02, 2021
IPVMU Certified

*** ********* ** **** ********* ******* you ** *** ** **** ***** of ** ******** ***** ***?

* ***** ** *** ******** ******* of *** ****** **** **** “***********” funny ******** *** ** **, *** remember, ***** *** **** ******** ******** end ***** *** ***** **ï***é? **** humorous *** ***********, ******!

** **** *** ** ********* **** of *******; *** * ********** **** for **** * ******, *** ***** and ****-**** * **** *********** *** concept ** ** “***** ******” ***** be ** ***, * ***** **** never **** *****.

-*** * ***** ***

Undisclosed Integrator #4
Sep 23, 2021

Undisclosed Integrator #3
Sep 02, 2021

*** *** *** ***? ******* ** @ss!

Trisha (Chris' wife) Dearing
Sep 02, 2021
IPVMU Certified

*** *** *** ***?

@ ***?

Undisclosed Integrator #3
Sep 02, 2021

****** ******** ******** ***** ** ********* through *** ***-** ** *** ********'* photo ** *** ****** ******* ****** and ** * *** *********** ** a ******.

Brad Hill
Nov 25, 2021

* ****** *** * ***** *****-******** IT ******** ***** ****, ***'* **** them ***. ******* ***** ********** *** everywhere *** ********* ** *** ******* of *** ******** *** * ******* it ****** ***** ****. ** **** day ******** * ******* ******* ********** I **** ****** **** ******** ** say ********* ******* ** *** **** this *** ********* **** ** ** in ** ******* ****** ****.

Jim Elder
Nov 26, 2021
IPVMU Certified

** *** ** ******* ************ (*.*. server *****, **** ****) ***** *** risk ** **** **** *** *** are ********** **** *** ******** ****. Signs **** ****** ***** ***** *** issue; *** **** ****** ******* **** video ********* *** *********** *** **** things ******. ** ***** ** **** if ** ***** *** **** ************* to ** ******** **** * **** of *** *****. ****** **** **** this?

*** *************, ***** *** *** **** up **** *********??

David Rasmussen
Mar 17, 2022
IPVMU Certified

********* ** ******** ** **** ****-******** is *******. ** * **** ***** is ********* *** ********* ** *** badge *** **** *** **** ********** badging **. * *** ** ******* this ** * ****** ******* ***** all ********* ***** * ******** ****** at * ***** ***** ** ******* area ***** ***** ** *** "***" function. (**** *** **** ** ******** to ****** * ********** ****** ** who ** ** **** ****** **** doing * *********) *******, ****** ******** can ** ********* *** *** ** troublesome ** ********.

Andrija Pusic
May 22, 2022

******* ** *** ******** *** ******** in ********** ** ****-******** *******. ********** is *** **** ****** ***** ********** passback. *** **** *********** ** **** not ******* *********** ***** (*** *****!). Full *** (********** ********, "*******" ***) requires ****** ******* ** *** ***** which ** **** ******, **** ************* for *****, *** *** ******** ****** risks. **** ** ****:

***=****

**** ****** **** *** *** ***** advantage ** **** *** ****** **********? Very ******.

John Honovich
May 22, 2022
IPVM

*******, **** ********! * ******* ** the ******** ** ************ **** ****** care ***** ********** ********, ********** ** widely ****, *** *** ********* *** state.

**** *************, *************, *** ******* ** accept **** ****** ** ******** ***** the **** ******** ** ********** **.

*******, ***:********** ****** ******* ***** ****
