Trend Micro Research

Given the increasing use by enterprises of contactless security solutions, the security of the devices that themselves are meant to control access to premises should be of prime consideration. We analyzed several popular edge-based access control devices and found weaknesses that could put enterprises at risk.

Enterprises are increasingly deploying contactless security solutions to control access to their spaces, especially now in the midst of a pandemic. These solutions mostly rely on devices that use facial recognition to manage entry to enterprise premises in an effective and efficient manner. To allow for fluid movement in and out of the workplace, the devices need to process the image of a face quickly and act immediately to either allow or deny entry.

Because of the computational expense of image processing and facial recognition, some solutions rely on external services (hosted mostly on cloud servers) for authentication. The cameras have to send images to the services for analysis and processing. Unfortunately, there is often a lag between access request and authentication due to network latency between the cameras and the facial recognition services. Also, it takes substantial network traffic to send the pictures out of the premises.

To address these issues, the security solutions industry adopted edge computing and applied it to facial-recognition-based access control devices. Edge computing is a rising architectural paradigm for more advanced computational needs and data storage. In this type of design, compute nodes are positioned at the edge of the network, close to the devices or the sensors collecting data. In contrast to the more traditional setups, edge computing has much lower latency.

This has led to the growing popularity of a new class of smart camera devices that are able to perform facial recognition and authentication. These edge-based devices rely on external services solely for coordination purposes.

Considering that these access control devices are quite literally the first line of defense for employees and assets on enterprise premises, we set out to test the security of the devices themselves and to find out whether they are susceptible to cyber as well as physical attacks. Our research paper “Identified and Authorized: Sneaking Past Edge-Based Access Control Devices” dives into the specific weaknesses of four different devices and provides security recommendations for manufacturers and enterprise users of this new generation of access control devices.