Security Review: My Apartment

By tchan at 4:41 pm on March 13, 2009

The apartment complex I live in consists of a garage and multiple residential floors. The access points into the building are the elevator, the garage, and a street access door. All three use RFID keycards to restrict access to residents. The elevators are activated with the keycard. Once activated, a floor button can be pushed and the elevator functions normally. The keycard is also used to open the garage gate and outside doors. Once inside, a resident has to use the elevator to reach his or her apartment floor.

Assets/Security Goals:
– Safety and Privacy: With people living inside, safety is an important security goal. People need to feel secure and know unwanted parties cannot enter.
– Private Property: Besides personal wellbeing, the residents also need to be assured that their private property cannot be stolen or damaged.

Potential Adversaries/Threats:
– Employees: Most employees have access to anywhere in the building and a few have keys to enter any apartment. An employee could willingly, or unwillingly, provide a gateway into someone’s apartment.
– Malicious people: There is always the possibility of someone wanting to harm someone else or steal someone’s belongings. Having access to someone’s home allows the possibility for either event to occur.
– Former Residents: Since the same key is used to access the building, a resident could try to duplicate the key. This might allow the person to have access to the building after he or she leaves.

Potential Weaknesses:
– RFID Access: The garage, elevators, and outside doors all use an RFID reader to control access to the building from outside. The weaknesses of RFID therefore apply here: someone could try to create an access key into the building by first reading someone else’s key.
– Residents: It is possible to access the building by following a resident. Someone could enter the garage right after someone else opened it or enter the elevator right after someone used his or her key.

Potential Defenses:

The main defense is controlling who has access into the building. As mentioned above, the outside doors, the garage, and the elevator require an access key. Although the access method has its own weaknesses, it still provides some protection against unwanted guests entering.

Another method of controlling access is locking the staircase in one direction. The doors to the staircase remain unlocked, but the doors from inside the staircase are locked. This prevents people, even residents, from accessing the building from the stairwell.

There are security cameras at every floor. Although these cameras are unlikely to prevent anything bad from happening, they can be used to detect and recover from an attack.

Evaluation of Risks

Although piggybacking on another resident’s access into the building is possible, it does have its limitations. Each key access only allows one floor button to be pushed. If someone was strictly relying on someone else’s key, he or she would be limited to the same floor. Also with the one-way staircase access, that person would not be able to use the stairs to change floors.

Although this one-way access does provide an added security feature, as in the case above, it can also be an inconvenience. Since the stairways only allow one-way access, the elevator is the only way to reach the residential floors. This restriction allows for a denial-of-service attack. If the elevators were ever disabled, residents would not be able to access their apartments without removing the security of a locked stairwell.

Conclusion

There are flaws in RFID, but why go through the trouble of breaking the restricted access mechanism when a social engineering attack is easier? There have been many times when I’ve entered the elevator with someone else inside, noticed my floor was already pushed, and never had to take out my key. Of course no one will ask, “Hey, do you live here? Can I see your key?” In the end, requiring keycards or some other type of technology for access doesn’t really matter if someone else opens the door.
