Configuring STid readers that use the SSCP protocol to prevent relay attacks

Last updated: 2024-05-09

Prevent relay attacks on supported STid readers by enabling the system to detect delays in the RF communication exchanges between cards and readers, and reject access requests from the cards that take too long to communicate.

Before you begin

What you should know

A relay attack uses two malicious devices to relay messages between a reader and a card, allowing attackers to access doors without needing the card physically near the reader. In such scenarios, the system takes longer than normal to authenticate a card because the attackers must relay messages to each other in the middle.

Enabling a proximity check on STid readers ensures that only access requests from cards that fall within a configured time threshold are granted.

Procedure

  1. Log on to the Synergis™ Cloud Link unit.
  2. Click Configuration > MIFARE DESFire.
  3. In the Readers and associated MIFARE DESFire configurations section, select the Proximity Check option beside one or more STid readers.
  4. (Optional) In the Proximity check settings section, configure the following:
    Note: It is recommended to keep the default settings. Lowering the maximum latency can cause certain cards to fail the proximity check. Increasing the maximum latency can increase the chance of a relay attack succeeding.
    [Figure: Proximity check settings section of the MIFARE DESFire page in the Synergis Appliance Portal.]
    Maximum latency
    The maximum time, in microseconds, allowed for one exchange between the card and the reader. The default value is 500 microseconds.
    Round-trip time measurements
    The number of exchanges between the reader and the card used to calculate whether the card read is valid. Each exchange must not exceed the configured Maximum latency.
  5. Click Save.

Example

If Round-trip time measurements is set to four, a reader with the Proximity Check option enabled runs a proximity check whenever it receives an access request, using the configuration in the Proximity check settings section. The proximity check measures the duration of an exchange between the card and the reader four times.
The proximity check results in one of the following:
  • If the time calculated for each of the four exchanges falls within the Maximum latency, the card passes the proximity check. The Synergis Cloud Link unit proceeds to grant or deny access based on the access rights of the card, and the door unlocks or remains locked accordingly.
  • If at least one of the exchanges takes longer than the Maximum latency, the card fails the proximity check. The Synergis Cloud Link unit does not proceed to make an access decision, and the door remains locked.
    Note: No Access denied event is generated when a proximity check fails.
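
The pass/fail rule above and the latency trade-off from the note in step 4, modeled as an added Python example (not Genetec or STid code). The function names are hypothetical and every round-trip time is constructed for illustration; only the 500 microsecond default and the four measurements come from this page.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_MAX_LATENCY_US = 500  # default Maximum latency stated on this page

@dataclass
class Outcome:
    passed: bool
    access_decision_made: bool      # False: door stays locked, no Access denied event
    failed_exchange: Optional[int]  # 1-based index of the first exchange over the limit

def proximity_check(rtts_us, max_latency_us=DEFAULT_MAX_LATENCY_US, measurements=4):
    """Every one of the first `measurements` exchanges must not exceed the limit."""
    if len(rtts_us) < measurements:
        raise ValueError("fewer round-trip times than configured measurements")
    for i, rtt in enumerate(rtts_us[:measurements], start=1):
        if rtt > max_latency_us:
            return Outcome(False, False, i)
    return Outcome(True, True, None)

# Constructed round-trip times in microseconds (not measurements from real hardware).
# Each entry: (per-exchange times, whether the read went through a relay).
SAMPLES = {
    "genuine_fast": ([310, 295, 320, 305], False),
    "genuine_slow": ([470, 455, 480, 465], False),
    "relayed_a":    ([520, 640, 610, 650], True),
    "relayed_b":    ([480, 490, 530, 485], True),
}

def sweep(thresholds, measurements=4):
    """Per threshold: (genuine cards rejected, relayed reads that pass the check)."""
    result = {}
    for limit in thresholds:
        rejected = accepted = 0
        for rtts, relayed in SAMPLES.values():
            ok = proximity_check(rtts, limit, measurements).passed
            rejected += int(not relayed and not ok)
            accepted += int(relayed and ok)
        result[limit] = (rejected, accepted)
    return result

if __name__ == "__main__":
    for limit, (rejected, accepted) in sweep([400, 500, 600]).items():
        print(f"max latency {limit} us: genuine rejected={rejected}, "
              f"relayed passing={accepted}")
```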