It seems that the so-called ‘next-gen OSDP’ (Open Supervised Device Protocol) was meant to make it harder for criminals and intruders to break into secure facilities – but it has failed, many would say spectacularly so.
OSDP was first developed by system integrators to address the need for a uniform and secure authentication system for access control within facilities. It was designed to combine functional and physical security, and thus allow for more efficient access control at a much higher level of security.
However, the OSDP has proven to be far from a secure or reliable system for access control. A 2019 report by Rapid7 revealed that numerous vulnerable security access control systems were easily breached due to OSDP being connected to the internet. The report uncovered that more than 6,000 vulnerable control systems worldwide had not been changed to the more secure version of OSDP, making them vulnerable to being hacked and providing easy access to an intruder.
The report went on to further identify over 20,0000 systems worldwide, in which the authentication credentials of OSDP-enabled devices were exposed and available to the public online. This gave a potential hacker the ability to take full control of building access through remote means, allowing for devastating attacks on any given facility.
In addition to the vulnerable systems and exposed authentication credentials, the OSDP protocol is inherently insecure, as it transmits a single secret to a door controller each time a card or reader is used — opening it up to easy manipulation and spoofing.
It is clear to see that the OSDP, intended to make it harder to breach the security of facilities, has ultimately failed in achieving its primary goal. The vulnerabilities within the OSDP protocol have allowed malicious actors to further their own criminal goals with ease, leading to serious implications for the security of important facilities which have employed OSDP for access control. It is clear that system integrators need to improve the security protocols employed in such access control systems to ensure the continued safety of such secure facilities.
