Skip to main content
REQUEST A DEMO

Increasing Security for Legacy Access Control Systems


Exploring how companies can utilize legacy equipment to raise their level of security 


By Jeff Smith
Jeff Smith, CPP, CDT, is Principal, Vice President at TEECOM in Oakland, California

Google the phrase “hack access control card” and you’ll be treated to countless stories, how-tos and warnings about vulnerabilities in today’s legacy 125 KHz proximity access cards and readers. Despite few documented incidents of someone cloning an access card and entering a facility to perform nefarious deeds, owners and security managers should be concerned.

Why Is It Important To Update Legacy Access Control Systems?

Why? Because it’s easy to take a card reader off the wall and attach a small circuit board that transmits cardholder data to someone nearby as each person enters the door. The copied data can be used to create access cards and gain entry to the building. You could even take your proximity card to your local home goods retailer and have it copied in order to keep one in your desk, one in your car and one in your bag. Does this sound like a secure credential? So how do companies utilizing legacy equipment raise the level of their organization’s security? 

The answer is to acquire technology that is both secure and forward compatible as well as develop a comprehensive implementation plan. The basic approach is to implement smart 13.56 MHz encrypted cards, smart 13.56 MHz multiformat card readers, Open Supervised Device Protocol (OSDP) enabled products and work with manufacturers that support the encrypted data chain from access card to access control panel. These basics should also include your cybersecurity practices and be implemented in conjunction with your IT team’s best practices (changing default passwords, creating and implementing firewalls and educating users on phishing attacks).

What To Do With An Insecure Legacy Access Control System?

If you’re using a legacy system that you know is no longer secure, you don’t have to forklift the entire thing out tomorrow. Take an incremental approach. If you already utilize Prox access cards, you might start by adopting dual-form-factor cards with 125 KHz Prox and 13.56 Smart formats on the same card as a bridge to your upgrade strategy. The next step would be implementation of OSDP multi-format card readers, ensuring secure communication between card and reader. Lastly, upgrade to card reader panels utilizing OSDP data format. These are typically located in the building’s MDF and IDF rooms. These incremental steps will provide a secure data communication chain from access card to card reader to access control panel.

The point is that your security system upgrade can be done incrementally and as allowed by a limited budget. Our goal is to magnify your limited security dollars and ensure they are stacked on top of each other instead of being expended on disparate, ancillary efforts. Use an experienced security consultant and the access control system manufacturer’s professional services team to help you devise a solid plan, map out the implementation strategy and clean up the existing card holder database as part of the project.

Updating Legacy Systems with OSDP Access Control?

When choosing an access control system manufacturer, look for those that use open-sourced OSDP access control hardware boards as well as industry standard OSDP multi-format card readers. Commoditize as many of the security system components as possible so that you as the owner can migrate onto a new software platform with virtually no changes to your currently installed field hardware if desired in the future.

Supporting Legacy Access Control Systems

Your facility’s physical and cybersecurity is only as strong as its weakest point, and unfortunately in many cases that weak link is the access card’s data transmission chain. By modernizing your system, you raise the level of protection for your company, ensuring the safety of your employees and the protection of your company’s assets, including intellectual property. Manufacturer-agnostic physical security consultants can help clients select systems and components that meet their specific security requirements.

Learn more about our security products
REQUEST A DEMO

Frequently Asked Questions About Legacy Access Control Systems

A legacy access system can refer to any access control system that hasn’t been upgraded in years. Essentially, this is a security system that doesn’t make use of technological advancements and often comes with challenges associated with aging system efficiency. There are many ways to update a legacy access control system, especially with the rising use of cloud-based access control, and with the right integrations, this doesn’t have to be a costly process where everything is replaced at once. The current state of access control, however, makes it vital to begin considering incremental security upgrades. 

Legacy security systems are systems that have been vastly improved upon by modern technology and can no longer reach the same capabilities as modern security systems. 

While legacy systems can still be reliable, as time passes these systems will be open to additional risks. As a result, teams need to implement newer security systems over time. For many companies, a cloud-based system can be a great fit, since these don't require additional opportunities and can be updated automatically.

Many companies continue to use legacy control systems due to the costs associated with upgrading, as well as the potential learning curve for a new security system. 

Legacy access control systems can come in many different types. Either they are unable to be scaled, no longer have any updates available, rely on legacy data, or they have simply reached their End of Life. There are also many on-premise solutions, which operate on-site and are typically built into a building. More advancements in technology have given rise to both hybrid and cloud-based access control systems that can operate remotely and put the responsibility of upkeep on the service provider. 

Legacy access control systems can come in many different types. Either they are unable to be scaled, no longer have any updates available, rely on legacy data, or they have simply reached their End of Life. There are also many on-premise solutions, which operate on-site and are typically built into a building. More advancements in technology have given rise to both hybrid and cloud-based access control systems that can operate remotely and put the responsibility of upkeep on the service provider.