Coming Out Party for OSDP

On August 9th 2023 there was a presentation at the annual BlackHat conference that highlighted vulnerabilities found within OSDP. This sparked many discussions online and inspired the creation of a few blog posts. As someone who has been involved with advocating OSDP since 2018, I found the reaction to the presentation to be a wake-up call. It is clear that OSDP is no longer a niche standard with a limited install base. The OSDP standard has become a critical piece of the physical security infrastructure. I believe that the BlackHat presentation is an inflection point for OSDP. We should be thanking the folks at Bishop Fox for taking the time to publicly provide constructive feedback on how to improve OSDP. It is up to everyone in the security industry to take the information presented and move forward with making OSDP a robust standard that all of us can stand behind.

Before getting into details of the findings, I have some thoughts to convey. First, there is absolutely no reason to ditch the OSDP standard. Open standards have many constraints in order to interoperate with devices. There are tradeoffs between having the best security and being able to operate with all types of hardware. The original purpose of OSDP was to allow for bidirectional supervised communications between a panel and readers. It has been quite successful in this regard. Later, encryption that could be processed on low-powered devices was added. This also has been effectively implemented using AES 128-bit encryption. The trajectory of OSDP is very similar to that of HTTP, used by the Internet for communicating with online services. Once it became apparent that HTTP was being used for critical transactions, HTTPS was created to encrypt sensitive communications. HTTPS went through many revisions as vulnerabilities were found. The strength of the OSDP standard is the workgroups hosted by SIA to continually evolve the specifications. I have no doubt future revisions to OSDP will mitigate the issues found by the BlackHat presentation.

The SIA OSDP technical working group received the findings a few weeks before the presentation. These OSDP working groups are open to everyone without any restrictions. The fact that there are many active members in the working groups is a strength of the OSDP standard. I was impressed by the level of involvement of many group members in discussing how to improve OSDP in future versions. Many of the critical areas of concern are not with the OSDP specification itself; they are with how vendors implement OSDP. Implementation shortcomings were the cause of the most severe vulnerabilities. This is a very fixable situation, which doesn't require updates to the OSDP specification to rectify the security issues. In future articles, I will be discussing in more detail how to properly implement secure session within OSDP.

Finally, I appreciate that the Bishop Fox presenters included a slide highlighting the importance of the SIA OSDP Verification program. Full disclosure: I am currently contracted to perform verification testing in this program. I encourage all security vendors who have OSDP support to register for OSDP verification. Customers, integrators and consultants need to require that their next project have only OSDP verified components specified. These actions will go a long way to ensuring the best experience and most secure deployment of the security system.
