Seeds of Insecurity: How 'Mellon' Cracks Open OSDP
Brian Harris
Jan 23, 2024

When it comes to physical security, the advancements in technology have been both a blessing and a curse. The sophistication of security measures has undoubtedly increased, but so has the ingenuity of those seeking to bypass them.

Today, we're diving into the world of Mellon, an intriguing tool and methodology designed to exploit RFID readers, focusing particularly on the Open Supervised Device Protocol (OSDP). This blog post is not just an exploration; it's a deep dive into the vulnerabilities that "Mellon" exploits and the implications for security systems worldwide.

Communications Methods


A quick primer on Physical Access Control Systems (PACS) and how they communicate. A traditional PACS has two communication links: the front end, between the card and the reader, and the back end, between the reader and the controller.

The controller is what decides who has access and who does not. The card presents a number to the reader (on modern credentials this exchange is encrypted; older low-frequency cards send the number in the clear), and the reader re-encodes that number into a form the controller understands and relays it upstream.

In essence think of it like this:

Card and Reader speak German (front end communication)

Reader and Controller speak French (Back end communication)

This means that the reader must be able to speak both languages, while the card and the controller each need only one.

For a deep dive into exactly how RFID works and the other attack vectors against it, read this post.

The First Language: Card to Reader

The first language is spoken between the RFID card and the reader. When a card enters the reader's field, the reader's carrier powers the chip embedded in the card, and the chip answers with its data: typically the card's identifier and, on credentials that support it, an authentication exchange. This interaction, though seemingly simple, is the first step in granting or denying access.

The Second Language: Reader to Controller

Once the reader has the information from the card, it must pass it to the control system, which decides whether access should be granted. This is where the second language comes in. Historically, and still for a large majority of installations (around 70-80% globally), that link has used the Wiegand interface, a two-wire (DATA0/DATA1) signalling scheme dating from the 1970s. Wiegand has a glaring weakness: it is one-way and transmits the card number as unencrypted, unauthenticated pulses, with no supervision of the line. Anything with access to the reader wiring can record the number, replay it, or inject a number of its own, and the controller cannot tell the difference.
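As an added example (not code from the original post), here is a 26-bit Wiegand decoder and encoder in Python. It shows what a tap on the reader wiring actually yields: the facility code and card number are plain binary fields guarded only by two parity bits, and a frame for any number can be built just as easily as it can be read. The captured bit string and pulse sequence below are constructed for the example.

```python
"""26-bit Wiegand (H10301 layout) decoder/encoder, demonstrating that the
reader-to-controller link carries the card number in the clear.

Bit layout of a 26-bit frame, numbered left to right from 0:
  bit 0      even parity over bits 1-12
  bits 1-8   facility code (8 bits)
  bits 9-24  card number (16 bits)
  bit 25     odd parity over bits 13-24
"""

from dataclasses import dataclass


@dataclass
class Wiegand26:
    facility_code: int
    card_number: int


def bits_from_pulses(pulses):
    """Turn a captured pulse sequence into a bit string.

    A Wiegand reader sends each bit as a short low pulse on one of two wires:
    a pulse on DATA0 is a 0, a pulse on DATA1 is a 1. `pulses` is the order
    in which the two wires pulsed, e.g. ["D1", "D0", ...] (constructed input).
    """
    lookup = {"D0": "0", "D1": "1"}
    try:
        return "".join(lookup[p] for p in pulses)
    except KeyError as exc:
        raise ValueError(f"unknown wire {exc.args[0]!r}") from None


def _parity(bits: str) -> int:
    """1 if the number of set bits is odd, else 0."""
    return bits.count("1") & 1


def is_valid_wiegand26(bits: str) -> bool:
    """Check length, alphabet and both parity bits without raising."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        return False
    leading_ok = _parity(bits[1:13]) == int(bits[0])       # even parity
    trailing_ok = _parity(bits[13:25]) != int(bits[25])    # odd parity
    return leading_ok and trailing_ok


def decode_wiegand26(bits: str) -> Wiegand26:
    """Recover facility code and card number from a 26-bit frame.

    No key is needed: the fields are plain binary integers, which is exactly
    why a tap on the reader wiring yields a replayable credential.
    """
    if not is_valid_wiegand26(bits):
        raise ValueError("not a well-formed 26-bit Wiegand frame")
    return Wiegand26(
        facility_code=int(bits[1:9], 2),
        card_number=int(bits[9:25], 2),
    )


def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Build a frame for a given facility code and card number.

    Because there is no authentication on the line, a device that can drive
    DATA0/DATA1 can present this frame to the controller as if a card had
    been read.
    """
    if not 0 <= facility_code < 2**8 or not 0 <= card_number < 2**16:
        raise ValueError("facility code must be 8-bit and card number 16-bit")
    body = f"{facility_code:08b}{card_number:016b}"
    leading = _parity(body[:12])        # makes bits 0-12 even
    trailing = _parity(body[12:]) ^ 1   # makes bits 13-25 odd
    return f"{leading}{body}{trailing}"


if __name__ == "__main__":
    # Constructed capture: facility code 123, card number 45678.
    captured = "10111101110110010011011101"
    print(decode_wiegand26(captured))   # Wiegand26(facility_code=123, card_number=45678)
    print(encode_wiegand26(123, 45678) == captured)   # True
```

The parity bits are the only integrity check the format has; they catch a single flipped bit on a noisy line, not a deliberately constructed frame, which is why the decode and encode directions are equally easy.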

The Emergence of OSDP: A Leap Towards Enhanced Security


Recognizing the inherent weaknesses of Wiegand, the security industry sought a more robust solution. The result was the Open Supervised Device Protocol (OSDP), developed by the Security Industry Association (SIA) and now also an IEC standard (IEC 60839-11-5). OSDP was more than an incremental improvement: it is a bidirectional, supervised protocol, normally run over RS-485, that brings the reader-to-controller link into the modern era. Its most significant advance is encryption, provided by the optional Secure Channel mode, which uses AES-128 to encrypt and authenticate traffic between reader and controller. One caveat a practitioner should keep in mind: Secure Channel has to be enabled and keyed, and an OSDP link that is not using it still carries the card number in the clear, much like Wiegand.
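As an added example, not part of the original post, the following Python frames and parses OSDP packets and reports whether a packet is on a Secure Channel and whether its payload is encrypted, which is the first thing to check when assessing an OSDP deployment. The frames are constructed here; the "encrypted" payload and MAC bytes in the secured example are placeholder zeros, since the example does not implement the Secure Channel key exchange itself.

```python
"""Minimal OSDP packet framing/parsing with a check for Secure Channel use.

OSDP packet layout (after the optional 0xFF mark byte, which is not covered
by the check value):
  SOM (0x53) | ADDR | LEN_LSB | LEN_MSB | CTRL | [SCB] | CMD/REPLY | DATA... | CKSUM or CRC16
CTRL bits: 0-1 sequence number, 2 = CRC-16 instead of 8-bit checksum,
3 = a Security Control Block (SCB) follows. Only packets with an SCB are on
a Secure Channel, and only SCB types 0x17/0x18 carry an encrypted payload.
"""

from dataclasses import dataclass
from typing import Optional

SOM = 0x53
CTRL_SEQ_MASK = 0x03
CTRL_CRC = 0x04
CTRL_SCB = 0x08
CMD_POLL = 0x60
CMD_LED = 0x69
SCS_ENCRYPTED = (0x17, 0x18)       # SCB types whose DATA field is AES-encrypted
SCS_MACED = range(0x15, 0x19)      # SCB types that carry a 4-byte MAC before the CRC


def crc16_osdp(data: bytes) -> int:
    """CRC-16 as specified for OSDP: polynomial 0x1021, initial value 0x1D0F,
    no bit reflection, no final XOR."""
    crc = 0x1D0F
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def checksum_osdp(data: bytes) -> int:
    """8-bit two's-complement checksum: the sum of all bytes plus it is 0 mod 256."""
    return (-sum(data)) & 0xFF


def build_packet(addr: int, cmd: int, data: bytes = b"", seq: int = 0,
                 use_crc: bool = True, scb: bytes = b"") -> bytes:
    """Frame one command/reply. `scb` is the raw Security Control Block
    (length byte, type byte, any SCB data) or empty for a plaintext packet."""
    ctrl = (seq & CTRL_SEQ_MASK) | (CTRL_CRC if use_crc else 0) | (CTRL_SCB if scb else 0)
    length = 5 + len(scb) + 1 + len(data) + (2 if use_crc else 1)
    body = bytes([SOM, addr & 0xFF, length & 0xFF, length >> 8, ctrl]) + scb + bytes([cmd]) + data
    if use_crc:
        crc = crc16_osdp(body)
        return body + bytes([crc & 0xFF, crc >> 8])   # CRC is sent LSB first
    return body + bytes([checksum_osdp(body)])


@dataclass
class OsdpPacket:
    address: int
    is_reply: bool
    sequence: int
    scb_type: Optional[int]
    command: int
    data: bytes
    mac: bytes

    @property
    def secure_channel(self) -> bool:
        return self.scb_type is not None

    @property
    def payload_encrypted(self) -> bool:
        return self.scb_type in SCS_ENCRYPTED


def parse_packet(pkt: bytes) -> OsdpPacket:
    """Validate framing and the integrity check, then split out the fields."""
    if len(pkt) < 7 or pkt[0] != SOM:
        raise ValueError("missing start-of-message byte")
    if (pkt[2] | (pkt[3] << 8)) != len(pkt):
        raise ValueError("LEN field does not match packet size")
    ctrl = pkt[4]
    if ctrl & CTRL_CRC:
        body, expected = pkt[:-2], pkt[-2] | (pkt[-1] << 8)
        if crc16_osdp(body) != expected:
            raise ValueError("CRC-16 mismatch")
    else:
        body = pkt[:-1]
        if checksum_osdp(body) != pkt[-1]:
            raise ValueError("checksum mismatch")
    pos, scb_type = 5, None
    if ctrl & CTRL_SCB:
        scb_len, scb_type = body[pos], body[pos + 1]
        pos += scb_len                     # the SCB length byte counts itself
    cmd, data, mac = body[pos], body[pos + 1:], b""
    if scb_type in SCS_MACED:
        data, mac = data[:-4], data[-4:]   # secured packets end with a 4-byte MAC
    return OsdpPacket(address=pkt[1] & 0x7F, is_reply=bool(pkt[1] & 0x80),
                      sequence=ctrl & CTRL_SEQ_MASK, scb_type=scb_type,
                      command=cmd, data=bytes(data), mac=bytes(mac))


if __name__ == "__main__":
    # Constructed frames: a plaintext poll in checksum mode, and an SCS_17 LED
    # command whose payload and MAC bytes are placeholders (not real ciphertext).
    plain = build_packet(0, CMD_POLL, seq=1, use_crc=False)
    secured = build_packet(0, CMD_LED, data=bytes(16) + bytes(4), seq=2, scb=bytes([2, 0x17]))
    for frame in (plain, secured):
        p = parse_packet(frame)
        print(frame.hex(), f"secure_channel={p.secure_channel} encrypted={p.payload_encrypted}")
```

Run over a capture of the RS-485 bus, `parse_packet` separates frames that merely pass the CRC from frames that are actually protected: a link on which every packet parses with `scb_type` of `None` is an OSDP installation that never negotiated Secure Channel, and its card data is as exposed as on Wiegand.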
