Researchers have discovered a suite of vulnerabilities that largely break a next-generation protocol that was designed to prevent the hacking of access control systems used at secure facilities on US military bases and buildings belonging to federal, state, and local governments and private organizations.

Like an earlier protocol, known as Wiegand, OSDP provides a framework for connecting card readers, fingerprint scanners, and other types of peripheral devices to control panels that check the collected credentials against a database of valid personnel.

When surreptitiously inserted by a would-be intruder into the wiring behind a peripheral device, Gecko performed an adversary-in-the-middle attack that monitors all communications sent to and from the control panel.

Secure Channel allowed OSDP-based communications between peripheral devices and control panels to be encrypted with 128-bit AES, a tried and tested algorithm that is virtually impossible to break when used correctly.

While all but four of the vulnerabilities can be effectively eliminated, mitigations require configuration settings that aren’t described in the official OSDP specification (available here for $200) and differ depending on the manufacturer of each device.

OSDP works over RS-485, a serial communication protocol designed to provide relatively high bandwidth (up to 10 megabits per second), the ability to span reasonably long distances (up to 4,000 feet), tolerance for lots of radio frequency noise, and capacity for 32 devices on a single line.