Did HID Drop The Ball Here?

I know this is not an IP question, but since we are all in the business, I wonder about the reaction to this article this morning. I have already gotten calls from clients, and the article was posted just this morning.

How Secure is Your Security Badge?

Security conferences are a great place to learn about the latest hacking tricks, tools and exploits, but they also remind us of important stuff that was shown to be hackable in previous years yet never really got fixed. Perhaps the best example of this at last week’s annual DefCon security conference in Las Vegas came from hackers who built on research first released in 2010 to show just how trivial it still is to read, modify and clone most HID cards — the rectangular white plastic “smart” cards that organizations worldwide distribute to employees for security badges.

HID iClass proximity card.

<snip>

Unfortunately, this means that anyone with a modicum of hardware hacking skills, an eBay account, and a budget of less than $500 can grab a copy of the master encryption key and create a portable system for reading and cloning HID cards. At least, that was the gist of the DefCon talk given last week by the co-founders of Lares Consulting, a company that gets hired to test clients’ physical and network security.

<snip>


Hello Mark:

I think that anyone that claims to make an 'unpickable' lock is foolish, i.e., Tobias Exploits Medeco.

The bottom line with iClass vulnerability is that Prox is even more vulnerable and unencoded in open air, yet it continues to be a favorite credential:

The risk of sniffing and cloning is real, no doubt. However, it seems most security managers and integrators think the risk is minor.

I think the best rebuttal to the risk here is to employ multiple authentication factors. Require more than one form of validation simultaneously, and the risk of a single stolen credential is minimized.

Customers purchase iClass and Mifare readers/cards thinking that they are buying the highest level of card security when in reality the card security is not much better than standard 125 kHz prox. If integrity of data and card security is an essential part of your purchasing decision, then the best solution is DESFire.