HID Touts "Signo = Security" Despite Critical Vulnerabilities
While HID markets "Signo = Security" and that "security comes first," HID obscures and features critical unfixed vulnerabilities, both for low frequency / 125 kHz and for its own proprietary, cracked iClass legacy credentials.
Deceptive marketing, especially for security products, is a serious issue, one that the FTC regulates. The fact that HID not only obscures these issues but then also makes such strong marketing statements about security capabilities harms the public.
HID's response to IPVM contradicted its own marketing.
Executive *******
*** ****** **** "***** = ********." But *** *** **** ***** **** its **** ******** **** "******** *******" Signo ******* *** ********, *** **** supporting ******** *********** **** *** **** but **** ******** ********* ****** ******** credentials **** **** ** ** *********** by ******* *** ******* **** *** iClass. ******* ** ******** ***** ******, HID ******** ****. *** ******* ****** says ******* ** **** *** ********* that **** *** "******" ************.
*** *** ***** **** ****** ********* or ********** ****** ***** *** ******** capabilities ** ******** *********** ** ****** or ********* ******** ***** § * of *** *** ***. *********, ********* security *************, **** *** ********* ** exaggerate ******* ************ *** **** **** a ********** ***** *** *** ***** made ** ***********. ** ********* *** to ******** *** ******** *** ** make **** ********, **** ******** ************. If ***, *** ******* ***** **** FTC ************ *** *****.
HID ****** "***** = ********"
******* *****'* ***************,*** *********** ************** "***** = ********," *** **** "no ****** *** ******* **** ****** control *****, ******** ***** *****":
** ******** ****** ******* ****, *** ****** **** * "********* promise ** *****" ** "*****[***]... ********," and **** *** ******* **** "********* security" *** "************ ***********":
*** ***** ******* ****** ** ******* of *** *******' ******* *****, ************** ****** ****** ***,***** ****** ****** ***,***** ****** **, ******** ****** **, ******** **** *** ******* **** a "***** ******* ******** ** ****** electronic ****** *******":
*********,******* ******** "******** ***** ********* **** *** Signo":
FTC **** ******** ****** **** *** *******
*** *** ***** **** ******** *************** paired **** ********** *********** *** ********** an ****** *** ********* ******** ***** § * ** *** *** ***. A ****** ******* ** ******'* **** **** ******* *-****(* ********* ******* ****** ** *******, routers, *** ***** *********) *** ****** and ********* *********.
****** **** ** *** **** ******* D-Link**** *** ******* ******** ********* ** making * **** ** ********** ********** about ******* ********. *-**** ******** § 5 ** *** *** *** ** making ***** *************** **** *-****’* ******* and ** ******* **** “****** **** unauthorized ******" *** **** *-**** *** taken “********** ***** ** ****** ***** products **** ************ ******."
*** **** ***** ***** ** ***. The ******* *** ******* ********* ** making ****** ****** ****** ***** *** Signo *******' ******** ************.
****** **** **** ** *** ************* *-**** “****** ** **** ********** steps ** ****** *** ******** *** their ******* *** ** *******.” ** failing ** ** **, *-**** “******, or ... ****** *****[*], *********** ****** to ********* ** *** ****** ****** that ** *** ********** ** ************** benefits ** ********* ** *********** *** is *** ********** ********* ** *********.” According ** *** ***, **** *********** an ****** ******** ***** § *.
***'* ******* *** ** ******, ***. By "****[***] ** **** ********** ***** to ******" ****'* *** ****'* ***************, HID ***** "****[***] *********** ****** ** consumers." ********* ** ******* **** ******* ****, *** ********, *** **** ** easier ** ********* ****** ****** ******* systems **** *** *** *** ****. If * ******** **** * ***-******* device ** ***** **** * ***-********** facility, *** *** ***** **** ********* about *** *** ****** ** *** known ******** ***************.
FTC ******** ** ************ *** ************** **** **********
***’* ********** ****** ***** ******** ************ could **** *** ******* *** ******** on *********** ************ *** **************.
*** *** ** ***** **** ********* must *** *********/********** ******* ************. *********** *. ****** *********, *** *** ***** **** ****** of ******* *** ********** *** ********** of ********** *** ******* *** ******* to *** * $**+ ******* **********. In** ** *** ****** *******, ***., *** *** ********** **** ****** maker ****** *** *********** ******* ****** benefits. *** ** *********** *** ******** capabilities *** ***** **** *** *********.
********* ******** ** **** * ********** ******** *** ***** **** ** ***********. Companies **** **** *********** ******* ****** almost ********* ***’* **** ******** ************** - ** * ********* ** *** accurate, **** *****'* **** ****** *** proper ******** ** ******* **. *** likely **** *** **** ****** ************** for *** ****** ****** **** "***** = ********."
*** ** *** ****** **** *** of ***** **** **** ******* *** company ***** ******** ********. *** *** says **** *****-**-*********** **** ***** ******* to "********* ** ******** ********":
** *** **** *** ******* *** Signo *******' *************** *** ****** ********** advertising, *** ******* ***** **** *** questions.
HID *******
*** ********* ** * ******* *** comment **** ****, ******:
*** ******** ** *** ********* ** HID’s *** ********. *** ***** ******* have * ***** ** ********** ******** that **** ********** *********find *** ***** ******* ******* *********** *** ********. For example, each Signo reader is currently offered with 8 different pricing options, 6 of which do not support Prox. Multi-technology readers offer customers the opportunity ** ******* *** **** ** ********* **** **** ****** ********** ************, a migration they may not be able to make otherwise. We also offer tools like HID Reader Manager to update reader configurations in the field and work *********** ** ******* *** ********* ** *** ********** ** ********* ****** ********** ********** unless needed. [emphasis added]
***'* ********* ***** ******* * ******* between *********** *** ******** *********** *** own *********, ***** **** **** "******** comes *****" *** **** "***** = Security."
*** ****** ** ********, *****, *** forthright ** *** ****** ********* ** that *** ****** ******** ** ***** devices, ** **** ** ****** *** may *** ***** ******** ** ***, know *** ***** ********.
**** *** ***** ***'* ********** *** the ******* ** ******** **** ******* or *******
** ***** ** ***** **** *** manufacturer ** ******** ********* ********* **** Signo ** ******** *** **** "******** comes *****" **** *** ******* ** that **** *** ************ *********** *** profits **** ********.
*** **** ****'*. **** ********* ****** more *** *** ********. **** **** integrators *** ** ** ****.
**** *** ************* ******** ***** ******* on **** ** *** ** *** integrators ** ** *** ***** *****, and ********* *********** *** *** ****** and ******** ***********.
**** **** ** *** **** **** to **? ******* ********* ************* ********? They **, ** *** **** ******* readers. ********* ********* ************* ** ** option ********?
*'* ******* - **** ** ** that *** **** *** ** **?
**** ** ** **** *** **** HID ** **?
*'* **** **** *** *** *** to ********** *** *** ********** ***** about *********.
***'** **** ***** ****** ** ********* arguments ******. ** ***** ** **** this **** *** ***** ********* ** ignore *** *********** ** *** **** market. *** *** *** ******* **, companies *** **** **** ****-*********** ************* and **** ********** **** *** *** defend **** *****.
****** **-**** *** **** *** *** regulatory ******** *** ******* ****. *'* then ***** ** ******* ** ****.
* **** *** ******* ** **** one ** ****** ***** **** **** studying ***** ********.**** ****’* *******, ** ** * real **** **** *** ***** ******/********** systems.**’* ***** *******, **** **** ********* against ********* *** ************.
***** *** ******* ******* **** ***** has **** **** *********** ******* ********.*** ** ***** ********* ********: * Signo ****** ** **** ******* ***’* be ***** *** ** **** ******* without ****** ******* **** *** *** pushing ** ** *** *******.**** ***’* ******* ****** *****, ** adding ****** *********** ***** *** *** manipulation ** **** (***** ******* ***** be ********** ** ******* **** ****** to *****, ** ******).***** *** ***** *** ******* **** anti-relay ******** (********* **** ****** *** MultiClass ******’* **.*** ******** ** **** ********, *** device ****** ** *****/***/***.
**, ***, ***** ** ***** ***** secure ******* ** ****, ** ********* secure ******* ********.
********** *** ********* ****** ************* ** the **** *** **** ***** ********* can ** ********** ** *** ******* code *******.** *** ****** ***** ********, **’* possible ** *** ** *******.*************, ************* **** ***** *********** **** mean **** ** ***** **** *** extracted (*** *******, ** ******* ****** attacks), *** *************, **** *** *** that’s ******** ****** ** *** ****** is **** ***** *********.
***** ** ********* *** *** *******’* use **** ****** * ******** ******** them.
** *** ****** ******** ** *** SEOS ******* *** ***** *** ***** party ********** *******, ** ***** **** IPVM ***** ** *********** ***** **** exploiting ******** ******** *** ******* ******** to *** **** ****.*******, *** *** ********* ****’* ********** (and **** ******, ***** *** **** are *****), ********* ** *** ****** (iClass **, ***.), ** ********* **** secure (***/***/****).
***** **** ***** **** ** *** best ******** ** *** ******, **** you *** ****.** **** *** ***** ******** ** the **** ** *** ****, ******* it’s * ************ ****** **** ********* compatibility.* ** **** **** **’* *********, but ** ****** *** ** **** than ******** ** *** ********.* ********** **** **** ** **** is * **** ** * *** better **** *** ******** ***** “**** it”, *** **** ******* **** **** because *****’* ** ********** ****.
*****…*** **** ********* ******* ** ******, user-owned, ******** *******, **** *************** ***** AES-128 ** ******. *** ******* *** is ***** **’* **.
*** **** **** *********** ******** ** push *** **** ****** **** **** Wiegand ******* **'* ***** *** **** doesn't ****. **** *** ***** ***'* understand *** *** ******* ** ******** MITM ******* ** *******, *** ***'* pay ** *** **** ********** ****** you *** ******* *** ***** ****.
** *** ** * ****, **** over ****** ** ***** ******, *** should ** *** *** *** ************ using *** ** **********.
*******, ** **** ** ********* ********** is ***** ***** **** *** **** technologies, ***** **** ****** ** * back ****. ****'* ***** ****** **** PKOC **** **** ****, *** ** always **** *** ******** ********, ** will **** ***** (** *** *******) to *********.