Dormakaba Stops Selling / Supporting Cracked MIFARE Classic Credentials
While MIFARE Classic credentials have been cracked for many, many years, and new devices simplify exploiting such vulnerabilities, Dormakaba has stopped selling / supporting the insecure credential that was central to allowing unauthorized access to over 3 million doors.
Based on an interview with Dormakaba and IPVM's review, we detail this move along with Dormakaba's recommendations / mitigation strategies, concluding with recommendations on improved security.
For background on the vulnerabilities, see Dormakaba Discloses Critical Vulnerability, To Rip And Replace Access For 300,000 Doors, and Dormakaba "Unsaflok" / MIFARE Classic Vulnerability Examined.
IPVM recommends that vendors generally stop selling MIFARE Classic credentials.
Relatedly, see our earlier calls for HID to stop selling cracked 125 kHz credentials: HID: Stop Selling Cracked 125 kHz Credentials, and most recently, HID Should Stop Selling And Supporting 125 kHz.