ADI Pushing Cracked 125 kHz Access Control

By Brian Rhodes, Published Oct 25, 2018, 02:31pm EDT

Security distribution giant ADI commonly promotes access bundles featuring vulnerable and cracked 125 kHz card formats.  Even worse, they promote these kits as a 'hot deal' in email blasts:

The most confusing aspect of all is that there is no major cost difference in offering these products despite introducing major security risks. 

We examine the situation in this note, explain how easy it is to crack the systems using these cards and look at alternatives.

Hikvision's ******* ****** ***

********* ***** ******** ** a '*** ****' *****'* ******* ***** ** Hikvision ***'* *-**** ****** Bundle ********* * ***** ********** and *** (*******) *** kHz '*********' *******:

*** *** **** ** furnished **** ** ********** blank *****, ** **** users *** ***** ***** the ****** *********** **** it ** *********.  

**** ****** *********'* ****** Control*** ***** ** *** several ********** *********, ********* 'high ********' ******** **** integrated ***** ****** *** reader ****** *******.

*******, *** *** ***** strengths, ******* ********* *** system **** ***-********, ********** 125 *** ******* ***** the ****** ** ** huge ******** *****.

ADI's *** *** **** ******

*** ********** ***** *** kHz ** ***** ****.

******** *** ********* ***** examples, ******* ****** ******* bundles **** ******* ***********, enclosures, ********, *** ******* for * *** ***** in * *****-********* *** licensed ***.  *** ******** of *** ***** **** is **** *** ******* furnished **** *** ***, not **.** ***, *******.

** ************ *****, *** ADI's ********* **** ****:

**** *********:

**** **********:

**** ******:

******:

****** ****** ***:

*** ******* ********:

**** **** *** *** limited ** **** ***** examples, *** ***** *** several ******.

** *** ** ***** cases, ****** **** **** an ****** ******* **** ADI ** ****** ** purchase *** ******* ***** commercial ****** ********.

Cracked *** *** **** ** ****

*** *** *********** **** been *********** ** ***** and ***** ********** **** * ******, ********* ****** **** than * ***** $** gadget *** **** ***** cards ** ****** ************ and ************ ****** ** keys.

*** ***** *****, **** our **** **** ****** ******* With **** $** *** 125kHz **** ****** ****, **** *** ****** skill *** *** ******* a *** ***-***** ****** system *** ** ******* undermined:

ADI ******** ******* ******* ***************

** **** ****** ***** ADI, ***#* ******** *********** ** the **, **** *** ******** to ******* ***** ********** credentials, even ******** ** ****** label ******** ****** ** the ********* ***** ***** their ******-******* '********* *****' ****:   

**********, ***** *** ****** 'cost *********, ******* ********' and **** ******* ************* with **** ***-**** *******, they ** *** **** any ****** ***** *** security *** ******** *** true ********** ** ***** products.

Most **** **** **** ****** **.** ***

**** **** *********, *** and ****** ******* ***** build ***** **** ********* ********* **.** *** Smartcard *********** ****** **********.

***** **** *** ** these *********** ************** ***/** **** **** reader ******, ****** ********* ********* readers ***** ** **** and ********* ** *** same ****** ** *** default *** *** *****.

***** ***** **.** *** will ********* ****** *** types ** ********** **** types *** **** ******* offerings **** *** ********* Cards ********, ***** ***** encrypted, ****** ********* ***** and ******* *********** ********** the ***** ** *** kHz *******.

Not *********** **** **********
** *** ***** ** cost, *** **** ***** saved ** ***** *** kHz ***** ******* *** credentials, ******* **** * cost ********** (**** ************ like ***) ** **** than **% ******* *******, typically **** **** ~$*.** per ****, *** **** often ****** ****** ******* of **** *****.
*** *******, *** *** 13.56 *** ****** *** SE ****** ** *********** the **** ***** ** the *** *** *** Miniprox ****** ** ******* ******* **** ******:
*** * ******* ******-***** access ******, *** **** impact ** ***** **.** MHz ******* ** *** kHz **** ** **** than $*** *** *** entire ****** *********** *** difference ** **-** *****, and * - ** readers.
ADI: **** ******** ***** *** ***
***** ***'* ******* **** access ******* ****** ** denied, ** ***** ** 2014's *** *** ****** ** Access ******* **** ***?, *** *********** ***** take *** **** **** in ******** * **** practical **** ** ****** dealers *** ********* ***** by ****** ******** ** stop ******* *** *** ********.
** **** *****, **** a ****** ***** *** exploits ****** *****, ***** is ******* * **** of ******* *** **** advantages ** ***** **** risky *******.

Comments (31)

I have had some customers who could care less about the vulnerability of a technology such as this. You try and convince them they should upgrade to a more secure product but more often than not they really don't care. One big drawback getting someone to switch was due to the shorter read range of the 13.56 MHz technology compared to the old 125kHz. I always push for customers to switch out to newer card readers and credentials but some just don't care. Depending on the site I get it, who is truly going to clone one of their cards. 

That's good feedback.  We are talking with HID about this, and I'll be sure to elevate the issue of shorter read ranges with 13.56 MHz to see what they respond with.

In the past, they've acknowledged this difference but said that customers should consider using BLE or Mobile Credentials to replace 125 kHz long-range readers especially because the long read ranges present a bigger 'threat footprint' to exploit.

In addition, credentials using UHF or even VHF can go farther than even 125 kHz credentials, often up to 15' or 25' feet.

Default passwords are easier too…

Depending on the site I get it, who is truly going to clone one of their cards.

I agree completely and face the same challenges.  There is no reason for them not to deploy multi-technology readers now and that's a fairly easy sell if they as they add new readers.  The credentials themselves are definitely the challenge particularly the larger the customers deployed card count.  I have debated acquiring a longer range version of the cloner that IPVM tested to show customers how easy it would be to duplicate.  Has anyone had any success with showing clients just how vulnerable they are?

Seeing Brian's post below a good point he brings up is regarding the bluetooth readers.  Most of the clients mentioned above are testing or even doing prototype deployments.  However, those are a mixed bag for me as I have to unlock my phone, enable Bluetooth which is usually turned off, load up the app, etc.  The one benefit is that I rarely lose phones but I have no frigging clue where the 10 cards I have for different clients are at any point until I need them.

For the record, I don't care about the revenue.  I am not a sales person and am not commissioned.  Most of our clients purchase credentials elsewhere anyway and the small revenue boost on a multi-tech reader doesn't set the world on fire.  I do feel that we, as security companies, should be taking every reasonable effort to educate our clients on potential risks.

 

Side note regarding initial post: it's ADI, is anyone surprised?

Has anyone had any success with showing clients just how vulnerable they are?

With long range, no. I haven't had the time to build that. I do plan on building it in the future when I ever get some spare time. I had success twice. One was a client, but we didn't provide the access. I brought it up to them once I recognized the readers. A larger local company provided Lenel with 125 kHz  on a green install. We did the test with the scanner referenced by IPVM. It almost didn't work though because the coil was in the wrong spot on the unit. Once it worked, the installation company claimed they had no idea. This is probably true but scary considering I don't install access control.

The other case was more of a white hat deal. I scanned someone's card with their knowledge and had them try it at their work. It worked with no issue. Now they have iClass readers but they are still using 125 kHz for their credentials. One of their security personnel tried to get bent out of shape over it.  I told them please don't unless they wanted their system flaws broadcast to the press. I had let the person I knew from security know what I was doing. There was no intent but to prove their system was insecure because they seemed to not believe me. They claimed they fixed the issue, except I don't think they did because I don't believe anyone was issued new credentials.

I have actually seen this sold as a feature. A private swimming pool for a gated community uses the old 125kHz and a cloner to mass produce cards for their residents.

 

This is an example of access control being used for convenience instead of security. I see this in cases where you can just jump over the fence connected to the controlled gate if you were fit enough.

The read range is even worse in the Multiclass readers as well. If you are still using prox for credentials, especially keyfobs, then you should get a flash card that makes Prox the priority. This does help. We installed an HID Bluetooth on our front entry and it maybe worked 50% of the time. Oh and a side note the HID Bluetooth readers are not meant to be used outdoors IMO. This is more water than a reader would normally get but but we had a sprinkler head malfunction and deluge the reader with water every other day. Needless to say it shorted out the reader. You could silicone the reader to the base but that makes for a messy looking install after a service call or two. I have had a customer use the UHF but unless you are holding the card in your hand to be read then the water in your body cuts the signal way down.

Thanks for highlighting this issue. Our company has been supplying restricted masterkey systems for over 40 years to solve the problem of unauthorized key duplication. We supply these systems in the majority of commercial applications. I would often point out to the customer that the access reader for the same door they have installed a restricted system on an have the cards easily duplicated. I purchased a cloning device 5 years ago and would show them how it is done. The main issue I would point out to them is identity theft. When someone duplicates your access card they assume your access level and in the audit trail of the systems software the name of the person accessing the door is you. 

Yeah, I can easily see the confusion in buying/installing/maintaining Restricted Keyways that are difficult and costly to exploit, but the 125 kHz access system can be defeated with an eBay buy under $35.

many jobs are expansions of existing 125khz sites with hundreds/thousands of 125khz creds.  Selling kits with multi-format readers would help but it can be difficult to transition hundreds of creds over for 125khz to 13.56mhz

Thanks for the comment!

A good analog to this are Banks and other Financial Companies have migrated huge card populations to embedded 'Chip & PIN' cards that are much more expensive than the magstripe types they issued before.

At some point, even Banks (notorious anti-spendthrifts) decided the security risks too high and issued new cards.

The comparative card population of a typical commercial access system is much smaller.  When will the risk be high enough? 

At some point, even Banks (notorious anti-spendthrifts) decided the security risks too high and issued new cards.

The comparative card population of a typical commercial access system is much smaller. When will the risk be high enough?

I have to wonder if it all pertains to a cost calculation they performed.  This Fight Club quote comes to mind:

A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.

125KHz just continues to get pounded...

Here's the latest long range skimmer just posted 2 days ago: https://www.trustedsec.com/2018/10/lets-build-a-card-cloner/

Looks 90% similar to Bishop Fox's version.

Any wiegand protocol is insecure and can be bypassed for $30 in 5 minutes. Doesn’t matter with PIN or not, Biometric, high or low feq. Man in the middle attack.

Different attack that takes actual installation of the 'in the middle' device.  125 kHz copying is much more grievous because it can be done without equipment modification at all and done without user knowledge.

We're not defending Wiegand at all, and OSDP makes good steps to rectify those weaknesses, but even if OSDP is used, 125 kHz RFID tags can be copied.

125kHz is not necessary vulnerable in all cases. It depends on how this technology is applied. Impro Technologies - a South African manufacturer - and part of Assa Abloy, has launched their S-Series already a year ago featuring anti-cloning credentials. See their website http://www.impro.net/box.

Copying a tag or card with the mentioned copy devices will not grant you access when you use these 125 kHz products 

It appears that Impro 125 kHz credentials are similar to Kantech's XSF 125 kHz proprietary formats. 

They indeed are 125 kHz, but they are proprietary and won't work with the general-purpose readers in the kits above, and only work with Impro.

This is one of the many reasons we always require card plus pin. Doesn’t matter what cards we’re using, this is what we require our customers to use. No matter what credential you use a card can be stolen. We’ve found employees are also more hesitant to give up both their card and pin when asked to lend to an coworker. I’m not sure why card + pin isn’t more common. 

We do not see the use of card + PIN in many systems. Usually customers using card+PIN  make the use of PIN dependent on the time of day, i.e. office/shopping hours: card. Other hours card+PIN. 

This is one of the many reasons we always require card plus pin.

I have started doing (or recommending) the same even with 13.56mhz credentials.  IMO two-factor is the way to go.  The odds of both having the pin compromised and the card stolen is much less likely.

Is it just me or does the title seem like ADI is to blame or wrong for promoting kits with 125KHz readers?

 

Should they not promote Hik due to cyber security?

 

Should they not promote Arecont due to failures?

 

Should they not promote Axis due to product availability?

 

The list could go on and on.

 

 

does the title seem like ADI is to blame or wrong for promoting kits with 125KHz readers?

Yes, that is the point.

Hik and Arecont would argue that their known respective issues have been fixed, at least for the publicly known ones.

To the contrary, 125 kHz vulnerability has not been fixed. Presumably ADI would not continue to sell an IP camera with a publicly known backdoor, yes/no? If no, why would they continue to sell an access control credential that is cracked and unfix(able)? 

My first thought is you have to be kidding me.

 

How can you possibly lay blame on ADI?

 

If I remember correctly, you published several articles on Hik and Dahua security issues, and several articles on how ADI was putting Hik items on sale. Never once did you criticize ADI for selling a flawed product. Now you start?

 

I am sure you can find a flaw in almost every item. Do you know how easy it is to defeat a surveillance camera? Shine a light into it, wear a mask, come up from behind and cover it, etc. Does that mean we shouldn't sell cameras?

 

So a card can be copied if someone can get close enough. For some, it's not that serious.

 

In my office, we share a small bldg with several tenants. The front door is a common door, and who knows how many people have had a key over the years. That is pretty low on the security scale. Now if I install an access control system with 125MHz readers, and delete users after they leave the employment of a tenant, am I worse off? 

 

For that matter why don't you write an article blaming HID, AWID and all the other card manufacturers for even making a 125MHz reader...

For that matter why don't you write an article blaming HID, AWID and all the other card manufacturers for even making a 125MHz reader...

FWIW, the standard reductio ad absurdum argument to be made here is “why don’t you blame the post office for accepting 125Mhz readers for delivery”

 

Jay, good feedback, thanks.

Do you know how easy it is to defeat a surveillance camera? Shine a light into it, wear a mask

You can break your phone if it falls onto the street. You can destroy your laptop if it drops into a lake. You can blow up your surveillance camera if you shoot it with a rocket.

The question then is, what features of a product should a manufacturer and seller be responsible for?

The difference between cracking 125 kHz cards and the examples we both gave is that the former is a defect in what was manufactured and offered by the supplier / seller. 125 kHz credentials were designed (originally) to be secure. It is now defective. However, both the manufacturer and sellers continue to sell it without fixing it nor giving fair warning of the defect.

For that matter why don't you write an article blaming HID, AWID and all the other card manufacturers for even making a 125MHz reader...

Stay tuned. Pt2 to come.

What do you think? Do you think HID et al. should continue to make cracked 125 khZ cards?

I think some more disclosure would be nice. I doubt there will be a fix for the crack, as the obvious solution is go to 13.56.

 

I suspect the risk to this is very low. If I go to a client, which will probably be an apart community as that is our vertical, and tell them about this, I doubt they will do anything. I would bet on it. Anyone trying to get into an apartment community has much easier methods.

 

Now an enterprise client like a school, manufacturing/distribution facility etc may have bigger concerns.

 

Should they still be offered? Sure. Maybe with the manufacturer's recommendation they only be used in legacy installs, and not for new installs.

We challenged HID and they respond in: HID: Stop Selling Cracked 125 kHz Credentials

Card reader / keypad. AKA dual-authentication.

I see prox on designs and client standards all the time.  It is crazy.

We've known about this since reading an article about an intern working at RIM (now known as Blackberry) who built a sniffer well over 10 years ago. We have been transitioning away from 125kHz for several years. Now that the cost differential is negligible on new jobs we only quote smart card format. On existing clients we have notified them and look for opportunities to swap out if they upgrade old systems or do major addons. If you change out the readers to HID multiclass you can support older formats while issuing 13.56 credentials on anything new.

It will happen eventually, maybe slowly but at some point the format will be retired. I remember when Wiegand swipe cards were the standard and how many of those are still being used? A major vertical for us is condos and this is a big problem, especially in Toronto. In addition to losing control over who has access to facilities there have been stories of people renting out the building's guest suites on Air BNB and selling "fitness club memberships" using cloned 125 kHz credentials.

I agree that Bluetooth and NFC are still a bit too flaky for everyday use at present so the best you can do is advise your clients and make recommendations. If they can't/won't take your advice then so be it.

As for blaming ADI for selling insecure products I think that's a bit of a reach. They move boxes to make money. The products are legal and it's up to the person buying the product to understand the product's limitations and to determine if it's appropriate for the application. We rely on our own experience and expertise to be able to do the right thing for the customer. Expecting the distributor to do that is unrealistic, and in my view, unnecessary. ADI sells to the trade (well, mostly the trade) not retail consumers. The tradesperson should have requisite knowledge to design and install the system in accordance with the customer's requirements. Are they not "professionals"?

NOTICE: This comment has been moved to its own discussion: The Tradesperson Should Have Requisite Knowledge To Design And Install The System In Accordance With The Customer's Requirements. Are They Not "Professionals"?

Read this IPVM report for free.

This article is part of IPVM's 6,730 reports, 908 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports