ADI Pushing Cracked 125 kHz Access Control

I have had some customers who could care less about the vulnerability of a technology such as this. You try and convince them they should upgrade to a more secure product but more often than not they really don't care. One big drawback getting someone to switch was due to the shorter read range of the 13.56 MHz technology compared to the old 125kHz. I always push for customers to switch out to newer card readers and credentials but some just don't care. Depending on the site I get it, who is truly going to clone one of their cards. 

Thanks for highlighting this issue. Our company has been supplying restricted masterkey systems for over 40 years to solve the problem of unauthorized key duplication. We supply these systems in the majority of commercial applications. I would often point out to the customer that the access reader for the same door they have installed a restricted system on an have the cards easily duplicated. I purchased a cloning device 5 years ago and would show them how it is done. The main issue I would point out to them is identity theft. When someone duplicates your access card they assume your access level and in the audit trail of the systems software the name of the person accessing the door is you. 

many jobs are expansions of existing 125khz sites with hundreds/thousands of 125khz creds.  Selling kits with multi-format readers would help but it can be difficult to transition hundreds of creds over for 125khz to 13.56mhz

Any wiegand protocol is insecure and can be bypassed for $30 in 5 minutes. Doesn’t matter with PIN or not, Biometric, high or low feq. Man in the middle attack.

125kHz is not necessary vulnerable in all cases. It depends on how this technology is applied. Impro Technologies - a South African manufacturer - and part of Assa Abloy, has launched their S-Series already a year ago featuring anti-cloning credentials. See their website http://www.impro.net/box.

Copying a tag or card with the mentioned copy devices will not grant you access when you use these 125 kHz products 

This is one of the many reasons we always require card plus pin. Doesn’t matter what cards we’re using, this is what we require our customers to use. No matter what credential you use a card can be stolen. We’ve found employees are also more hesitant to give up both their card and pin when asked to lend to an coworker. I’m not sure why card + pin isn’t more common. 

Card reader / keypad. AKA dual-authentication.

We've known about this since reading an article about an intern working at RIM (now known as Blackberry) who built a sniffer well over 10 years ago. We have been transitioning away from 125kHz for several years. Now that the cost differential is negligible on new jobs we only quote smart card format. On existing clients we have notified them and look for opportunities to swap out if they upgrade old systems or do major addons. If you change out the readers to HID multiclass you can support older formats while issuing 13.56 credentials on anything new.

It will happen eventually, maybe slowly but at some point the format will be retired. I remember when Wiegand swipe cards were the standard and how many of those are still being used? A major vertical for us is condos and this is a big problem, especially in Toronto. In addition to losing control over who has access to facilities there have been stories of people renting out the building's guest suites on Air BNB and selling "fitness club memberships" using cloned 125 kHz credentials.

I agree that Bluetooth and NFC are still a bit too flaky for everyday use at present so the best you can do is advise your clients and make recommendations. If they can't/won't take your advice then so be it.

As for blaming ADI for selling insecure products I think that's a bit of a reach. They move boxes to make money. The products are legal and it's up to the person buying the product to understand the product's limitations and to determine if it's appropriate for the application. We rely on our own experience and expertise to be able to do the right thing for the customer. Expecting the distributor to do that is unrealistic, and in my view, unnecessary. ADI sells to the trade (well, mostly the trade) not retail consumers. The tradesperson should have requisite knowledge to design and install the system in accordance with the customer's requirements. Are they not "professionals"?

NOTICE: This comment has been moved to its own discussion: The Tradesperson Should Have Requisite Knowledge To Design And Install The System In Accordance With The Customer's Requirements. Are They Not "Professionals"?