Axis Releases Access Credentials - Insecure But Convenient

By: Brian Rhodes, Published on Nov 02, 2016

Axis continues to build out their own end-to-end 'solution'. The company recently announced a series of credential cards, but instead of a cutting-edge and high security type, they are promoting a format that is easily exploited with equipment bought off the internet.

But it may not prove to a bad move, and rather may make using more Axis access product easier, especially for novice installers.

Inside we examine the new card offering, explain why it is an insecure choice, but why that largely may not matter to most users.

**** ********* ** ***** out ***** ******-**-*** '********'. *** ******* ******** announced * ****** ** credential *****, *** ******* of * *******-**** *** high ******** ****, **** are ********* * ****** that ** ****** ********* with ********* ****** *** the ********.

*** ** *** *** prove to * *** ****, and ****** *** **** using **** **** ****** product ******, ********** *** novice **********.

****** ** ******* *** new **** ********, ******* why ** ** ** insecure ******, *** *** that ******* *** *** matter ** **** *****.

[***************]

**********

*** ********** ** ***********, see *** *********** ****** *********** *****.

Axis' *** *********** ***********

**** *** ********* * line ** ***-***** **.** MHz *********** ********** ***** [link ** ****** *********], in ** ********-******** **-** size (3.4 * *.* × 0.03 **). **** **** credential *****, ************ ** PVC, ****** ******* ********, and ***** *** **** chemical *** ******** *****. *** ***** *** ***** and ******** *** ******** or *********** ******* *** picture ** ********.

***** ***, ****' ********* of ****** ******* **** has ********* ** * **** ********** *** **** *******, *** ** ***********. This ******** ***** * gap ******' ***-**-*** ********* ********* ** ****** *******.

Card *******

****** ******* *** **** cards *** ~$*** *** box ** ***, *** standard ***** ********. ********** pricing ** ~$*.** *** each.

**** ** ***** **% more **** *******, ***-**** branded ***** **** **** the**** *************, ***** ****** at ~$*.** ** ********, ********* ** ****** as $*.**.

Based ** ******* ****** ** ******

******* ***** **.** ***, these ********** ***** *** not *** ****-******** ************.

*** ***** *** ****** Classic ** ******, ***** have **** **** *******, with *** ***** ******* reported *** ******** ** NXP ** *** *** 1990s. ****** ******** ****, like **** ********* **** ***** ******* kit, *** ** ********* for ~$*** *** **** to '*****' ***** *********** in ***** * *******.

Axis ****** **********

*** ******* ******* ** Axis ********** ***** ** they *** ********* ** be ********** **** ****' two *******:

  • *****-* [**** ** ****** available]: *** ******** **** branded **** ****** ** a *****-*****, ******/*******, **** compatible ***** **** * street ***** ** ~$***.
  • *****-*: *** ************ ** this ***** *** *** same, *** *** * PIN ****** ** *** reader **** *** ******* *********** **************. ****** ****** *** ~$325.

********** ******** ** ***** *******, with ******** ** ******* and ********* ** ********* of '********' *********** ** chose *******. **** ********** the ******* ** ******** only *** ******** **** that ***** **** ***** readers, ** ************* *** reordering ** ********** *** ****** dealers ** ***-*****.

Not *** ********* *****

**** ***** *** ******** **** * **********, *** **** * and *** **.** *** formats **** ****** *** not *********, ***** ***** that ** *** ********* Axis ******* *** *** used, **** ****** ** taken ** ******** ******* a ********** *** ***** reader.

** **** *****, ******* 13.56 *** *******, **** those ******** ** **** HID ***********, *** ** used ** **** *** most ***** '**** ****** number' (***) ** **** when ********* ***** **** a ******.

Practical ***** ******** *****

***** '**** *********' ******* avoiding ********** ******* **** have **** *******, **** this ****'* ****** ******* 1K, *** ******* **** of ******** *********** ** typically *** * ******* or ******* ** **** end-users *** *********** *** still******* ********** ******** *** **** **** secure/unencrypted ** **** *** 125 *** *******.

******* ******* ** ****** or *********, *** **** of ******** ****** ******* credentials **** ** ************ for **** ****** *****, who *** *** *** rather ****** *** ****-***** methods ******** ** ***** keys * ******* ******* compared ** **** ********* risks **** **********************, ****** **** ********.

Comments (7)

"But it may not prove to a bad move, and rather may make using more Axis access product easier, especially for novice installers."

Why would selling Mifare credentials make using Axis access product easier? It may make it easier to quote but there is not much benefit beyond that.

Mifare credentials have become commodity products and there's no money in selling those credentials.

IMO, it's not a very smart move on Axis' part.

Why is this not 'a smart move'?

Many end-users do not know the differences between MIFARE or iClass or DESFire or ProxII, and they all look basically the same to someone who doesn't know what to look for.

Axis has a large portfolio of accessories to their camera products; brackets, extenders, lenses, etc. Are those not 'smart moves'?

Although they all look the same they are different under the hood. Mifare cards don't work on Prox readers and Prox cards don't work on Mifare/DESFire readers.

It's smart to sell brackets because they are specifically designed for Axis cameras and are required to install Axis cameras. Extenders, lenses etc not so smart a move since they are available from a plethora of other vendors. It's not to say that it doesn't make sense, I just wouldn't classify it as a "smart move".

"Although they all look the same they are different under the hood. Mifare cards don't work on Prox readers and Prox cards don't work on Mifare/DESFire readers."

This is essentially the benefit for 'end-to-end' minded Axis. The supply clerk googles up 'axis access card' and finds the reorder product easy, avoiding ordering something that just doesn't work (but looks the same) by mistake.

More like they'll search for "access card" or "prox card" and will find Amazon, Alibaba selling $0.20 cards.

More like they'll search for "access card" or "prox card" and will find Amazon, Alibaba selling $0.20 cards.

Unrealistic for their target market, simply because the companies Axis is selling to are people who are buying Axis cameras for $200 - $2,000 when they could have already searched Amazon and Alibaba to get $20 - $60 cameras.

I am not defending Axis, I think the whole OEM / copy / package solutions is a failure to have a real strategy, I am just saying there are definitely organizations out there that will pay Axis an extra 50 cents per card just to get it from Axis.

I agree and disagree with you John. Sure, those integrators/dealers/end users who choose Axis for their products/support will spend the extra dollars for the right products. When it comes down to ordering "consumables", those decision makers are probably not even in the loop anymore. That task might be on the hands of the facility manager or similar. Why would they care that the cards they are sourcing are not "Axis".

We supplied an integrated system to a very high end Hotel who spared no expense in selecting high end gear. When it came down to purchasing cards for their suites we lost the annual 65000 piece per year card sale. They has a source for cards at $0.20 USD each.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on Access Control

The Access Control Codes Guide: IBC, NFPA 72, 80 & 101 on Nov 07, 2019
For access, there is one basic maxim: Life safety above all else. But how do you know if all applicable codes are being followed? While the...
90+ Companies Profile Directory on Nov 05, 2019
While IPVM covers the largest companies in the industry regularly (like Axis, Dahua, Hikvision, etc.), IPVM strives to do a profile post on each...
Tailgating: Access Control Tutorial on Oct 31, 2019
Nearly all access control systems are vulnerable to an easy exploit called 'tailgating'. Indeed, a friendly gesture in holding doors for others...
France Declares School Facial Recognition Illegal Due to GDPR on Oct 31, 2019
France is the latest European country to effectively prohibit facial recognition as a school access control solution, even with the consent of...
Lock Status Monitoring Tutorial on Oct 28, 2019
Just because access doors are closed does not mean they are locked. Unless access systems are using lock status monitoring, the doors and areas...
Security Canada Central Show Report 2019 on Oct 24, 2019
IPVM attended Security Canada Central in Toronto to see what is new in the Canadian market. Inside, we share videos and dozens of images...
Covert Elevator Face Recognition on Oct 24, 2019
Covert elevator facial recognition has the potential to solve the cost and complexity of elevator surveillance while engendering immense privacy...
Access Control Door Controllers Guide on Oct 22, 2019
Door controllers are at the center of physical access control systems connecting software, readers, and locks. Despite being buried inside...
Securing Access Control Installations Tutorial on Oct 17, 2019
The physical security of access control components is critical to ensuring that a facility is truly secure. Otherwise, the entire system can be...
Access Control Course Fall 2019 - Last Chance on Oct 17, 2019
Register Now - Fall 2019 Access Control Course. Thursday, October 17th is the last day to register. IPVM offers the most comprehensive access...

Most Recent Industry Reports

Wireless / WiFi Access Lock Guide on Nov 12, 2019
For some access openings, running wires can add thousands in cost, and wireless alternatives that avoid it becomes appealing. But using wireless...
Open vs End-to-End Systems: Integrator Statistics 2019 on Nov 11, 2019
Preference for open systems is on the decline, according to new IPVM statistics. We asked integrators: For video surveillance systems, do you...
Biggest Low Light Problems 2019 on Nov 08, 2019
Over 150 integrators responded to our survey question: "What are the biggest problems you face getting good low-light images?" Inside, we share...
US Issues Criminal Charges For Fraudulently Selling Hikvision And Other China Products on Nov 07, 2019
The US government has made an unprecedented move on the video surveillance supply chain, charging a US company, Aventura for "having conspired with...
The Access Control Codes Guide: IBC, NFPA 72, 80 & 101 on Nov 07, 2019
For access, there is one basic maxim: Life safety above all else. But how do you know if all applicable codes are being followed? While the...
Rhombus Cameras, VMS and Analytics Tested on Nov 06, 2019
Rhombus boasts they have created "the new standard in Enterprise, cloud-managed video security" and told IPVM in January 2019 they offer twice the...
"Stress in the Residential Market" - Major Lender Exits on Nov 06, 2019
The residential security / 'alarm' market is getting worse, at least for traditional players. Now, one of the biggest lenders in the industry has...
Aiphone Video Intercom Tested (IX Series 2) on Nov 05, 2019
Aiphone was one of integrator's favorite intercom manufacturers but how well do their products work? The company's newest offering, the IX Series 2...
90+ Companies Profile Directory on Nov 05, 2019
While IPVM covers the largest companies in the industry regularly (like Axis, Dahua, Hikvision, etc.), IPVM strives to do a profile post on each...