Axis Releases Access Credentials - Insecure But Convenient

By Brian Rhodes, Published on Nov 02, 2016

Axis continues to build out their own end-to-end 'solution'. The company recently announced a series of credential cards, but instead of a cutting-edge, high-security type, they are promoting a format that is easily exploited with equipment bought off the internet.

But it may not prove to be a bad move, and rather may make using more Axis access product easier, especially for novice installers.

Inside, we examine the new card offering and explain why it is an insecure choice, but also why that largely may not matter to most users.

**********

*** ********** ** ***********, see *** *********** ****** *********** *****.

Axis' *** *********** ***********

**** *** ********* * line ** ***-***** **.** MHz *********** ********** ***** [link ** ****** *********], in ** ********-******** **-** size (3.4 * *.* × 0.03 **). **** **** credential *****, ************ ** PVC, ****** ******* ********, and ***** *** **** chemical *** ******** *****. *** ***** *** ***** and ******** *** ******** or *********** ******* *** picture ** ********.

***** ***, ****' ********* of ****** ******* **** has ********* ** * **** ********** *** **** *******, *** ** ***********. This ******** ***** * gap ******' ***-**-*** ********* ********* ** ****** *******.

Card *******

****** ******* *** **** cards *** ~$*** *** box ** ***, *** standard ***** ********. ********** pricing ** ~$*.** *** each.

**** ** ***** **% more **** *******, ***-**** branded ***** **** **** the**** *************, ***** ****** at ~$*.** ** ********, ********* ** ****** as $*.**.

Based ** ******* ****** ** ******

******* ***** **.** ***, these ********** ***** *** not *** ****-******** ************.

*** ***** *** ****** Classic ** ******, ***** have **** **** *******, with *** ***** ******* reported *** ******** ** NXP ** *** *** 1990s. ****** ******** ****, like **** ********* **** ***** ******* kit, *** ** ********* for ~$*** *** **** to '*****' ***** *********** in ***** * *******.

Axis ****** **********

*** ******* ******* ** Axis ********** ***** ** they *** ********* ** be ********** **** ****' two *******:

  • *****-* [**** ** ****** available]: *** ******** **** branded **** ****** ** a *****-*****, ******/*******, **** compatible ***** **** * street ***** ** ~$***.
  • *****-*: *** ************ ** this ***** *** *** same, *** *** * PIN ****** ** *** reader **** *** ******* *********** **************. ****** ****** *** ~$325.

********** ******** ** ***** *******, with ******** ** ******* and ********* ** ********* of '********' *********** ** chose *******. **** ********** the ******* ** ******** only *** ******** **** that ***** **** ***** readers, ** ************* *** reordering ** ********** *** ****** dealers ** ***-*****.

Not *** ********* *****

**** ***** *** ******** **** * **********, *** **** * and *** **.** *** formats **** ****** *** not *********, ***** ***** that ** *** ********* Axis ******* *** *** used, **** ****** ** taken ** ******** ******* a ********** *** ***** reader.

** **** *****, ******* 13.56 *** *******, **** those ******** ** **** HID ***********, *** ** used ** **** *** most ***** '**** ****** number' (***) ** **** when ********* ***** **** a ******.

Practical ***** ******** *****

***** '**** *********' ******* avoiding ********** ******* **** have **** *******, **** this ****'* ****** ******* 1K, *** ******* **** of ******** *********** ** typically *** * ******* or ******* ** **** end-users *** *********** *** still******* ********** ******** *** **** **** secure/unencrypted ** **** *** 125 *** *******.

******* ******* ** ****** or *********, *** **** of ******** ****** ******* credentials **** ** ************ for **** ****** *****, who *** *** *** rather ****** *** ****-***** methods ******** ** ***** keys * ******* ******* compared ** **** ********* risks **** **********************, ****** **** ********.

Comments (7)

"But it may not prove to a bad move, and rather may make using more Axis access product easier, especially for novice installers."

Why would selling Mifare credentials make using Axis access product easier? It may make it easier to quote but there is not much benefit beyond that.

Mifare credentials have become commodity products and there's no money in selling those credentials.

IMO, it's not a very smart move on Axis' part.

Why is this not 'a smart move'?

Many end-users do not know the differences between MIFARE or iClass or DESFire or ProxII, and they all look basically the same to someone who doesn't know what to look for.

Axis has a large portfolio of accessories to their camera products; brackets, extenders, lenses, etc. Are those not 'smart moves'?

Although they all look the same they are different under the hood. Mifare cards don't work on Prox readers and Prox cards don't work on Mifare/DESFire readers.

It's smart to sell brackets because they are specifically designed for Axis cameras and are required to install Axis cameras. Extenders, lenses etc not so smart a move since they are available from a plethora of other vendors. It's not to say that it doesn't make sense, I just wouldn't classify it as a "smart move".

"Although they all look the same they are different under the hood. Mifare cards don't work on Prox readers and Prox cards don't work on Mifare/DESFire readers."

This is essentially the benefit for 'end-to-end' minded Axis. The supply clerk googles up 'axis access card' and finds the reorder product easy, avoiding ordering something that just doesn't work (but looks the same) by mistake.

More like they'll search for "access card" or "prox card" and will find Amazon, Alibaba selling $0.20 cards.

"More like they'll search for "access card" or "prox card" and will find Amazon, Alibaba selling $0.20 cards."

Unrealistic for their target market, simply because the companies Axis is selling to are people who are buying Axis cameras for $200 - $2,000 when they could have already searched Amazon and Alibaba to get $20 - $60 cameras.

I am not defending Axis, I think the whole OEM / copy / package solutions is a failure to have a real strategy, I am just saying there are definitely organizations out there that will pay Axis an extra 50 cents per card just to get it from Axis.

I agree and disagree with you, John. Sure, those integrators/dealers/end users who choose Axis for their products/support will spend the extra dollars for the right products. When it comes down to ordering "consumables", those decision makers are probably not even in the loop anymore. That task might be in the hands of the facility manager or similar. Why would they care that the cards they are sourcing are not "Axis"?

We supplied an integrated system to a very high end Hotel who spared no expense in selecting high end gear. When it came down to purchasing cards for their suites we lost the annual 65000 piece per year card sale. They had a source for cards at $0.20 USD each.
