Axis Releases Access Credentials - Insecure But Convenient

By Brian Rhodes, Published Nov 02, 2016, 09:10am EDT

Axis continues to build out their own end-to-end 'solution'. The company recently announced a series of credential cards, but instead of a cutting-edge and high security type, they are promoting a format that is easily exploited with equipment bought off the internet.

But it may not prove to a bad move, and rather may make using more Axis access product easier, especially for novice installers.

Inside we examine the new card offering, explain why it is an insecure choice, but why that largely may not matter to most users.

**********

*** ********** ** ***********, see *** *********** ****** *********** *****.

Axis' *** *********** ***********

**** *** ********* * line ** ***-***** **.** MHz *********** ********** ***** [link ** ****** *********], in ** ********-******** **-** size (3.4 * *.* × 0.03 **). **** **** credential *****, ************ ** PVC, ****** ******* ********, and ***** *** **** chemical *** ******** *****. *** ***** *** ***** and ******** *** ******** or *********** ******* *** picture ** ********.

***** ***, ****' ********* of ****** ******* **** has ********* ** * **** ********** *** **** *******, *** ** ***********. This ******** ***** * gap ******' ***-**-*** ********* ********* ** ****** *******.

Card *******

****** ******* *** **** cards *** ~$*** *** box ** ***, *** standard ***** ********. ********** pricing ** ~$*.** *** each.

**** ** ***** **% more **** *******, ***-**** branded ***** **** **** the**** *************, ***** ****** at ~$*.** ** ********, ********* ** ****** as $*.**.

Based ** ******* ****** ** ******

******* ***** **.** ***, these ********** ***** *** not *** ****-******** ************.

*** ***** *** ****** Classic ** ******, ***** have **** **** *******, with *** ***** ******* reported *** ******** ** NXP ** *** *** 1990s. ****** ******** ****, like **** ********* **** ***** ******* kit, *** ** ********* for ~$*** *** **** to '*****' ***** *********** in ***** * *******.

Axis ****** **********

*** ******* ******* ** Axis ********** ***** ** they *** ********* ** be ********** **** ****' two *******:

  • *****-* [**** ** ****** available]: *** ******** **** branded **** ****** ** a *****-*****, ******/*******, **** compatible ***** **** * street ***** ** ~$***.
  • *****-*: *** ************ ** this ***** *** *** same, *** *** * PIN ****** ** *** reader **** *** ******* *********** **************. ****** ****** *** ~$325.

********** ******** ** ***** *******, with ******** ** ******* and ********* ** ********* of '********' *********** ** chose *******. **** ********** the ******* ** ******** only *** ******** **** that ***** **** ***** readers, ** ************* *** reordering ** ********** *** ****** dealers ** ***-*****.

Not *** ********* *****

**** ***** *** ******** **** * **********, *** **** * and *** **.** *** formats **** ****** *** not *********, ***** ***** that ** *** ********* Axis ******* *** *** used, **** ****** ** taken ** ******** ******* a ********** *** ***** reader.

** **** *****, ******* 13.56 *** *******, **** those ******** ** **** HID ***********, *** ** used ** **** *** most ***** '**** ****** number' (***) ** **** when ********* ***** **** a ******.

Practical ***** ******** *****

***** '**** *********' ******* avoiding ********** ******* **** have **** *******, **** this ****'* ****** ******* 1K, *** ******* **** of ******** *********** ** typically *** * ******* or ******* ** **** end-users *** *********** *** still******* ********** ******** *** **** **** secure/unencrypted ** **** *** 125 *** *******.

******* ******* ** ****** or *********, *** **** of ******** ****** ******* credentials **** ** ************ for **** ****** *****, who *** *** *** rather ****** *** ****-***** methods ******** ** ***** keys * ******* ******* compared ** **** ********* risks **** **********************, ****** **** ********.

Comments (7)

Undisclosed Manufacturer #1

11/02/16 08:51pm

"But it may not prove to a bad move, and rather may make using more Axis access product easier, especially for novice installers."

Why would selling Mifare credentials make using Axis access product easier? It may make it easier to quote but there is not much benefit beyond that.

Mifare credentials have become commodity products and there's no money in selling those credentials.

IMO, it's not a very smart move on Axis' part.

Agree
Disagree: 1
Informative
Unhelpful
Funny
Avatar

Brian Rhodes

IPVMU Certified | In reply to Undisclosed Manufacturer #1 | 11/02/16 09:08pm

Why is this not 'a smart move'?

Many end-users do not know the differences between MIFARE or iClass or DESFire or ProxII, and they all look basically the same to someone who doesn't know what to look for.

Axis has a large portfolio of accessories to their camera products; brackets, extenders, lenses, etc. Are those not 'smart moves'?

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed Manufacturer #1

In reply to Brian Rhodes | 11/02/16 09:16pm

Although they all look the same they are different under the hood. Mifare cards don't work on Prox readers and Prox cards don't work on Mifare/DESFire readers.

It's smart to sell brackets because they are specifically designed for Axis cameras and are required to install Axis cameras. Extenders, lenses etc not so smart a move since they are available from a plethora of other vendors. It's not to say that it doesn't make sense, I just wouldn't classify it as a "smart move".

Agree
Disagree
Informative
Unhelpful
Funny
Avatar

Brian Rhodes

IPVMU Certified | In reply to Undisclosed Manufacturer #1 | 11/02/16 09:24pm

"Although they all look the same they are different under the hood. Mifare cards don't work on Prox readers and Prox cards don't work on Mifare/DESFire readers."

This is essentially the benefit for 'end-to-end' minded Axis. The supply clerk googles up 'axis access card' and finds the reorder product easy, avoiding ordering something that just doesn't work (but looks the same) by mistake.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Undisclosed Manufacturer #1

In reply to Brian Rhodes | 11/02/16 10:04pm

More like they'll search for "access card" or "prox card" and will find Amazon, Alibaba selling $0.20 cards.

Agree
Disagree
Informative
Unhelpful
Funny

John Honovich

IPVM | In reply to Undisclosed Manufacturer #1 | 11/02/16 10:54pm

More like they'll search for "access card" or "prox card" and will find Amazon, Alibaba selling $0.20 cards.

Unrealistic for their target market, simply because the companies Axis is selling to are people who are buying Axis cameras for $200 - $2,000 when they could have already searched Amazon and Alibaba to get $20 - $60 cameras.

I am not defending Axis, I think the whole OEM / copy / package solutions is a failure to have a real strategy, I am just saying there are definitely organizations out there that will pay Axis an extra 50 cents per card just to get it from Axis.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed Manufacturer #1

11/02/16 11:03pm

I agree and disagree with you John. Sure, those integrators/dealers/end users who choose Axis for their products/support will spend the extra dollars for the right products. When it comes down to ordering "consumables", those decision makers are probably not even in the loop anymore. That task might be on the hands of the facility manager or similar. Why would they care that the cards they are sourcing are not "Axis".

We supplied an integrated system to a very high end Hotel who spared no expense in selecting high end gear. When it came down to purchasing cards for their suites we lost the annual 65000 piece per year card sale. They has a source for cards at $0.20 USD each.

Agree: 1
Disagree
Informative
Unhelpful
Funny
Read this IPVM report for free.

This article is part of IPVM's 7,205 reports and 959 tests and is only available to subscribers. To get a one-time preview of our work, enter your work email to access the full article.

Already a subscriber? Login here | Join now
Loading Related Reports