Axis Releases Access Credentials - Insecure But Convenient

By: Brian Rhodes, Published on Nov 02, 2016

Axis continues to build out their own end-to-end 'solution'. The company recently announced a series of credential cards, but instead of a cutting-edge and high security type, they are promoting a format that is easily exploited with equipment bought off the internet.

But it may not prove to a bad move, and rather may make using more Axis access product easier, especially for novice installers.

Inside we examine the new card offering, explain why it is an insecure choice, but why that largely may not matter to most users.

**** ********* ** ***** out ***** ******-**-*** '********'. *** ******* ******** announced * ****** ** credential *****, *** ******* of * *******-**** *** high ******** ****, **** are ********* * ****** that ** ****** ********* with ********* ****** *** the ********.

*** ** *** *** prove to * *** ****, and ****** *** **** using **** **** ****** product ******, ********** *** novice **********.

****** ** ******* *** new **** ********, ******* why ** ** ** insecure ******, *** *** that ******* *** *** matter ** **** *****.

[***************]

**********

*** ********** ** ***********, see *** *********** ****** *********** *****.

Axis' *** *********** ***********

**** *** ********* * line ** ***-***** **.** MHz *********** ********** ***** [link ** ****** *********], in ** ********-******** **-** size (3.4 * *.* × 0.03 **). **** **** credential *****, ************ ** PVC, ****** ******* ********, and ***** *** **** chemical *** ******** *****. *** ***** *** ***** and ******** *** ******** or *********** ******* *** picture ** ********.

***** ***, ****' ********* of ****** ******* **** has ********* ** * **** ********** *** **** *******, *** ** ***********. This ******** ***** * gap ******' ***-**-*** ********* ********* ** ****** *******.

Card *******

****** ******* *** **** cards *** ~$*** *** box ** ***, *** standard ***** ********. ********** pricing ** ~$*.** *** each.

**** ** ***** **% more **** *******, ***-**** branded ***** **** **** the**** *************, ***** ****** at ~$*.** ** ********, ********* ** ****** as $*.**.

Based ** ******* ****** ** ******

******* ***** **.** ***, these ********** ***** *** not *** ****-******** ************.

*** ***** *** ****** Classic ** ******, ***** have **** **** *******, with *** ***** ******* reported *** ******** ** NXP ** *** *** 1990s. ****** ******** ****, like **** ********* **** ***** ******* kit, *** ** ********* for ~$*** *** **** to '*****' ***** *********** in ***** * *******.

Axis ****** **********

*** ******* ******* ** Axis ********** ***** ** they *** ********* ** be ********** **** ****' two *******:

  • *****-* [**** ** ****** available]: *** ******** **** branded **** ****** ** a *****-*****, ******/*******, **** compatible ***** **** * street ***** ** ~$***.
  • *****-*: *** ************ ** this ***** *** *** same, *** *** * PIN ****** ** *** reader **** *** ******* *********** **************. ****** ****** *** ~$325.

********** ******** ** ***** *******, with ******** ** ******* and ********* ** ********* of '********' *********** ** chose *******. **** ********** the ******* ** ******** only *** ******** **** that ***** **** ***** readers, ** ************* *** reordering ** ********** *** ****** dealers ** ***-*****.

Not *** ********* *****

**** ***** *** ******** **** * **********, *** **** * and *** **.** *** formats **** ****** *** not *********, ***** ***** that ** *** ********* Axis ******* *** *** used, **** ****** ** taken ** ******** ******* a ********** *** ***** reader.

** **** *****, ******* 13.56 *** *******, **** those ******** ** **** HID ***********, *** ** used ** **** *** most ***** '**** ****** number' (***) ** **** when ********* ***** **** a ******.

Practical ***** ******** *****

***** '**** *********' ******* avoiding ********** ******* **** have **** *******, **** this ****'* ****** ******* 1K, *** ******* **** of ******** *********** ** typically *** * ******* or ******* ** **** end-users *** *********** *** still******* ********** ******** *** **** **** secure/unencrypted ** **** *** 125 *** *******.

******* ******* ** ****** or *********, *** **** of ******** ****** ******* credentials **** ** ************ for **** ****** *****, who *** *** *** rather ****** *** ****-***** methods ******** ** ***** keys * ******* ******* compared ** **** ********* risks **** **********************, ****** **** ********.

Comments (7)

Undisclosed Manufacturer #1

11/02/16 08:51pm

"But it may not prove to a bad move, and rather may make using more Axis access product easier, especially for novice installers."

Why would selling Mifare credentials make using Axis access product easier? It may make it easier to quote but there is not much benefit beyond that.

Mifare credentials have become commodity products and there's no money in selling those credentials.

IMO, it's not a very smart move on Axis' part.

Avatar

Brian Rhodes

IPVMU Certified | In reply to Undisclosed Manufacturer #1 | 11/02/16 09:08pm

Why is this not 'a smart move'?

Many end-users do not know the differences between MIFARE or iClass or DESFire or ProxII, and they all look basically the same to someone who doesn't know what to look for.

Axis has a large portfolio of accessories to their camera products; brackets, extenders, lenses, etc. Are those not 'smart moves'?

Undisclosed Manufacturer #1

In reply to Brian Rhodes | 11/02/16 09:16pm

Although they all look the same they are different under the hood. Mifare cards don't work on Prox readers and Prox cards don't work on Mifare/DESFire readers.

It's smart to sell brackets because they are specifically designed for Axis cameras and are required to install Axis cameras. Extenders, lenses etc not so smart a move since they are available from a plethora of other vendors. It's not to say that it doesn't make sense, I just wouldn't classify it as a "smart move".

Avatar

Brian Rhodes

IPVMU Certified | In reply to Undisclosed Manufacturer #1 | 11/02/16 09:24pm

"Although they all look the same they are different under the hood. Mifare cards don't work on Prox readers and Prox cards don't work on Mifare/DESFire readers."

This is essentially the benefit for 'end-to-end' minded Axis. The supply clerk googles up 'axis access card' and finds the reorder product easy, avoiding ordering something that just doesn't work (but looks the same) by mistake.

Undisclosed Manufacturer #1

In reply to Brian Rhodes | 11/02/16 10:04pm

More like they'll search for "access card" or "prox card" and will find Amazon, Alibaba selling $0.20 cards.

John Honovich

IPVM | In reply to Undisclosed Manufacturer #1 | 11/02/16 10:54pm

More like they'll search for "access card" or "prox card" and will find Amazon, Alibaba selling $0.20 cards.

Unrealistic for their target market, simply because the companies Axis is selling to are people who are buying Axis cameras for $200 - $2,000 when they could have already searched Amazon and Alibaba to get $20 - $60 cameras.

I am not defending Axis, I think the whole OEM / copy / package solutions is a failure to have a real strategy, I am just saying there are definitely organizations out there that will pay Axis an extra 50 cents per card just to get it from Axis.

Undisclosed Manufacturer #1

11/02/16 11:03pm

I agree and disagree with you John. Sure, those integrators/dealers/end users who choose Axis for their products/support will spend the extra dollars for the right products. When it comes down to ordering "consumables", those decision makers are probably not even in the loop anymore. That task might be on the hands of the facility manager or similar. Why would they care that the cards they are sourcing are not "Axis".

We supplied an integrated system to a very high end Hotel who spared no expense in selecting high end gear. When it came down to purchasing cards for their suites we lost the annual 65000 piece per year card sale. They has a source for cards at $0.20 USD each.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

HID Releases Lower-Cost Signo Readers on Mar 06, 2020
HID Global is releasing a new line of readers called Signo they claim read farther, are mobile-ready, and automatically adjust for better reads on...
New: Mobile Access Proxy Releases 'World's Smallest Mobile Reader' on Mar 04, 2020
Mobile access provider Proxy claims its new Nano is 'the world’s smallest mobile reader' that can be installed into nearly all existing access...
Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see, especially because most look and feel the same. Even insecure 125 kHz...
Access Credential Form Factor Tutorial on Feb 10, 2020
Deciding which access control credential to use and distribute, including form factor, can be a difficult task. Knowing the limitations and...
Vehicle & Long Range Access Reader Tutorial on Jan 21, 2020
One of the classic challenges for access control are parking lots and garages, where the user's credential is far from the reader. With modern...
Directory of Access Reader Manufacturers on Nov 27, 2019
Credential Readers are one of the most visible and noticeable parts of access systems, but installers often stick with only the brand they always...
Fingerprints for Access Control Guide on Sep 09, 2019
Users can lose badges, but they never misplace a finger, right? The most common biometric used in access are fingerprints, and it has become one...
Nortek Blue Pass Mobile Access Reader Tested on Jul 11, 2019
Nortek claims BluePass mobile readers are a 'more secure and easy to use approach to access', but our testing uncovered security problems and...
Farpointe Data Conekt Mobile Access Reader Tested on Jun 13, 2019
California based Farpointe Data has been a significant OEM supplier of conventional access readers for years to companies including DMP, RS2, DSX,...
Startup GateKeeper Aims For Unified Physical / Logical Access Token on Apr 04, 2019
This startup's product claims to 'Kill the Password' you use to keep your computers safe. They have already released their Gatekeeper Halberd...

Most Recent Industry Reports

GeoVision Presents AI and Facial Recognition on May 22, 2020
GeoVision presented its AI analytics and facial recognition at the April 2020 IPVM New Products show. Inside this report: A 30-minute video...
Density Presents Occupancy Monitoring For Coronavirus Protection on May 22, 2020
Density presented its cloud-based occupancy sensor to deal with Coronavirus at the May 2020 IPVM Startups show. Inside this report: A...
Openpath Presents Two Door PoE Controller on May 21, 2020
Openpath presented its new PoE controller at the May 2020 IPVM Startups show. Inside this report: A 30-minute video from Openpath including...
Bosch Presents MIC 7100 Extreme PTZs on May 21, 2020
Bosch presented its MIC 7100 Extreme PTZs at the April 2020 IPVM New Products show. Inside this report: A 30-minute video from Bosch...
Hikvision Chairman Targeted For Sanctions As Federal Watchdog Calls Out Hikvision "Serious Religious Freedom Violations" on May 21, 2020
The US government's religious freedom watchdog has criticized Hikvision for being "credibly implicated in serious religious freedom violations"....
Hikvision Temperature Screening Tested on May 20, 2020
Hikvision has ramped up the promotion of its 'temperature screening' system, including their salespeople arguing for no blackbody needed. But how...
Axxon Presents VMS 4.4 and AI Behavior Analytics on May 20, 2020
AxxonSoft presented its VMS 4.4 and AI behavior analytics at the April 2020 IPVM New Products show. Inside this report: A 30-minute video...
Indoor Robotics Presents Tando Aerial Drones on May 20, 2020
Indoor Robotics presented Tando indoor autonomous drones at the May 2020 IPVM Startups show. Inside this report: A 30-minute video from...
Directory of 89 Video Surveillance Startups on May 20, 2020
This directory provides a list of video surveillance startups to help you see and research what companies are new or not yet broadly...
FLIR Cancelling Contract With X.Labs / Feevr on May 20, 2020
While X.Labs announced the signing of a new agreement with FLIR on May 12, 2020, FLIR said, in response, on May 18, 2020, that they had cancelled a...