HID: Stop Selling Cracked 125 kHz Credentials

By: IPVM Team, Published on Nov 05, 2018

HID should stop selling cracked 125 kHz access control credentials, that have been long cracked and can easily be copied by cheap cloners sold on eBay and Amazon.

To its credit, HID has long acknowledged the vulnerability and does take steps to warn customers of the risks, as HID has explained to IPVM inside this post.

Vulnerable / Cannot Be Fixed

However, since these products are vulnerable and cannot be 'fixed', they should not be sold at all. If HID or Axis or any responsible manufacturer found a vulnerability in their firmware, they would stop selling such products until they fixed it. Since the 125 kHz vulnerability cannot be fixed via firmware or software upgrade, they should be discontinued. The video below demonstrates exploiting the vulnerability:

Transition Time

Reasonably, HID can set a period of time in the near future where they will stop manufacturing such that existing users can transition their hardware and/or credentials as appropriate.

Facilitating an EOL deadline would not exclude HID from upgrades, as HID already has 'migration hardware' available with Multiclass readers supporting an immediate reader upgrade and slower/budgeted/planned credential migration.

Using those intermediate readers is a primary method HID itself suggests for transitioning, one of the three solutions we detail in our Cracked 125kHz Access Control Migration Guide.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

HID Largest Provider

We are calling on HID because they are the largest credentials provider and the only ones, short of government, capable of making a major market impact.

Moreover, HID could even use this as a differentiator against their smaller competitors to position themselves further as the 'market leader' who takes a strong stand in favor of 'security' at the expense of easy profits from selling vulnerability access control credentials. Notably, if HID did this, it would put pressure on rivals still selling these cracked credentials who would be viewed as still profiting from such insecurity.

Acknowledges Vulnerability

To their credit, HID acknowledges vulnerability, including a statement they provided to IPVM in response to our inquiry about discontinuing 125 kHz cards:

Moreover, HID emphasized in follow-up remarks that:

Our field teams disclose these known vulnerabilities in virtually every 1-on-1 customer (channel partner, consultant, or end customer) meeting regarding readers/credentials. These conversations are always followed by discussion of steps to mitigate the vulnerability through credential migration.

Most of our field team members have cloning devices for demonstration of attack methods.
We typically bring common cloning devices to tradeshows (e.g. GSX) where we conduct demonstrations during customer meetings in HID booth.

Despite this, HID says ~40% of the market is still using these cracked credentials and that, given that they would prefer they buy it from HID, a 'trusted partner':

as 125 kHz represents approximately 40% of the global physical access control credential market. Until there is a more substantial market shift away from the technology, we prefer that customers source it from a trusted partner.

No Warnings on HID Product Documentation

While HID has marketing materials warning of the vulnerabilities, they do not do so on their 125 kHz product documentation. The product pages and datasheets make no mention of any vulnerability nor defect. Indeed, HID markets their 'value' and how 'cost-effective' they are:

Indeed, the ProxCard II datasheet markets these cards 'security':

This is, at best, highly misleading since the issue is not the number of codes, it is that regardless of the specific code used, it can be read and copied using a cheap cloner.

The direct product documentation is quite important since specifiers and buyers often review or cite those documents when purchasing. Minimally, by including the vulnerability warning there, it would make it clearer what the risks are being exposed.

Conclusion

HID, by its own remarks, has placed itself in the rather remarkable position of selling against a vulnerable / defective product while simultaneously selling that defective product.

Surely, HID wants to be a 'trusted partner', as they say, and discontinuing cracked 125 kHz credentials would increase that trust while driving scores of users away from these credentials.

Vote / Poll

Comments (26) : Members only. Login. or Join.

Related Reports

Axis Compares Fever Camera Sellers to 9/11 on Sep 18, 2020
Axis Communications, the West's largest surveillance camera manufacturer, has...
Dahua Taunts Australian Government, Continues To Sell Illegal Fever Cameras on Aug 10, 2020
Dahua is effectively taunting the Australian government by continuing to sell...
Amazon, Microsoft and IBM Abandoning Face Recognition Is An "Irresponsible PR Stunt" Says AnyVision on Jul 17, 2020
In the wake of national protests against US police abuses, big tech firms...
Provider Admits Seoul Bus Station Temperature Screening Wrong on Aug 31, 2020
The South Korean company, EHOO, providing the temperature tablets highlighted...
Alabama Schools Million Dollar Hikvision Fever Camera Deal on Aug 11, 2020
The Baldwin County, Alabama public schools purchased a $1 million, 144-camera...
Anixter Runs Fake Coronavirus Marketing Using Shutterstock Watermarked Images on Jul 24, 2020
Coronavirus faked marketing is regrettably commonplace right now but Anixter...
South Korea Bus Outdoor Temperature Screening Endangers Public on Aug 26, 2020
These $80,000+ South Korea bus stations have gained world-wide attention but...
Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
Temperature Screening From The Protection Bureau and ZKTeco Violate IEC Standards and FDA Correct Operation on Jun 22, 2020
ZKTeco and integrator The Protection Bureau are marketing an installation...
Verkada: "IPVM Should Never Be Your Source of News" on Jul 02, 2020
Verkada was unhappy with IPVM's recent coverage declaring that reading IPVM...
Forced Door Alarms For Access Control Tutorial on Aug 17, 2020
One of the most important access control alarms is also often ignored....
Fever Cameras Are Medical Devices, Per The FDA, Dahua, Feevr, Hikvision, InVid Contrary Claims Are False on May 28, 2020
Fever cameras are medical devices, despite what euphemisms various sellers...
Beware Rigged China Fever Cameras on Sep 08, 2020
Many China fever camera manufacturers have rigged algorithms dynamically...
Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see,...
Favorite Access Control Credentials 2020 on Sep 15, 2020
Credential choice is more debated than ever, with hacking risk for 125kHz and...

Recent Reports

Hanwha AI Object Detection Tested on Sep 28, 2020
Hanwha has added detection and classification of people, cars, clothing...
Favorite Access Control Manufacturers 2020 on Sep 28, 2020
200+ Integrators told IPVM "What is your favorite access control management...
New Products Show Fall 2020 Starts Tomorrow! on Sep 27, 2020
Tomorrow, IPVM's sixth online show will feature New Products from over 25...
OnTech Smart Services Partners With Google and Amazon To Compete With Integrators on Sep 25, 2020
A pain point for many homeowners to use consumer security and surveillance is...
The Future of Metalens For Video Surveillance Cameras - MIT / UMass / Immervision on Sep 25, 2020
Panoramic cameras using 'fisheye' lens have become commonplace in video...
Hikvision Sues Over Brazilian Airport Loss on Sep 24, 2020
Hikvision was excluded from a Brazilian airport project because it is owned...
China General Chamber of Commerce Calls Out US Politics on Sep 24, 2020
While US-China relations are at an all-time low, optimism about relations...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
IP Networking Course Fall 2020 - Last Chance - Register Now on Sep 23, 2020
Today is the last chance to register for the only IP networking course...
Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
Norway Council of Ethics Finds Hikvision Human Rights Abuses "Ongoing" on Sep 23, 2020
Hikvision's involvement in "serious human rights abuse" in Xinjiang is...
IPVM Camera Calculator User Manual / Guide on Sep 23, 2020
Learn how to use the IPVM Camera Calculator (updated for Version 3.1). The...
Installation Course Fall 2020 - Save $50 - Last Chance on Sep 22, 2020
This is a unique installation course in a market where little practical...
SimpliSafe Business Security Launched Examined on Sep 22, 2020
SimpliSafe has launched "SimpliSafe Business Security" that the company...
FLIR CEO: Many New Fever Entrants "Making Claims That The Science Just Won't Support" on Sep 22, 2020
FLIR's CEO joins a growing number calling out risks with fever / screening...