HID: Stop Selling Cracked 125 kHz Credentials

Author: IPVM Team, Published on Nov 05, 2018

HID should stop selling 125 kHz access control credentials, which have long been cracked and can easily be copied by cheap cloners sold on eBay and Amazon.

To its credit, HID has long acknowledged the vulnerability and does take steps to warn customers of the risks, as HID has explained to IPVM inside this post.

Vulnerable / Cannot Be Fixed

However, since these products are vulnerable and cannot be 'fixed', they should not be sold at all. If HID or Axis or any responsible manufacturer found a vulnerability in their firmware, they would stop selling such products until they fixed it. Since the 125 kHz vulnerability cannot be fixed via firmware or software upgrade, they should be discontinued. The video below demonstrates exploiting the vulnerability:

Transition Time

Reasonably, HID could set a date in the near future after which it will stop manufacturing these credentials, so that existing users can transition their hardware and/or credentials as appropriate.

Setting an EOL deadline would not leave HID without an upgrade path to offer, as HID already has 'migration hardware' available: Multiclass readers support an immediate reader upgrade and a slower, budgeted, planned credential migration.

Using those intermediate readers is a primary method HID itself suggests for transitioning, one of the three solutions we detail in our Cracked 125kHz Access Control Migration Guide.


HID Largest Provider

We are calling on HID because they are the largest credentials provider and the only ones, short of government, capable of making a major market impact.

Moreover, HID could even use this as a differentiator against their smaller competitors to position themselves further as the 'market leader' who takes a strong stand in favor of 'security' at the expense of easy profits from selling vulnerable access control credentials. Notably, if HID did this, it would put pressure on rivals still selling these cracked credentials, who would be viewed as still profiting from such insecurity.

Acknowledges Vulnerability

To their credit, HID acknowledges the vulnerability, including in a statement they provided to IPVM in response to our inquiry about discontinuing 125 kHz cards:

Moreover, HID emphasized in follow-up remarks that:

Our field teams disclose these known vulnerabilities in virtually every 1-on-1 customer (channel partner, consultant, or end customer) meeting regarding readers/credentials. These conversations are always followed by discussion of steps to mitigate the vulnerability through credential migration.

Most of our field team members have cloning devices for demonstration of attack methods.
We typically bring common cloning devices to tradeshows (e.g. GSX) where we conduct demonstrations during customer meetings in the HID booth.

Despite this, HID says ~40% of the market is still using these cracked credentials and that, given this, they would prefer customers buy them from HID, a 'trusted partner':

as 125 kHz represents approximately 40% of the global physical access control credential market. Until there is a more substantial market shift away from the technology, we prefer that customers source it from a trusted partner.

No Warnings on HID Product Documentation

While HID has marketing materials warning of the vulnerabilities, they do not do so on their 125 kHz product documentation. The product pages and datasheets make no mention of any vulnerability nor defect. Indeed, HID markets their 'value' and how 'cost-effective' they are:

Indeed, the ProxCard II datasheet markets these cards' 'security':

This is, at best, highly misleading since the issue is not the number of codes; it is that, regardless of the specific code used, the card can be read and copied using a cheap cloner.

The direct product documentation is quite important since specifiers and buyers often review or cite those documents when purchasing. At a minimum, including the vulnerability warning there would make clearer what risks buyers are being exposed to.

Conclusion

HID, by its own remarks, has placed itself in the rather remarkable position of selling against a vulnerable / defective product while simultaneously selling that defective product.

Surely, HID wants to be a 'trusted partner', as they say, and discontinuing cracked 125 kHz credentials would increase that trust while driving scores of users away from these credentials.

