HID: 91% Of Access Cards Potentially Insecure

By Brian Rhodes, Published Aug 05, 2021, 12:07pm EDT

HID, one of the world's largest access companies, said at the IPVM Access Control Show that more than 90% of the cards used are potentially insecure.

Inside this report, we share:

  • HID Says Over 91% 'Potentially Insecure'
  • Large Portion Of Market Still Uses 125 kHz
  • How Many Credentials Use Unsecure CSN/UID Features
  • Recommends Multi-Factor Authentication
  • HID Still Sells/Supports Risky Formats

For background, see Hack Your Access Control With This $30 HID 125kHz Card Copier, Contactless Access Credentials Guide, and Multi-Factor Access Control Authentication Guide.

HID **** **% *********** ********

****** ******* **** ****** ****, *** **** **** *% ** the ******* *********** ****** ** ***** secure **********:

**** ** *** ******** ***** **** showed ** ********** **** *****:

*** *******, ******** ** ******* ********* at *** **********:

*** **** *** **** ** ***** high-frequency *********** ** * *** **** detail, *** *** *** **** ****** around *% ** *** ****** (*** this ** *** ***** ********) *% of *** ****** ** **** ** would **** * '****** **********', *** the **** ** **** ** *********** insecure.

125 *** ***** ******

*** **** ****** **% ** *** credentials **** ** **** *** ****** copied *** *** *******:

******* **** *** *********:

****************,********************************************************,*****************************************. ********%***************************************** (**.** ***)***********%*************** (*** ***),********.

** ******** **Hack **** ****** ******* **** **** $** *** ****** **** ******, these access credentials are inexpensively and quickly duplicated with gadgets easily purchased off the internet.

***** *** ************* ** *** *** formats ** **** *****, **** ***** do *** ******** *** **** **** enough ** ***** ***** ********* ** secure ******* *** ***********, ** ******** in******* ****** ****** ******* ********* *****.

CSN/UIDs *** "**** ********" ********

**** ****** ********** ******* **** **.** MHz ****** *** ****** ******* *** be **** **********, ************ **** ***** formats ** *** *** ********* *********** to ** *** **********.

******, ** *** ***** *** ** the '**% *********** ********' *****,**** ******* *** ***********/****** ******** **** Serial ******* (***) **** ****** *** (Unique **) ********** ***** ** *** credential.

***** *** **** ******'*** *** ****** ***** ** **** for ******** ** ******* ****** *******', it ********** **, ***** *** **** data **** ** ********* * ******'* users *** *** *********** **** *** issued.:

***** ******* *** *** ****** ******* they ******* ** ********** *** ** read/unlock *** *** ********* ******** ** any **.** *** ******, ********* *** credential's ********* **********.

** ********, **** ****** ** ********* static *** ****** ** *******. ***** we ** *** **** ***** ***** this **** *** **** *********, ******* this ********* ****** ***** *********** ****** in ************ ********** ***** **** ** an ****** ******.

******* ***** ******** *****, ****/**** *** still ******** **** ** ****** *******, especially '*****' ****** ******* ** ***** using ****** *** *** ******* **** do *** ******* ********** **********.

(****: *** *** ********* **'* *** iClass *** ****** ******* *** *********** will ******* *******/******** ****. **** **** test **** ********.)

HID: *** *********** ** ********

*** ********** **********-****** ****** *************** ***** *** **% '********* ********' formats, ****** *** ********** ****** *** increase ******** *** ****** ***:

******* *** *** *** ** ******** credit ********** **********, *** ***** ** a ****** ***, *****? ******* *** can ***** ** ****** **** *****/ two-factor **************. ** *** *******, * could ** ***** * **** (*** kHz) ****, *** * ***** ** using ** ** *********** **** * keypad ****** ** * ********* ******. And **** *'** **** ** ********* the **** ***** * ****** ***.

Multi-Factor ******* ********

** ******* *******-****** ****** ******* ************** *****, *** *** ****** ** **** a ****** ******** *********** ***********, **********, and/or ****** *****, *** ** ***** two ***** ***** *** ******** ** unlock *** *******, *** **** ********* credential ****** *** ********** *** *** user ** ******* ** *** ****.

*** ***** ***** ***** ** ******* of * ******* '***** ******' ****** device:

New *** ******** ******* ***, *** **** **** & *** ***

*** ****** ************************* ********** *****-****** *** ** **'****** *******, ******** *** ******* ***** ******** and ***** *** ******** ********** **** risky *** *** ******* *** **** broadcast ******** ****/****.

** ***** *****: **** ******* ******* *** *** Credentials, ******* *** ***** ** *** kHz ***** ******* * ********** ****.

****/****

Comments (17)

*** ****** **** ** *** * CSN *** ** ******* ** ********** on ** ****** ****.... ** ** the ***** **** **** *** ** known ******* *** ******* ** ****** card **** **** *** *** ** the ********* ******* ** *** ***** card, ******* ** *** *** ******* the ****?

*** ********** ****** *** **** ****:

** *** ***** **** **** *** is ***** ******* *** ******* ** iCLASS **** **** **** *** *** in *** ********* ******* ** *** smart ****, ******* ** *** *** through *** ****?

* ***** **** ** ********* ** the '*********' ****.

******, ** *** ***** *** ** the '**% *********** ********' *****, **** systems *** ***********/****** ******** **** ****** Numbers (***) **** ****** *** (****** ID) ********** ***** ** *** **********.

** ** *****, *** **% *********** Insecure ***** ** **** * ******* of ***-**** *****, *** ** *** based ** *** **************.

** ****** ****** (*** *****-********) **** read * *** **** * ****** card. ** ****** **** *** *** to ** ********** **** *** ****** control ******. **, ** * *** the *** ** *** ****** ****, then ******* *** *** ** ******* an ****** **** **** *** # in *** ****** ********* **** ** the ****** ****, * ***** *** through *** ****.

*** ******* - *** **** *** program ** ****** **** **** * specific ********** # **** **** ********* to ** ****** ****** - **** reader **** **** **** **** # to *** *** ******? *'** ***** done **** ******.

*** * ******* * ***** ****** to *** **** * *** **** a ****** **********?

** ** *****, *** **% *********** Insecure ***** ** **** * ******* of ***-**** *****, *** ** *** based ** *** **************.

**** ** *** **** *** ********. They ********* *** *** **. **.** MHz ** * ******** *****.

**** ** *** **** *** ********.

****** ** *** ******** ***** ** the **:** **** **** *** *** him ** ******* **** ** ***** by *** ‘*********’ ******. ********, ** does ***** **** *** ***** *** being * *******, ***** ** **:** he ******* ** *** “*** **** was ***** **** *** ********* ** counted ********** **** *** [**-**** *****???]” as ** ****** ** *** *%, and ********** **** **** *** *** 91%.

** ***** ****’* *** * ***** it, * ***** ** *****.

*** *** ****-************* ***** ********* **** :)

** ** *****, ******** **** *** included ** **.** *** ***** ** addition ** *** ***. ****, ******** this ********* **** ***:

***** *** **** ******'*** *** ****** ***** ** **** for ******** ** ******* ****** *******', it ********** **, ***** *** **** data **** ** ********* * ******'* users *** *** *********** **** *** issued.:

** ** *****, ******** **** *** included ** **.** *** ***** ** addition ** *** ***.

****, *** **** *** ****** **** granular **** ** **** ****** ** granted *** ***? *** ***** **** know?

*** *** ** **** ***** ** more ****** **** * ***** ** realize. ** *** ****** ** ************ by * ********** ****** * ********* programmer ******* ** **** ***** ***** I *** ****** *** ***** *** path ** ***** ********** (***) ** used. ***, * ***** **** **** assessment **** *** ****** ** * more ****** ******... *** ********* ** sell *** ** *** ************* ** real ********.

* **** * ******* >**% ** the ***** *****'* *** *** ****** for ***** **** *******.

** *** **** **** ** *** some ******* *** ** *** **** costly ****** *****/*******. ******* ****** ** effectively **** **** ** ** ********** with ****** **********. ** ***** ***** those ****** *********/******** **** *********** *** tied **** ******** ***** ******* ******* (e.g. *******, ****** ****** ******* ********, key *******, ****** ******) ***** *** functioning *** ***** ****** ******* ******* and ********* ** *******. *** ********* of ******** *** ** ***** ***-******* is ******* ********* **** ********* ** 13.56mhz ** **** **** ** *********** all ** ***** *******.

** ***** ** ******** ** **** function *** *** *** *** ******* readers ** *** ******. ** **** article ****** **** ** **** ** insecure ** ****. ** ****** *** any ********* ** **** ************ ****** issue ** ******* ***** * ** interested ** ******* ****.

* ** *** **** *** ***/**.** mhz ****** *** * **** ********. As **** ** *** **** ****** of **** ******* **** ****** *********** is **** ******* **** ** **** the *** **** *** **** ** perpetuity. ***** ******* **** **** ******** theater.

*** **** *** *** *** ***-****** credentials ** **** ** **** *** and ****** *** * ***** ******** on ********** ** ***** ************. *** I **** **** ** *** ** easy ** ** ****** ******* ** will ****** ******** *** ******** ** readers *** *********** ***** **** *** will ** ******. ** *** **** and ******* ******* ** ********* *** service *** *** ****'* ******* ** multi-technology ******* **** ***** ** ***. The **** ********** ***'* **** **** these ****.

******* ****** *********** **** ********** *** an *** ** *** **********, ********** once *** *** *** ***** ****** for **** ********** **** ** ******* mainstream *** **** ************* ******* *** program **** ***** *******.

***** **********. ** ***** ** * can ** **** **** *** **** it **** **. "****'* * ******** problem." *** **** **** ******** ** to **** **** *** ***. *** bigger ******* ** **** **** ** HID **** ** **** ****** *********** and ******* ***** ******* ***** **** in *** *** ********. ****'* *** problem **** ****** ***** ********* **** open *** ********. ****** *** ******** production ** **** *********** **** **** would **** *** ****** ****** ***** is ****** **** *** ** ****** for **** ***** **** ****.

**** *******.

*- * ** * *** *** of *** ******* (******* ** ********* work ************ ** *** ******** *******)

*- * ***** ***** ** *** 90% ******** *****, *** *** **** are ****.

*** **** **** ******** ******* ***/*/* cards **** *** ***** **** ** CSN *** *** ****** ** (****** ID **** **********). ** ******* **** option ** ****, *** ******* ** push ** **** *** ********** ** have **:

*- ****** ******* **** ** **** price, *** *** **** *****'* ********** the ********** **** *** (** **** on ****)

*- ***-***** ***** **** ******** ** encode ****** ***/*/* ***** ******* *** is ***************. ** **** **** *** cards *** *********** ******* **** *** encoded **** ****** ** "** *******" (no ******** ******)

*- ** * ***** *** ** my ****, **% ** ***** **** are ********* (****** + ** *******) and **% *** "*********** *******" (*** not ****** **** *** ******* ***)

/**** (*******)

**** * *** *** ***** ** you ********* *** ***** ** ******** other ******* **** *** **** *** 125khz ** *** ***** *******, *********:

- ******* ("******-**-*****")

- ******* ******** / ******** ******** or **** ********* ** **********

- ******** *******

- *** **** ********

- ******* **** ******* *******

***** **** ** ***** *** * "dual ** *****-**********" **** ** *** upgrade ** **** ** ***** **** the *********** ** ***** ********* *** ensure *** ******* ** ***** ******* get * ****** **** *** *************.

**** **** *****.

****, **** ** *** ***** ** discontinue **** ** ****** **** ** forced ** ******* ******* *** ***********??? They **** ** **** *** ****-*** sometime ** ********** ********* **** **** blindly ********** ****.

***** **** *** *******/* *** *** market.

*** *** *** *** ** **** to **** ****** *** *** **-****** legacy **** ******** ** ** ***** prices ** **** ********** ** ****** iClassSE. ***, ****** ***** ******** **** from ***** *********, *** ** ***** HID ***** ** ** * ******** of ******** ** * "****** *******". Of ******, * ** **** **** and ***** ***** ******* ****** ***** with *** ******* ****** & ******* that **** **** ******* **-****** *****.

******, * **** ** **. * need ** ********* ** **** ** the ***** **** *********** *** * friend ** ****.............*** *** ******......*** *** friend.........etc.......

** **'* ******, **'* ** ****.

********* ****** ******** ******* **** *** building ******, ****** *** ******* ** secured ********, *** *** **** ** open *** **** ** **** ** secure ** *** **** ******.

*****, **** *******, *** **** **** are **** ** * ******** **** the *********** ****.
