HID: 91% Of Access Cards Potentially Insecure

By Brian Rhodes, Published Aug 05, 2021, 12:07pm EDT

HID, one of the world's largest access companies, said at the IPVM Access Control Show that more than 90% of the cards used are potentially insecure.

Inside this report, we share:

  • HID Says Over 91% 'Potentially Insecure'
  • Large Portion Of Market Still Uses 125 kHz
  • How Many Credentials Use Unsecure CSN/UID Features
  • Recommends Multi-Factor Authentication
  • HID Still Sells/Supports Risky Formats

For background, see Hack Your Access Control With This $30 HID 125kHz Card Copier, Contactless Access Credentials Guide, and Multi-Factor Access Control Authentication Guide.

HID **** **% *********** ********

****** ******* **** ****** ****, *** **** **** 9% ** *** ******* credentials ****** ** ***** secure **********:

**** ** *** ******** chart **** ****** ** illustrate **** *****:

*** *******, ******** ** Product ********* ** *** Global****:

*** **** *** **** at ***** ****-********* *********** in * *** **** detail, *** *** *** that ****** ****** *% of *** ****** (*** this ** *** ***** shipping) *% ** *** market ** **** ** would **** * '****** technology', *** *** **** is **** ** *********** insecure.

125 *** ***** ******

*** **** ****** **% of *** *********** **** in **** *** ****** copied *** *** *******:

******* **** *** *********:

****************,********************************************************,*****************************************. ********%***************************************** (**.** ***)***********%*************** (*** ***),********.

** ******** **Hack **** ****** ******* **** **** $** *** ****** **** ******, these access credentials are inexpensively and quickly duplicated with gadgets easily purchased off the internet.

***** *** ************* ** 125 *** ******* ** well *****, **** ***** do *** ******** *** risk **** ****** ** spend ***** ********* ** secure ******* *** ***********, as ******** ********* ****** ****** ******* Migration *****.

CSN/UIDs *** "**** ********" ********

**** ****** ********** ******* like **.** *** ****** and ****** ******* *** be **** **********, ************ when ***** ******* ** not *** ********* *********** to ** *** **********.

******, ** *** ***** out ** *** '**% Potentially ********' *****,**** ******* *** ***********/****** readable **** ****** ******* (CSN) **** ****** *** (Unique **) ********** ***** to *** **********.

***** *** **** ******'*** *** ****** ***** be **** *** ******** or ******* ****** *******', it ********** **, ***** the **** **** **** to ********* * ******'* users *** *** *********** they *** ******.:

***** ******* *** *** secure ******* **** ******* no ********** *** ** read/unlock *** *** ********* readable ** *** **.** MHz ******, ********* *** credential's ********* **********.

** ********, **** ****** is ********* ****** *** cannot ** *******. ***** we ** *** **** cases ***** **** **** has **** *********, ******* this ********* ****** ***** potentially ****** ** ************ duplicates ***** **** ** an ****** ******.

******* ***** ******** *****, CSNs/UIDs *** ***** ******** used ** ****** *******, especially '*****' ****** ******* or ***** ***** ****** 125 *** ******* **** do *** ******* ********** encryption.

(****: *** *** ********* it's *** ****** *** MIFARE ******* *** *********** will ******* *******/******** ****. IPVM **** **** **** released.)

HID: *** *********** ** ********

*** ********** **********-****** ****** *************** ***** *** **% 'Potential ********' *******, ****** the ********** ****** *** increase ******** *** ****** use:

******* *** *** *** an ******** ****** ********** technology, *** ***** ** a ****** ***, *****? Because *** *** ***** in ****** **** *****/ two-factor **************. ** *** example, * ***** ** using * **** (*** kHz) ****, *** * could ** ***** ** in *********** **** * keypad ****** ** * biometric ******. *** **** I've **** ** ********* the **** ***** * little ***.

Multi-Factor ******* ********

** ******* *******-****** ****** ******* ************** Guide, *** *** ****** is **** * ****** supports *********** ***********, **********, and/or ****** *****, *** at ***** *** ***** types *** ******** ** unlock *** *******, *** just ********* ********** ****** was ********** *** *** user ** ******* ** the ****.

*** ***** ***** ***** an ******* ** * typical '***** ******' ****** device:

New *** ******** ******* ***, *** **** **** & *** ***

*** ****** ************************* ********** *****-****** *** ** it's***** *******, ******** *** ******* still ******** *** ***** new ******** ********** **** risky *** *** ******* and **** ********* ******** CSNs/UIDs.

** ***** *****: **** ******* ******* 125 *** ***********, ******* *** ***** of *** *** ***** address * ********** ****.

****/****

Comments (17)

*** ****** **** ** how * *** *** be ******* ** ********** on ** ****** ****.... or ** *** ***** once **** *** ** known ******* *** ******* an ****** **** **** that *** *** ** the ********* ******* ** the ***** ****, ******* it *** *** ******* the ****?

*** ********** ****** *** risk ****:

** *** ***** **** that *** ** ***** someone *** ******* ** iCLASS **** **** **** CSN *** ** *** encrypted ******* ** *** smart ****, ******* ** and *** ******* *** door?

* ***** **** ** qualified ** *** '*********' risk.

******, ** *** ***** out ** *** '**% Potentially ********' *****, **** systems *** ***********/****** ******** Card ****** ******* (***) also ****** *** (****** ID) ********** ***** ** the **********.

** ** *****, *** 91% *********** ******** ***** is **** * ******* of ***-**** *****, *** is *** ***** ** CSN **************.

** ****** ****** (*** multi-protocol) **** **** * CSN **** * ****** card. ** ****** **** CSN *** ** ** programmed **** *** ****** control ******. **, ** I *** *** *** of *** ****** ****, then ******* *** *** to ******* ** ****** card **** *** # in *** ****** ********* part ** *** ****** card, * ***** *** through *** ****.

*** ******* - *** does *** ******* ** iCLASS **** **** * specific ********** # **** when ********* ** ** iCLASS ****** - **** reader **** **** **** card # ** *** ACS ******? *'** ***** done **** ******.

*** * ******* * SIGNO ****** ** *** read * *** **** a ****** **********?

** ** *****, *** 91% *********** ******** ***** is **** * ******* of ***-**** *****, *** is *** ***** ** CSN **************.

**** ** *** **** HID ********. **** ********* 125 *** **. **.** MHz ** * ******** chart.

**** ** *** **** HID ********.

****** ** *** ******** video ** *** **:** mark **** *** *** him ** ******* **** is ***** ** *** ‘potential’ ******. ********, ** does ***** **** *** about *** ***** * problem, ***** ** **:** he ******* ** *** “but **** *** ***** here *** ********* ** counted ********** **** *** [hi-freq *****???]” ** ** points ** *** *%, and ********** **** **** for *** **%.

** ***** ****’* *** I ***** **, * could ** *****.

*** *** ****-************* ***** miserably **** :)

** ** *****, ******** CSNs *** ******** ** 13.56 *** ***** ** addition ** *** ***. Also, ******** **** ********* from ***:

***** *** **** ******'*** *** ****** ***** be **** *** ******** or ******* ****** *******', it ********** **, ***** the **** **** **** to ********* * ******'* users *** *** *********** they *** ******.:

** ** *****, ******** CSNs *** ******** ** 13.56 *** ***** ** addition ** *** ***.

****, *** **** *** really **** ******** **** on **** ****** ** granted *** ***? *** would **** ****?

*** *** ** **** might ** **** ****** than * ***** ** realize. ** *** ****** is ************ ** * technician ****** * ********* programmer ******* ** **** these ***** * *** easily *** ***** *** path ** ***** ********** (CSN) ** ****. ***, I ***** **** **** assessment **** *** ****** is * **** ****** method... *** ********* ** sell *** ** *** inconvenience ** **** ********.

* **** * ******* >80% ** *** ***** doesn't *** *** ****** for ***** **** *******.

** *** **** **** to *** **** ******* off ** *** **** costly ****** *****/*******. ******* 125Khz ** *********** **** open ** ** ********** with ****** **********. ** large ***** ***** ****** cloneable/readable **** *********** *** tied **** ******** ***** badging ******* (*.*. *******, badged ****** ******* ********, key *******, ****** ******) which *** *********** *** other ****** ******* ******* and ********* ** *******. The ********* ** ******** one ** ***** ***-******* is ******* ********* **** switching ** **.***** ** they **** ** *********** all ** ***** *******.

** ***** ** ******** to **** ******** *** the *** *** ******* readers ** *** ******. As **** ******* ****** that ** **** ** insecure ** ****. ** anyone *** *** ********* to **** ************ ****** issue ** ******* ***** I ** ********** ** hearing ****.

* ** *** **** 125 ***/**.** *** ****** are * **** ********. As **** ** *** easy ****** ** **** staying **** ****** *********** is **** ******* **** to **** *** *** down *** **** ** perpetuity. ***** ******* **** like ******** *******.

*** **** *** *** the ***-****** *********** ** stop ** **** *** and ****** *** * final ******** ** ********** of ***** ************. *** I **** **** ** not ** **** ** it ****** ******* ** will ****** ******** *** millions ** ******* *** credentials ***** **** *** will ** ******. ** you **** *** ******* readers ** ********* *** service *** *** ****'* putting ** *****-********** ******* then ***** ** ***. The **** ********** ***'* that **** ***** ****.

******* ****** *********** **** eventually *** ** *** to *** **********, ********** once *** *** *** Apple ****** *** **** credential **** ** ******* mainstream *** **** ************* license *** ******* **** their *******.

***** **********. ** ***** is * *** ** kick **** *** **** it **** **. "****'* a ******** *******." *** only **** ******** ** to **** **** *** can. *** ****** ******* is **** **** ** HID **** ** **** making *********** *** ******* today ******* ***** **** in *** *** ********. That's *** ******* **** 125khz ***** ********* **** open *** ********. ****** HID ******** ********** ** some *********** **** **** would **** *** ****** market ***** ** ****** they *** ** ****** for **** ***** **** this.

**** *******.

*- * ** * big *** ** *** Dearing (******* ** ********* work ************ ** *** previous *******)

*- * ***** ***** on *** **% ******** cards, *** *** **** are ****.

*** **** **** ******** DesFire ***/*/* ***** **** are ***** **** ** CSN *** *** ****** ID (****** ** **** encryption). ** ******* **** option ** ****, *** despite ** **** ** hard *** ********** ** have **:

*- ****** ******* **** be **** *****, *** End **** *****'* ********** the ********** **** *** (we **** ** ****)

*- ***-***** ***** **** training ** ****** ****** EV1/2/3 ***** ******* *** is ***************. ** **** send *** ***** *** interesting ******* **** *** encoded **** ****** ** "by *******" (** ******** needed)

*- ** * ***** say ** ** ****, 70% ** ***** **** are ********* (****** + MF *******) *** **% are "*********** *******" (*** not ****** **** *** secured ***)

/**** (*******)

**** * *** *** those ** *** ********* the ***** ** ******** other ******* **** *** also *** ****** ** run ***** *******, *********:

- ******* ("******-**-*****")

- ******* ******** / Cashless ******** ** **** terminals ** **********

- ******** *******

- *** **** ********

- ******* **** ******* screens

***** **** ** ***** for * "**** ** multi-technology" **** ** *** upgrade ** **** ** timed **** *** *********** of ***** ********* *** ensure *** ******* ** those ******* *** * sample **** *** *************.

**** **** *****.

****, **** ** *** going ** *********** **** so ****** **** ** forced ** ******* ******* and ***********??? **** **** to **** *** ****-*** sometime ** ********** ********* will **** ******* ********** them.

***** **** *** *******/* and *** ******.

*** *** *** *** be **** ** **** people *** *** **-****** legacy **** ******** ** to ***** ****** ** that ********** ** ****** iClassSE. ***, ****** ***** purchase **** **** ***** providers, *** ** ***** HID ***** ** ** a ******** ** ******** as * "****** *******". Of ******, * ** sure **** *** ***** share ******* ****** ***** with *** ******* ****** & ******* **** **** from ******* **-****** *****.

******, * **** ** go. * **** ** duplicate ** **** ** the ***** **** *********** for * ****** ** mine.............and *** ******......*** *** friend.........etc.......

** **'* ******, **'* at ****.

********* ****** ******** ******* used *** ******** ******, unless *** ******* ** secured ********, *** *** used ** **** *** door ** **** ** secure ** *** **** itself.

*****, **** *******, *** pass **** *** **** of * ******** **** the *********** ****.
