Why HID Says Credential Numbers Should Be Kept Secret

Published Feb 16, 2024 12:59 PM

While credential numbers are commonly printed on cards, HID recently warned (in its major, mandatory update) that credential numbers should be kept secret, but why?

IPVM Image

This report examines how credential numbers are used in PACS, how they can be abused, and how they differ across credential architectures.

Executive *******

***-********* / **** / *** *** cards *** ********* ****** ****** ** knowing *** ****** ******* ** *** card.

****** [******] *********** *** ** ****** if *** ****** *** (***** *** so ******) *** *** ********** ****** printed ** *** **** *** *****. The ****** **** *** ** ********* from *** **** ** *** ****** with * "*******" ******.

****** *** (**.** ***) ***********, **** Seos *** *******, ******* *** ******* issues ** ****** * ***** ** AES-128 **********, ****** ** ****** **** difficult ** **** ** *****, **** if *** **** *** ********** ******.

HID ***** *** ********** ****** *******

** ***'*"*****, ********* *******" *** "****** ********* Attacks,"*** ****** ***** ** ***** ********** numbers ******* ** ********* *** ***** secrecy.

Credential ******* serve the same ******* ** * ********: ****** values that identify a user to a system. Integrators, distributors, and end users should exercise the same care with credential numbers that they would with other sensitive information. Credential holders should protect *********** *** ***** ******* from unauthorized access and disclosure. [emphasis added]

A ****** ** ***********

*** ****** *** ***** *** ******** printed ** ***** ***** **** ** be ******* **** ****** ******* ********** software. **** ******** *** ** ******* printed ** *** *****, ** ** simple *** ****** ** **** ** the ****** ** *** **** *** enter ** **** *** ****** ******* management ********. ***** ******* ******* ******* would **** ** ** ******* ** a ******, *** *** **** **** would ** ****** **** *** ****** and ******** ** * ****. ***** access ******* ********** ******** *** * bulk ******** *** ******** ***** *** assigning **** ** *****, ***** **** in **** ***** **** ****** **** assigning ***** **** ********** *******.

IPVM Image

Cloning ** **** (*** ***) **** **** ********** ******

***** *** ****** *** ***** **** credentials ** ****** ******** ****** ** the *****, **** *** **** ***** some **** *********** ***** ** ***** credential ******. **** **** ***** **** their ********** ****** *******, ***** *** be ********* **** *** **** **** to **** ****** ** *** *******.

IPVM Image

*** *******, *** ********** ******* ** the **** **** ***** *** ** separated **** *** *****: *** ******** number (***) *** *** ** ****** (45545). *** *** **** ******* ***** numbers ** ******: ******** ****** (********) and ** ****** (****************). ** ********* the ****** ******* *** ********** **** to *** (******), *** *** ******* the **** **** ***** *** ********** format (*.*., *** ******) **** *** Flipper **** *** **** ****** ** PACS.

IPVM Image

** *** ***** *****, ** **** the **** *********** *** *** ******** PACS **** ********** **** *** ********** number ***** * ******* ******.

iClass ********** ****** **** *** **********

****** ***** *** ***** ** ******** technology, ********* ** **.** *** *********, and *** *** *************** ********** ** increase ******** **** *********** **** *****.*** *** *************** *************** ****** ***** ***** *** ****** keys, *** *** **** ****** ****** encrypts **** ***** **** ********** ******** (DES) *** ******* *********** ****.

IPVM Image

*** **** ****** ******* *** ********* written ** *** *****, ********* **** of *** *********** ****. ********* *** use******* ********* ******* *** ****** **** **** the ******* **** * ******* **** or * ******** *** ******** *** diversified **** ***** *** ********** *********.

Seos ***** ****** ** **********

***** **** ***** **** ********** ********* from *** ****** **********, **** ********* use ***-****** ********* *** *** ********. Seos ***** ***-*** *** ********** ** key *************** *********, ****** ** ****** more ********* ** ******* **** **** iClass [******] *****. *************, ** ** attacker *** **** ****** **** *** the **** ****** ******, *** **** cards *** ** **********, *** ***** are ** ******** ***** ******** ** extract **** ****** *****.

*******

***** **** **** ***** ****** ******* and ***** *** ********** ******* ** their *****, ** *******, ** ***** cloning *** **********. ****** **** ***** should **** ******* ***** ********** ******* to ***** *********** *** ******** ********.

****** ***** ****** *** ******* *** credential ******* ** ******* *******, *** whenever ********, ***** ****** ** **** blank ** ***** *** ****** ***********.

Comments (13)
Craig Nordman
Feb 16, 2024

Nobody should be installing new systems with low frequency readers anymore. Moreover, the low frequency should be disabled in the reader if using multiclass readers.

(4)
Mert Karakaya
Feb 16, 2024
IPVMU Certified

Craig, thanks for the comment.

For those interested, here is IPVM's guide on How To Move Away From Insecure Prox / 125kHz Credentials

(1)
Undisclosed Integrator #2
Feb 16, 2024

Craig, even if you stick to 13.56 MHz, if you use anything other than EV2/EV3 or SEOS with elite keys, I can read your card# with the Flipper and clone it as an iClass card.

So you have to go beyond just not using low frequency and actually disable any unused card technologies.

(5)
Jacob Hengel
Feb 16, 2024
YourSix

Thank you for speaking up - the industry needs to understand this!

Undisclosed Integrator #3
Feb 20, 2024

I agree, but that only applies if the card reader can read iClass Classic. There are HID reader options that only read iClass SE. Unfortunately, we as an industry tend to buy off the shelf, and most of the time that means the product will read all iClass flavors. Disabling low-security or unused card technologies on these readers, as you mention, is key.

Also keep in mind, if you are only reading EV2/EV3 CSN instead of an encoded SIO, all bets are off.

Bottom line, we need to do our due diligence as integrators.

(1)
Undisclosed Integrator #3
Feb 20, 2024

100% agreed. It just baffles me when I see integrators in this day and age installing brand new systems using 26-bit 125kHz cards and using Wiegand communication instead of OSDP.

John Honovich
Feb 16, 2024
IPVM

So it's the access control equivalent of this?

IPVM Image

Also, on LinkedIn, someone posted this example:

IPVM Image

(1)
Undisclosed #1
Feb 16, 2024

I'm not saying there is anything wrong with this report, but did people really need to be told this info? By that I mean, how could any halfway competent integrator or access control system manager not already know this?

If this information is a revolutionary insight for you, you need to seriously evaluate your security posture.

Undisclosed Integrator #2
Feb 16, 2024

Yes. Because even to this day on a regular basis there is a customer sending a photo of the end of their badge stock box to an integrator or online vendor so they can order the next batch of cards.

There are still plenty of customers ordering cards with the sequential number printed on them because they either don't want to pay to add an enrollment reader or their ACS doesn't support one.

(1)
(2)
John Honovich
Feb 16, 2024
IPVM

What #2 said. From time to time, I go to local security events (and send our team members) to remind myself (and them) of how many wild misconceptions are commonplace in the field.

Btw, a thought: since HID acknowledges this risk, why not stop printing credential numbers on credentials? I get the whole "but integrators want it," but if we are really committed to security and acknowledging it, wouldn't refusing to print the numbers be the rational step?

(3)
Undisclosed Integrator #2
Feb 16, 2024

John, I don't think it's integrators wanting it but more customers. It's similar to why they are still selling Prox cards: it makes it easier for the customer's badging office to manage, and there's no change or added cost involved (admittedly cost is low in this case).

(1)
Steve Stowe
Feb 20, 2024

If only the technology existed to send cards to system administrators with stickers for easy entry that would easily remove... I guess that would be too complex for HID.

(1)
Undisclosed #4
Feb 20, 2024

Another alternative would be printing numbers that are not associated with encryption or PACS data. For example, those numbers can match credential numbers in a configuration file that can be easily installed into the systems. Randomizing printed numbers would reduce the chance of copying while maintaining convenience.