HID Pushes "Major, Mandatory Upgrade" For "Legacy Downgrade Attacks"
IPVM has advocated that HID deal with downgrade attacks it has known about and allowed. Now, in what HID is describing as a "major, mandatory upgrade," HID is taking action.
But what does this upgrade mean, how effective is it to address these vulnerabilities, and what issues still remain?
For recent IPVM coverage of HID and access control vulnerabilities, see:
- HID Standard Profile Makes 13.56 MHz SE / Seos As Vulnerable As Cracked 125 kHz For Downgrade Attack
- How HID High-Frequency Only Readers Are Vulnerable To Downgrade Attacks
- Are Integrators Responsible For HID 13.56 MHz Downgrade Attack Using Multiclass Readers?
- Flipper Zero Access Control Hacking Tested
- How the Seader App Works With HID SAMs and Flipper Zero
- HID Touts "Signo = Security" Despite Critical Vulnerabilities
Executive *******
***** ********* ******** ** ****, *** is *** ******* ********* ****** ******* updates, ******* ************* ********* ***************. *** update ******** ************* *****, ********** ****** credentials ******* ** *** *******, *** prompts ***** ** ******* ****. **** legacy *********** *** ********, **** ****** be **-******* ******* ********** ***.
***** **** ****** ********* *************** ****** the *******, *********** *** *** ***** will **** ** ****** **** ** significant **** *** ****. ******* *** readers *** *** ** ********* *** centrally *******, *********** *** ***** **** update **** ****** ********. **** ******* will ** *****-********* *** **********, ********* users ** ******* *** ****** ***** reader *** ** *** ***** * mobile ****** *** ***, ***** *** take **** **** ** ******* *** each ****** *** ** ****** ***** cycling.
HID ********
**** ******* *** ** *** ******** times, **** ** ******** **** ***.
Mandatory ****** ******* ******
*** ******** * ********* ****** ******* update** ******, **/**, ********* ******* ** configuration ***** *** ****** ***********. ***** are ******** ** ****** *** ****** Manager *** ** ******* **, ****, to ******** ***** *** ***. *** update ******** ************* ***** *** ******* when *** ****** ** ********* *** gives ****** ** *** ***** **** the **** ** ******* ****** ***********.
*** **** ** ****** *********** ********* inside *** ******** *** *** ******** Prox, ****** ******, ****** **, *** Mifare ******* *******, *** **** ***** credentials *** ********, **** ****** ** re-enabled ******* ********** ***.
Legacy ** ******** ****
************, *** *** ****** ***** ************ legacy *** ********* ****** *** *********** that **** **** **** ** * security **** (*.*.,*** *** *** ** ***** ************* "******" ** *****, *** **** of **** ******* ** **** ******** this ** * ******** ****).
** *** ********, ***, *** *** reader ******* ****** *** ********** ******** that "****** *********** *** ****** * security ****:"
iClass ** ******** ** ****** / ******** ****
*** ********** ****** ** ** * legacy ********** ** **** ****** *** list. ********, ****** ** ** ********* *** ************ * ********** **** ********** ********* attacks (******* *** ******* **********'* *** MIFARE *******:
*********, ****** ** ********* *** ****-******** features ** **** ** ****** ******* credentials, *** ********* **** ** ******* to ****** * ****** ******* ** secure ***********
**** **** *** **** ** *** publicly ********* *************** **** ****** **.
HID ************ ********* *******
***** ***, *** *** *** ******** any ****** ************* ** *** ******* that ************ ** ********* ********* *******.
*** ******** * ************** *** ****** ** ******, **/**, then ******* ** ** ********, **/**, noting "*********** ****** ****."
** ***'* ****************** **** *** ******, *** ************ downgrade ******* ***** ****** ***********. *** describes *** ********* ****** ** ***** "the ********* **** ** *******" ** copying **** **** **** **** ** iClass ****** ** ****.
*********, ****** ** ********* *** ****-******** features ** **** ** ****** ******* credentials, ***migration **** ** ******* ** ****** * ****** ******* ** ****** ***********. The high-security credential data is read (typically with HID technology), then third-party ***** *** **** ** ****** * ****** ********** **** *** **** **** ** ***** **** ***** ******** ******** (like MIFARE Classic® and legacy iCLASS Elite™), published **** (legacy iCLASS®), or cards **** ** ********** ******** ** *** (classic Prox). [emphasis added]
*** ************** ***** ****** ************ ** ********* attacks ****** *** ***********.
* ********* ****** * ********* ****** has **** *** ******* ** ****** publications, *****, *** ******** ***** *****.
***** ********* ******* **** ********* ******** ** ** ****, *** *** *** ***** ****** against ***** *************** ***** ***.
*** **** **** *** **** **** within *********** ****** ** ******* "** a ********" ** "** ********* ***********."
********** ******* ***** *** **** ******* as * ********: ****** ****** **** identify * **** ** * ******.Integrators, ************, *** *** ***** ****** ******** *** **** **** **** ********** ******* **** **** ***** **** ***** ********* ***********. ********** ******* ****** ******* *********** *** ***** ******* **** ************ ****** *** **********. [emphasis theirs]
Reader ******* ****** ****** ** ******
***** ***** **** ** ****** *** reader ******* ****** ***, *** ******** updates *** *** ****** ** *** readers *************. ***** **** ** ******* and ****** **** ***-******* ****** ************ to ******* ************* ***** *** ****** credentials. ** *** ******* ** *** have *** *************, **** **** ** purchase * ********* ****** *** ****** it ** *** ****** ****** ********** updates.
**** ** * *********** ********** ** current ***-***** ** ********* **-********* *******, as ****, ***** **** ** ******* firmware ********. **** **** ***** *** percentage ** ******* ******* *** ***** downgrade ****** ************* ** ******* ****** the *******.
*** ******* ****** ********** ************ ** more ******* **** *********** ** *******, as **** ** *******, ***** *** push ******** ******* ** *** ******* at ****, **** ******* ***** ************. With *******, ***** **** ** ******** update **** ****** *** ** ***, which ** * ********* ***********.
Most ******* **** *** ******
*** ** *** ********* ******* ** updating, ** ****** **** ******* *** to ****** ***** *******. ***** **** to ******** * *********** ****** ** time ** ****** ***** ******* ** their *** ** *** ***** *********** to ** **, ***** ****** *** extent ** *******.
Most ***** ***** ******
**** ********* *** ******** ** ***** American *** ***** *** ***** ****** credentials (*.*., ****, ****** ******, *** SE) ***** ** *** **********:
- *** ****** ******* ***** **********
- **** / *** *** ****** ******* Credential ***** **********
- **.** *** ****** ******* ********** ***** Statistics
HID ********* ** **** ******** ******* *** ****** ***********
*** **** **** **** *** **** selling ** ********** ****** ***********.
*** ************ *** ****** ***** ** the ****** ******* *********** *** ********* to ***** *** ***** ** ***** customers ***** ******* ** ****** ********. HID **** ******** ** **** ******** supporting ***** ********* *** ****.
***** **** ****** ********* *************** *** readers ** "********* ****" ***** ******** configuration, ** *** ********* ** ******* legacy *********** *** ***** ******** ******* readers, ***** *** **** ************ ** upgrade ***** ******* **** **** ****** credentials.
Responsibility ****** ** *********** *** ***-*****
*** ****** *** ************** ** *********** and ***-***** **** **** ******, ***** might *** ** ********* *** *** users ** ********* *** ** *** labor-intensive *** ********** ****** ** *******. HID ****, *** ***** **** ** disable "********* ****" **** *** ********* is *********, *** **** *** ***** an ********* *** ** ** **.
Once ********* ** ********, ********* **** **** ** ******** ** ******* **** *** ******** ******** ***** *********** *****. While legacy credential support is enabled, the risks of legacy and insecure credentials remain, including unauthorized duplication and use. [emphasis theirs]
*** ****** ***** ********* *** ******** products *** ****** *******.
*** *** * ******* ******** ****, including ********* *** *** *** ****** technology **** ***** ***********, ********* *** compatibility ** **** *******.These ********* ***** *** *****, ********* *** *********** ** ************ ***********, *** **** **** ********** within their specific operational context.
For **** *************, especially those facing minimal security threats or those with other protective measures in place, using ***** ************ **** **** ***** *** ** *********. ** ** ********** ** businesses choosing door **** **** *** ** ********** at the local hardware store — a matter of convenience and cost. [emphasis added]
*******, ** *** ********, ***** **** HID *** *** ********* ******** **** long ******** ******** ***** *****, ** believe ****, ** *** **** *****, are ******* ** *** **** ** is *** ***** ******* ** ** attacked.
Does *** ***** ************* ********
******* * *****-********* *** ********** ****** process ** ***** **** *** ***** vulnerability ********. **** ***** **** ** unaware ** ***** *********** ****** ***** PACS ** ****** **** *** ** high ***** *****. ****** *** ***** selling *** ********** ****** ***********, ***** will ** **** ************ ** ****** to **** ****** ****.
*******, ** ******* **** "*****, ********* upgrade" *** ********* **** **-******* *** whitepaper ************* ****, *** **** ************* raise ********* ** ***** ******** ***** with ***** *********, ***** **** **** improve ********.
** #* ***** ** *** ******* notes *** ********* **** *** ******* to **** ********* ***:
*. **** ****** ** *** ********** SE ******* *** ******* ** ***** used **** *** ****** ******* ********. If ***'** *** ******* ******** *** readers **** *** ****** ******* ******** (i.e. ***** ***** ****** *****) **** will **** ** ****** ** *** or *** ********.
*. *** ** ****** ******* ******** by **** *** ****** ******* ********* natively ** *** * **** ** module ** *** ****.
*. ** ****** **** *** *** choose ***** ****** ******* **** ****** functional ****** *** ******, ** ** the ******** ** ***** ****** ****** for ******* ***'* **** ******** ** and *** *** ******. *** **** time ***'* **** ** ******* *** would ** ** *** **** * mistake ** ******** *** ******.
"*** **** **** ***'* **** ** contact *** ***** ** ** *** made * ******* ** ******** *** reader."
** **** ****** *** ****** ******* to ******** *******. **** *** ****** during ************, *** *******, **** ****** need ** ** ********.
********* **** ******* *** *** ****** security ******, *** ***** *** ***** to ** ********** ***** *** ******** wants **** ****** ***** ** ***** SEOS ******* ********* **** *****.
*'* *** ******* ******* ** ***** arguments **** *******, *** ** ** definitely ****** **** ********** **** **** fourteen-year-old **** * ******* ** *********** their **** *********** ******* ** *** it ** ****** *** ***** **** integrator ****'* **** *** *************.
*** *** ** **** *** ******* that ** *** ******* *** ******** what ****** ** ******
*** **** ** ***** ** **** backpack. ** ***** **** ** *** killed *** *** ******** **** *** BLE ********.
(**** ** *******, *** ************ **** seller, *** *** *** ******* **** that).
** *** **** ** *** ***, and *** *** ***** ****** **/********** SE, **** *** **** ** *** a ********. *** *** **** **** around ****** ** ******, ****BE ******* **** *** **** ** *** *** ****. ***** ***** ****. *********, ***** ****** ****.
** *** **** *** ****, **** the ********* **** *****, *** *** will *** *** ****** ****** *** firmware *******. ** **** ** * fair *** ** ***** ******** **** lesson.
********** *** ********* ** ***** **, if *** **** ** ** ****. You ****** **** ** ** ****, because ***** ***** ** ****, ****** distance ** ****, *** ***** ******* to ***** ** ****.
** *** *** **** ********* ******, save ******** *** **** *** *** an ******* *****.
*** *** ****** **** **** ***** on ***** **** (****/****/***.), *** ****'* because **** *** * ****** ****** thing ****** ****. ** ******* ***** a ***, *** ** *** ******** I've **** ** ****'* ******** *************. It ***** **** ** *****'* ***/**** running ** *** **** ***** *** lines, ** **** ******* *****, ** something. * ****** * ***** ** RP10 *******, *** *** **** ** everything.
** * **** ** **** *** after **** ****** ** ******* ** re-enable ****** *************? **** **** **** time.
**. **** ***'* **** *** *** ones ** ***. ****** ** ******** to ** * ************ ***** - on *** *** ****** *** *** while **'* ** ***, **** **** it ***.
*** "********" **** ***** *** ******* iClass *** ********** *******, **** ******* > ** ***** *** *** *** that ***** (** ****** *** ** those ******* ******* *** *********** *********** and ****** ** ******** ***** ** the ******** ********* **** *******).
****** ** *** ********** ** ***. You *** *******, *** ********* ********** don't **** ***** ** ****.
**** **** ** ******* *** **** and ** **** ******* *********? ** we ******** ******* ***** ****** ** confirm?
***-** **** ******* (********, ********, *********, ProxPro, ***.) ***'* **** ********. **** doesn't ****** ******** *****. *** **** starts ******** *** ********** **** ** anyone ****** ** **** ** ** gets *****.
***-** ****** ******* (****** *** **, multiclass *** **, ***.) **** ***** keys. *** ***** *** ********** ** duplication, *** **'* *** ********* **** can ****** ** *****.
**-*** **** *** ***** ** ****** be ***** *** **** (****** **/********** SE).
*** ***** ** ********* ** *** as * *** **** (***** ** interesting *** ******* ********** *********). ** might ** *** **** ***** ** PIVClass ******* ***** ****** ********** ** and ****** **.
If *** *** ******* *** ****** *******, *** *** ********* ** *** ******* ** ***. This means you don't need to run around adding backpacks to all the old iClass SE and multiClass SE readers.
*** *** ********* **** **** ************* readers ******* **** ** *** ***. If *** *** **** * ******** is ******* *** *** **** ****** and **'* * **** ******* ***, that's *****. ** ***, ****, ** probably ***** ******* ******* ** **** reader ***** *** **** ***** ***** out (******** **** **).
******** ********* ******* ********** ****** ******** ******** ** the *** ******.
**'* ***** ** ** *********** ** see **** ******* *** ******* ** reader ******** ****** *******.
*** ********* ***** **** ******* **** year:
**** ************ ***:
“******** ******* *** ****** **** ****-********* than ****, *** ** *** ******* to ** ********** *** ******** ** GSX,”
**** **** ** **** **** ********* legacy.
"*** **** *********** *** ***** *** simultaneously ****** ******** *** *****™ ******* connected ** ******** *** ***** ************* **** ********** ****** ******** (****) or ** ***** * ****** ******* over * *** **********. **** *** largest ****** ****** *** ** ******* quickly *** ******."
*** *****'* ** *********** *** *** this **** **** ** *****. ***** are * ***** ** *******-***** ***********, especially **** *** ******* *** *** market. ** **** *** **** *** configuration **** **** *** ***** ** controller ****** ******* ******* ***********, **** it ****** * ***** ** ********.
** *** **** ********, *** *******, is *****.***. **** *** *******'* ***** stuff ** ****** *** *** ******* and ******. * *** ** ******* their *** ** ********* ****** ** operate *** **** *** ***. * use *** ******* ******* ** **** readers **** **** **** (*** **** and ****** ***********). **** **** ** setup (*****-********* *******) ** ***** ** be **** **** ** ****** * lot ** ******* ** ****.
***** ** **** *********** ** ***** to ** *** ********* *** *** out-of-support ** ***** ******, *** *** it *** ******, ** *** ****** and **** *** *********. *'* **** to *** * ********* ** *** many ******* *** ***** *** **** profile ** ***.
***** ** *** ***** ******* (***, untested, ***), *** ** *** ***** being **********.?
** ** ********* *** *** *** been ************* ** *** **** ******** and ******** ***'* ***** ***** ** a ******* ***** ** ****** ********. They ***** ****** ** **** ******** on ***** *********** ***********.
*** **-******** *** ************** ***** *******. ***'* ******* ******* the ******** ** ****** ** ******* to *** **** ** ******* *** language ******* ** "**********" *** "*********" modes. **** ** *** ******** ********** of*** ******** ****** **-*******************.
*** ****** *** ******* ** ***** these ********* ** ****, *** *** years ** ******* **** **** **** update *******. *** * **** * customer **** *** ******* ********* **** the **** ** *****. **** *********** apparent ******:
*. **** **** ** ******* *** they *** ** **** ******* *********? Do ** ******** ******* ***** ****** to *******?
*. *** *** ** **** *** readers **** ** *** ******* *** directly **** ****** ** ******, **** it **** ** ** ***** ** behind *** ******? **** ****** ** required? ** ** ** ********* *** every ****** **** ***** **... ***.
*. ** * **** ** **** HID ***** **** ****** ** ******* to **-****** ****** *************? **** **** more ****.
*** **** ** *** **** ************ on ***-**** **** ******* ** ****** this *******.