Flipper Zero Makes 125 kHz Prox Cards "Actually Dangerous," Says HID Director

Published May 10, 2024 13:23 PM
While HID refuses to stop selling 125 kHz Prox cards, an HID director this week publicly declared that Flipper Zero makes these cards and readers "actually dangerous," the latest in a series of remarks challenging his employer HID's profitable sales.

IPVM has in-depth testing and reporting on Flipper Zero and HID vulnerabilities, including:

HID Director: Flipper Makes 125 kHz Cards "Actually Dangerous"

HID Business Development Director Phil Coppola commented on a LinkedIn post about a Flipper Zero advertisement on copying/cloning 125 kHz credentials, saying, "the flipper renders 125kHz Prox-based cards and readers not just obsolete, but actually dangerous." [emphasis added]

We contacted HID HQ, asking if they agreed with this. HID never responded to us, but shortly thereafter, Coppola edited his comment, softening the language:

IPVM Image

Ongoing Criticism Of 125 kHz Prox

This criticism is part of a long series of public pleas that HID's Coppola has made to stop using 125 kHz prox, especially because of the rise of Flipper Zero. Four more posts from the last five months are highlighted below:

IPVM Image

HID Continues To Sell And Support 125 kHz Prox

Despite acknowledging the security risks of 125 kHz Prox credentials and declaring them "legacy," HID continues to sell and support these outdated products. Nearly half of all physical access credentials in use still rely on insecure 125 kHz Prox technology (see Prox / 125 kHz Access Control Credential Usage Statistics). HID's inconsistent messaging undermines the security of physical access control systems.

Migration From "Legacy" Falls Short

HID's narrative on "migration" away from 125 kHz Prox technology has been prominent for over a decade. However, HID continues to sell and support these credentials, shifting the blame to its partners and customers for buying outdated and insecure credentials from them.

No Comment From HID

HID did not respond to IPVM's request for feedback on our questions. If they do, we will update the report with their comments.

Comments (2)
Undisclosed #1
May 10, 2024

Changing the statement is more likely due to company liability than correcting a falsehood.

Of course, enabling the nefarious use of Flipper Zero and other similar tools is dangerous. Anyone could name dozens of scenarios where this could be dangerous.

Without the ability to post this statement anonymously, I would expect to get a call from our global director of security. Why? Because of liability.

Keep it up Phil. You're one of the foremost experts on this subject. HID should stand behind your statement and begin phasing out 125 kHz Prox.

Rick Caruthers
May 11, 2024
Galaxy Control Systems

Change comes from the top, and in the world of 125kHz prox that is HID. It is very disingenuous for them to have someone like Mr. Coppola constantly use social media to criticize this technology all the while his company profits greatly from its existence. I'm not saying his messages are off base; in fact, I agree with most all his posts. Leading by example would be to:

1). Discontinue the 125kHz only product line.

2). Refrain from bringing forth lawsuits against anyone that is building or trying to build readers that bundle low and high frequency technologies.

Both of these actions will help decrease the amount of low frequency products in the market. I don't expect either of these things to happen anytime soon.

Just to be fair, we resell HID and other brands and the low frequency readers are the most popular ones used. We promote the use of more secure formats but in the end the dealer/customer must decide their path.
