HID Signo Access Control Readers Tested

By Brian Rhodes, Published Nov 11, 2020, 11:41am EST (Research)

*** ** ******* *** ************** ** "*** ********* **** ** access ******* ******* **** *** ******" but *** **** ** **** ****?

IPVM Image

** ****** *** ****** *** ********* Signo ******* (* ******* ********** ******** ******) ** *** *** **** stack ** ******* *********** (********* *****, Lenel, ********) ** *** ******** *****.

******, ** *******:

  • * *** ********* *** * *** weaknesses
  • ******** ****** *** ****** ******* *** it ******, *** ** ** ********** and *** **** ******** ** ******
  • ****** **** ******** ** ***'* *********
  • *** ******** ********** ************* ***** **** Signo
  • *** **** ** ****** **** **** 'Secure *******'
  • **** ******** *** ****** & *** lightbar *******
  • *** ***** *******
  • *** **. *********** ****** ****** **** Lenel & *****
  • *** **. ********

Key *********

*** **** ***** *** ***** ******* have ******* *** *********:

  • ********** ******: ***** ***** ***** ******** ********** BLE/NFC*** ******, ***** ****** ***** ** ****** SE ***** **** ******** ****-** *******.
  • ***-***** *************:***** ***'* ****** ******* *** **** detailed ************* *** ************ ** ***** faster *** **** ******* **** ********** readers **** *** *****.
  • ******** *** ***** *******:*** *** ****** ** **** *** top *** *** ****** ******* *** be *******, *********** ****** ***** **** aesthetically ******** **** ***** ***** *******.
  • **** ****** ******* *****:** ****** *********** ** *********** ***** OSDP ** '****** *******'. **** **** and ******* ********* *** ******** **** Signo *** *** ** ********** **/*** via *** *** ****** ******* ****** application.
  • ***** ******* **** *** ******: *** ****** ****** ******** ***** dirty/oily *********** ***** ****, *** ******* use ** ******** ** **** ** soil ******* ** * ****** **** 'tells' ****.
  • **** ********* **** ***** **: *****'* ******* ** ***** **** previous ***** ** ******* **** *** same ** ******-******* *********** *** **** access *******.

Key *********

*******, ***** *** **** ********* ** consider:

  • ** ************* **** *******:***** ****** **** *** *********, ***** does *** ******* ***** ************* *****, which ******** ********** ** *** *********** with *** *** *** *********. *** many, *** ****** **** ****** ******* issues.
  • ******* ********** **** *** *****:**** ****** **** ** ********** **********. 'On-the-wall' ****** ********** ******* ****** ******* is ********* *** **** ******* **** to *********. *** **** ***** **** configuring ****** ** ***** ******* *** be *******, *** *** ****** ******* app **** ** **** ** ***** reader ** *********.
  • **** ***** **** ***** ******* *******: ***** *** *** *********** ********* are **** ** **** ******* ********* than **. ** ***, *** **** shows *** **** ********* *** **** a *** ** ~*".
  • ****** ******* ****** ** *******:********** ****** ************* ******* ** ***** 'Profile' ******* ** ***** ** ****. We ****** *** '********' ******* **** reads ***** *** *** *** **.** MHz *******, *** ***** ******** ** not.
  • ***** **** **** *** ******: ******* ********** ******** ******** ********* several ****, *** *** **** ****** to ***. ***** *** ***** ****** were *****, ***** ******** ***** **** long ******* *** *** ** *******.

Multiple ****, **** ******** *****

** ***** ******* ***** ** **** July **** *** ******* ********* * number ** ****** **** ****** ****** and ************* **** ** ********** ********. For ***** ******, *** ********* **** with ******** ******* ** *** ******* or ** *** ************** ****.

*******, **** ******* *** ******* **** 3 ****** ***** ******* *** ***** fixes, **** *** ******* ******* ****** deadlines ** *****. *** **** ** the ********** ****** *** *** ***** was *** ** ** ********** ***** of ******** ***** *****.

Signo ** ***** ***** **** ****** **

*** ** *** ******* *********** *** Signo ** **** ******* *** ****** less **** *****, ************ ******* ****** SE ******.

**** ******* *** ***** ** ~**% - **% **** **** ********** ****** SE ******:

  • *******: *** **** ** $***, *** Signo ** ** $***
  • ****-*****: *** **** ** $***, *** Signo ** ** $***
  • ****-***** **** ******: *** ***** ** $630, *** ***** *** ** $***

*******, ****** ******* *** ***** *** is ~$*** *** ***** ** *** ~$250 (**** **** *** **** ******** credentials ********* ** *** '********' *******).

Signo ******** ** ****** **

***** ******** ** ****** ** *** older *** ****** *** ****** *** same ****, *** *** **** *-** VDC *****, *** ******* ** *********** using ******* ** ****.

***** ******** ********** *** **** *******, the ******** *********** *** ***** ******* compatibility ** *** ****.

*** ********** ***** **** ***** (*** readers ** *** ****) ****** ***** iClass ******* (*** *** *** *****):

IPVM Image

** **** *****, *** ** ******* and ********** ****** ** ********* *****. The ******* ********* ** ** ** immediate ***-**-**** ***** *** ****** ** readers ** ***** ******* *********:

***** ** ** ****** ** *** other *** ******* ***** ** * result ** **** ******.

*** ***, ****** ** ******* *** still ** ****** ******** **** **** support **** *** ******. **** ** discontinue ****** *********, ** **** ******** to ** ** *********** **** ************* for *** ********** **** ** ********** our ******** *** ********* **** ** make.

******, ****** ** ******** ****** '********* Available' ** ****** *****'* ******* ******* **************.

Signo ******** ********

*** ***** ****** *** **** ******* and **** ****** ******* (**). ** our *******, *** ******* **** ********** with *** ********* ** ******. ** our *******, ** ******** ***** ** the ******* *** *** **********'* ****-******* power.

***** ** ****** *** ******, ******** ****** ******** ****.*** **** *****:

  • ******* (**): *** ******* ***** ***** measures ~*.*" * *.*" * *.*.
  • ****-***** **** ****** (***): *** ****-***** unit **** * * * * capacitive ******.

** *** ***** *****, ** **** the ** *** ***:

*** ***** *** ****** ***:

  • ******* **** ****** (***): *** ********* in *** ****** ** ******, *** 20K ** * **** ******* ***** reader **** * * * * capacitive ******.
  • ****-***** (**): *** ****-***** **** ******** ~ *.*" * *.*" * *.*".

Signo *** ********** ******

******* ******* ******** ** **** ***** includes ******/*** ******* ** ********** *******, unlike *** ********** ******* ****** **** must ** ***** ** ****** **.

***** ********** ******* ********* *** ~$** - $** ** *** ***** ** an ****** ** ******, *** *** included ** *** **** ***** ** Signo ******.

Format *******/**** ********

** ****** ***** **** ******** **** both *** *** *** **.** *** credentials. ***** *** '********' ******* ***** version, ** ************ **** ******* ***** 'external' *********** ********** ******* **** *** reader:

  • *** *** ***
  • *** ****** ****
  • ****** *******
  • ****** ******* *** & ***

*** ******* **** ** * ***** of ~*.*" ** *". ** ****** more **** *** ***** **** **** type, ******** **** **** ** * general ***** ***** ** *** *****:

IPVM Image

************ ** *** ****, *** **** range *** *** *** ***** *** close ** *** **** (********* ****** an ****) ** **.** ***. ** asked *** ** **** *** ******* or ***, *** **** ******** ** as * ************ **** ******** **********-***** variables:

** * **** *****, **** **** results *** *** *******, *** ** is ********* ** ******* ******* **** information ** *** ***** ***** *** reader ****** ***** ******.

...**** ******** ********** (*** ****, ******, Seos, *******, ***.) ****** *** **** card *************, ********, ********** **** ******** platforms, ******* *******, ********** **********, ******* manufacturing ********, *** *****-**** ********** **************, all ** ***** **** ****** **** range.

************, ************* ******* ****** *** ****** (e.g. ***** ******** *******) *** ************* impact **** *********** ** **** *********** while ****** **** ****** ** ******.

** *** ****, ** *** *** have *** ****** *********** ******* **** a **** ** ***** *-*** **** could *********** ********* **** *****.

Keypad ***** ************

*****'* ****** ****** ****** *** ** changed (* ****** *********), **** ** the *** ******** ** *** *** of *** ****:

******* ******* ****** *** ******* *** are *********, *** ***** **** *** lighting ** ****** *******, *** ******** for ******** **. ******** ***** *** be ********** ** *** ***:

IPVM Image

** *** *******, *** '*****', '****', and '****' ******* ****** ** **** compared ** ******* ******, **** ** bright ********.

Mobile ****** ******** ****** ****

** *** *******, *** *** ****** strength ************* *** ******** *** ***** work ****.

*** '*** ********' ******* ****** ***** to **** **/*** ******** *** ** configure ********** ******, ********* ** ***** of *** ********. ** ***** ** granularity, ****** ****** **** * *** resulted ** ********** *** ******** ******** changes ** ******* ******:

IPVM Image

***** **** ****** ****** ******* **** similar '****** ********' ***********, *** ****** impact ** *** ******* ******** ** often *** ********** ****** *** ******* are ****. *******, ***** ******* *** much **** ******** *** **********.

** ***** ** ***, ****** ******** values ****** ** ******* ********* ***** detected. *** ******* -** *** ******** in * **** ***** ** ~* inches.

Wiegand ** **** *** **** *****

*************, ********** ** ******* ** **** is ****, *** **** **** ***** are ********, **** ***** *** ***** used *** ****** **/** ** **** A/B.

*** ***** ** ***** ***** *** pigtail ***** ********* ***** ***** ** the *********:

***** ******** ************ ** *** **** for ****** ********, *** ****** ** use *** **** ** *** ***** is **** *** *** ****** ******* app ******** *****.

App-based ************* ****

****** ******** *** *******, ***** ** configured ********'* ****** ********** ****** **** ****** ********** '************* cards'.

***** *** ***, ********** *********** ******** via *** ** *** ****** *** performing ******** ****** ***** **** ****** reader ********, ****** ****** ********, *** assign *** ********-*********** ****** ***** *** that *** ***** '***' (****'* ** shown *****).

*** ***** ***** ***** *** *** and *** ** ** ********* **** to ********* *****:

** *******, *** *** ** **** faster *** ****** ** *** ** make ****** ******* ******** ** ************* cards, *** ***** ******** * **** to **** * **********, ***, *** be ******** ******* ** ***** **, while ***** **** ******* ******, ***** presentations.

Each ****** **** ** ************ **********

*** ** *** ******* ********* **** Signo ** **** ******* *** *** to ****** *** ****, **** ****** requires * ***** ********** *** *** to * ***** ** ****** ** make *** *******.

***** *** **** ******* ********** *** OSDP ** ** ***********, *** ******* is *** ******** *** *********** **** to ** ****** *** ***** ** configure * ******.

************, *** *** ****** ***** ******** individual ******* *********, ** **** ***** is ********* ** '*** ******' *** technicians *** ****** ** **** ******** finding ******** ***** ****** **** *** close ** * ****** ** ********* its ******** *** ****** ********:

IPVM Image

*** ***** ***** ************ **** *****:

Signo ** ********

************** *** ******* ****** ** *** *** ***-**-*** ****** and ** * *** ***** ***-**. Comparing ** *** ** *** *** party ****:

  • ****** *******: ******** ~$*** ******* *** moderately **** ********* **** ***.
  • ******* *******: *** ** **** ********* than ******** **** *** ***** ** employees ** ***** ** *** *** the ********, **** *****. ******** ***** pay ~$**/***** *** ****** ** *** mobile ***********. *** ******, *** ******* $0.50/month *** ****, *** *** ******.
  • ******** ***************: ********'* ****** ****** ******** that *** **** ***, ******* '***** Unlock' *** * *********** ********** ******** process. ******** ***** *** ************* *** where *** **** *********.
  • *** ***** ***************: *** ****** * keypad *** ********** ***** ****** ***** Openpath **** ***.
  • ******** **********: ********'* ********* ******** **** also ******* ****-******* *** ************** ******** channel ********* (**** ** ****** *** property ********** *********) ***** ***** ** be **********.
  • *** **********: *** ** *** **-** choice *** * ***** ******* ** the ******** ******.

HID ***** ******** ** *****/********-******** *******

***** *** ** *** ** *** biggest ****** *** ******** ***********, *** company **** *** * ******* ******* of ****** ***** ** *** ******** access ******* *****. *** *** ********** been **********-***** ********** ****** ******* ****** ************, ** ***** (***** *** ****** release) ** ****** ** **** * significant ****** ******** ** * ******.

*******, *** *** *** ******** ** physical *********** *** *******, *** ****** credential ****** ** ********** **** ** strong *** ***** ****** ******.

******, ********** ********* (*.*.,*************) **** ***** *** ****** *** 'mobile *********' **** **** **** **** their ********** *******.

****** ******** *** ***** & ****** is *** ************ ******** **** ***** used ** ***** *******, *** ******* pricing *** ******** *** *********** *** be **** ********* *** ****** ** manage *********** **** ******, ******** ****** vendors.

*******, ***'* ******** ****** *** ***** multi-access ****** *********** ** *** * single ****** ******. ** *******, '***** environments' *** ********** **** *** **** expensive ****** ** ** *** ****** in ***** ** ****** **** *** management ***** ********.

Device ******* & ******** ****

  • ****** ** *** ******* *** **.*
  • ** ** ******* ******* *.*.* '****' Software ******* *******
  • ****** *****, (******: **, ***) **** with *********: ***.*.*.*
  • ****, **, *** **: **.** / Bluetooth ***** ***.*
  • *** ****** **.*.* (***** *********)
  • *** ****** ******* **.*.* (***** ***.*)

Comments (47)

No centralized configuration is a deal breaker for large enterprise systems.

Agree: 6
Disagree
Informative
Unhelpful: 2
Funny

Dwayne,

Which access platform offers a centralized reader configuration? I'm used to having to take a configuration card to each HID reader if we need to change the configuration from the factory.

Thanks,

Greg

Agree: 5
Disagree
Informative
Unhelpful
Funny

Openpath needs a keypad version of their reader to entice a larger portion of the market to migrate towards mobile credentials, IMO

Because of this, I see the HID Signo platform being much more attractive overall. That main drawback you highlighted about having to be within BLE range to manage each reader individually is certainly unacceptable, though, and I can't see HID going on too much longer without a solution for that ... that is something a startup would normally do (leaving an obvious logistic hole that they are promising to fix "soon", or "in time for ISC West (!?!)"

Agree: 1
Disagree
Informative: 2
Unhelpful
Funny

fix "soon", or "in time for ISC West (!?!)"

Is that ISC West in March, July, or October? ;)

Agree: 1
Disagree
Informative
Unhelpful
Funny: 4

Lol ... well, at this time it does appear they'd have three shots at it, probably missing the first! There's quite a few manufacturers at this time of the year saying most anything newcoming will be a "Q1 sort of thing"

Agree
Disagree
Informative
Unhelpful
Funny

Is that ISC West in March, July, or October? ;)

I just want to congratulate myself for having called this before ISC West actually moved the show to July ;)

Agree
Disagree
Informative
Unhelpful
Funny

This was supposed to be one of the features of OSDP to be able to download updates to a reader. The only system I know of that does this is Lenel's BlueDiamond readers. I'm sure there are others though.

Agree
Disagree
Informative: 1
Unhelpful
Funny

Wavelynx readers support file transfer via OSDP.

Agree
Disagree
Informative
Unhelpful
Funny

I think many OSDP readers support file transfer; it just depends on the headend platform utilizing the readers and whether that software will send files to the reader.

Agree
Disagree
Informative
Unhelpful
Funny

Hey there - James here from Openpath. We've got the keypad reader on our roadmap so we hear you and appreciate the feedback.

Agree: 1
Disagree
Informative: 2
Unhelpful
Funny

The bigger issue outside of no centralized configuration is that -- as of now -- there is no ability to order readers with a custom configuration from the factory.

That, to me, is unconscionable and completely unacceptable. While I didn't see where the test covered this, it's even more unconscionable because of the fact that "templates" can be created that allows you to deploy from the mobile app to a reader without selecting individual options within each reader -- you go through and select the options you want, apply it to a template, and then as you connect to each reader, you can simply apply the template you've created without having to manually configure each option within the reader.

If the option to create a template exists, why can't we send that template to HID and they apply it at the factory? I would even understand if there was an additional per-reader charge for a custom configuration, but even that isn't an option!

My team and I have been extremely vocal about this issue to HID and they assure us this will be changing, but the fact that it was even launched is a massive oversight by HID.

Agree: 4
Disagree: 1
Informative: 1
Unhelpful: 2
Funny

You know, I usually don't pay any attention to the "votes" I get on a topic, but I'm baffled at how this got a disagree and two unhelpful votes.

Does someone actually think it's preferable that these readers can't be ordered with a set configuration from the factory?

Agree
Disagree
Informative
Unhelpful
Funny

I believe that's what this page will be used for: (soon if not already)

Product Configurator | HID Global

Agree
Disagree
Informative
Unhelpful
Funny

In the past, that's been a tool to help zero-in orders to specific (already available) part numbers. See our post: HID Product Configurator Examined.

I'll ask HID to confirm, but I don't think that HID is planning for custom configuration orders through this configurator.

Agree
Disagree
Informative
Unhelpful
Funny

Adding to what Brian said, that page has been around for a long time, including with the iClass SE-series readers. All it did for the iClass SE-series is help you generate a "standard config" part number, or tell you to contact HID because you want a custom part number.

Since the majority of the options for the Signo readers are configurable within the readers themselves, I'd wager that website is even less helpful for the Signo than it was for the iClass SE...but hopefully I'll be wrong.

Agree
Disagree
Informative
Unhelpful
Funny

I just created an entire set of custom configurations and was able to obtain custom part numbers within a day. It does require obtaining a custom part number but if it is something that you will need often, it is an easy way to ensure integrators order the reader pre-configured without having to deal with the reader manager app in the field.

Agree
Disagree
Informative
Unhelpful
Funny

Could you list the issues that the early firmware versions had that delayed your testing?

Agree
Disagree
Informative
Unhelpful
Funny

The default reader firmware was R10.0.0.31. HID issued a service pack named R10.0.1.3. Some of the most significant issues:

  • Mobile credential keys could not register correctly in Signo 40K.
  • OSDP worked in Mercury LP but did not in other controllers (Axis, Verkada)
  • Changes were made in the Reader Manager App that were not saved in the reader
  • Keypad color was fixed Red (not changeable)

The update fixed the above issues.

Agree
Disagree
Informative
Unhelpful
Funny

I like the rugged feel of the iClass SE units, how do the Signo's hold up to minor abuse? The one thing I always wanted was a metal (aluminum or stainless) for the iClass SE units as the plastic mounting bracket is a weak point--makes it too easy to pull one off the wall.

Agree
Disagree
Informative
Unhelpful
Funny

The textured ABS material holds up to minor abrasions/scratches fairly well. It can get gouged or nicked if bluntly hit, but the material hides cosmetic damage well.

The material doesn't carry oils or show streaks.

The mounting bracket is plastic, but it is fairly thick (~0.125") and prying attacks could happen but it would take more than a casual blow to knock loose.

We did not expose the readers to ice/cold weather or extended UV exposure.

Agree
Disagree
Informative
Unhelpful
Funny

Thanks for the info. I still support a bunch of Prox 5355 keypad units on the side of buildings in west Texas, fully exposed to the weather, with very few failures. The new bracket design does seem to be significantly stronger due to the side flanges which should give it a lot more resistance to a pull-off.

I wonder if there is enough space between the bracket and the reader to use a pan head screw with a washer? Just the 6-32 flat head screw doesn't provide much holding force...

Agree
Disagree
Informative: 1
Unhelpful
Funny

I wonder if there is enough space between the bracket and the reader to use a pan head screw with a washer? Just the 6-32 flat head screw doesn't provide much holding force...

For standard panheads, there will be. The back of the reader is recessed at least 0.125" (maybe more) from the bracket.

The bracket holds the reader secure around the sides of the reader not a few tabs along the back.

Agree
Disagree
Informative
Unhelpful
Funny

Here are some raw pictures I just took of the bracket/standoff distance for clarity. Let me know if you want a different image and I'll try to oblige:

IPVM Image

IPVM Image

IPVM Image

Agree
Disagree
Informative: 1
Unhelpful
Funny

Yeah .... while it would be nice for certain applications to have a metal bracket, if that bracket was metal it could possibly snuff out the read range

Agree: 1
Disagree
Informative
Unhelpful
Funny

Two things here:

1. To me, the mounting plate of the Signo feels considerably more substantial than the mounting of the iClass SE readers. As Brian notes, the mounting plate is a heavy, rigid plastic and seems much less susceptible to breaking or bending than the old iClass SE mounts.

2. The Signo readers supposedly have an "auto-tuning" feature to help alleviate interference from surrounding metal mounting (i.e. mullions, etc). I've not had the chance to test this extensively, but there are even some options in the Reader Manager app on signal tuning to help alleviate this. Would be interesting to see how that works, especially with a metal bracket like you mention.

3. I don't have a Signo reader in front of me at the moment (will be back to my desk later), but I would caution Brian's statement regarding the space behind the reader. There is a tamper switch on the back of the reader and a "knob" on the plate (shown on the right side of Brian's first picture) that depresses the tamper switch -- and to my recollection, the back of the reader is EXTREMELY tight to the mounting plate once it's depressed -- I don't recall there being much room there at all. Maybe enough room for a wash, but...I seem to recall it being tight.

Agree
Disagree
Informative: 2
Unhelpful
Funny

Brian,

In your video I was waiting for you to turn over the Brivo reader. Does it use the same Wavelynx stamped metal mounting bracket as the Isonas RC-04 readers that Wavelynx makes?

Thanks

Agree
Disagree
Informative
Unhelpful
Funny

Does it use the same Wavelynx stamped metal mounting bracket as the Isonas RC-04 readers that Wavelynx makes?

Yes it does.

Agree
Disagree
Informative
Unhelpful
Funny

I am not a fan of the reader manager app. Not the easiest to navigate. Definitely could use some help.

Agree
Disagree
Informative: 2
Unhelpful
Funny

The best thing about Signo is the mullion mount keypad reader. This has been like the elusive unicorn!

Agree: 1
Disagree
Informative: 3
Unhelpful
Funny

Interesting, thanks. Are you quoting/selling that model more than the others?

Agree
Disagree
Informative
Unhelpful
Funny

I have problems getting the sales staff to quote what I tell them. You know old habits are hard to break. We are only selling that model when necessary, probably just a few of those. The mullion keypad is great when the application demands it but is not as user friendly as a standard keypad reader.

Agree
Disagree
Informative: 1
Unhelpful
Funny: 1

Brian, another context to this, we have numerous accounts in the childcare and shipping/logistics business that use a mullion keypad reader for exterior access because the doors for most of their buildings are storefront style.

By having both you can issue the parents/truckers pin codes and the staff can use access cards like they do for the doors on the interior of the facility. At the moment we sell a lot of the IEI keypad readers for this reason, but they only support 26 bit Wiegand so going forward it will be problematic to use them.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Openpath and Proxy ... are you listening? There is still a very reasonable and sizeable use case for having embedded keypads on readers, even if they are BLE enabled readers.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Hey there - James here from Openpath. We've got the keypad reader on our roadmap so we hear you and appreciate the feedback.

Agree
Disagree
Informative: 1
Unhelpful
Funny

I really like the fact these are available in just the two different sizes.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Quick Clarification:

IF a client does not want the bells/whistles of mobile/NFC but wants iclass security, the new SIGNO readers are roughly $10 more than the basic iClassSE reader. Personally I think this represents excellent value; just wanted to clarify the pricing differential between the new and old.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Important to know that IF you want to program the readers with the Mobile App, then you must register the account with HID. IMO this is currently a cumbersome process at best, requiring end-user involvement in a process that they may not see as important in the first place. In other words, hard to get them to "finish their part" with HID in order to complete the installation.

Yes, for large accounts with elevated security concerns, this process provides a layer of "tamper-proof-ness". However, for integrators whose business is dominated by smaller accounts where operations trumps security in many cases, I have already experienced this as a road-block to a smooth installation.

I am hopeful this evolves into a strong Managed Services portal that we can use to provide a value-added service to our accounts, for a fee. Currently......not so much.

I have voiced my concern to our HID rep and he encourages others to do the same with their reps.

Agree
Disagree
Informative
Unhelpful
Funny

"Important to know that IF you want to program the readers with the Mobile App, then you must register the account with HID. IMO this is currently a cumbersome process at best, requiring end-user involvement in a process that they may not see as important in the first place. In other words, hard to get them to "finish their part" with HID in order to complete the installation."

As far as I know, this is not true. You do need an account with HID to use the reader manager software but you do not need to register the site with HID.

If you do not register the site to get a MOB key you can still use Signo readers with Reader Manager by cycling power on the reader.

Agree
Disagree
Informative
Unhelpful
Funny

Looks like HID issued a Product Security Advisory for the Signo Readers.

Agree
Disagree
Informative
Unhelpful
Funny

Thanks. Here's the link: HID-PSA-2020-02

The risk includes some non-Signo iClass SE reader models too, the report describing the risk states:

Nordic Semiconductor has identified a fault injection attack that may allow an unauthorized individual to bypass the APPROTECT feature of the nRF52 chipset family and reactivate the debug interface on all nRF52 chipsets. An attack of this nature may enable an attacker to write to the device’s memory, allow the attacker to read the memory of the nRF52 device, or allow the installation of a malicious variation of the device’s firmware on the device.

Gaining physical access to the reader's nRF52 chip can enable an attacker to exploit the weakness. Further details of the risk or exposed data are not included in this notice, but I'll ask HID to comment.

If anything, this reinforces the importance of connecting and monitoring the reader's tamper switch.

Agree
Disagree
Informative
Unhelpful
Funny
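One way to act on the tamper-switch point above, as an added example that is not part of the original thread or of any HID or controller tooling: since the advisory's attack needs physical access to the reader's chip, this sketch scans controller events for a tamper alarm followed by the same reader losing power, and also reports tamper alarms and power losses that occur alone. The `timestamp,reader,event` export format, the event names and the sample lines are constructed assumptions; real controllers use their own.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp,reader,event" export.
# Event names are assumptions; map them to whatever your controller emits.
SAMPLE_EVENTS = """\
2020-11-20T02:10:05Z,lobby-east,ACCESS_GRANTED
2020-11-20T02:14:07Z,dc-cage-01,READER_TAMPER
2020-11-20T02:15:30Z,dc-cage-01,READER_OFFLINE
2020-11-20T02:41:12Z,dc-cage-01,READER_ONLINE
2020-11-20T02:41:20Z,dc-cage-01,TAMPER_RESTORED
2020-11-20T09:00:00Z,dock-03,READER_TAMPER
2020-11-20T09:00:04Z,dock-03,TAMPER_RESTORED
2020-11-20T11:30:00Z,lobby-east,READER_OFFLINE
2020-11-20T11:30:45Z,lobby-east,READER_ONLINE
this line is malformed
"""

Finding = namedtuple("Finding", "reader kind start end")


def parse_events(text):
    """Return (events sorted by time, rejected raw lines)."""
    events, rejected = [], []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = [p.strip() for p in raw.split(",")]
        try:
            if len(parts) != 3:
                raise ValueError("expected 3 fields")
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            rejected.append(raw)  # keep for review; never drop silently
            continue
        events.append((ts, parts[1], parts[2]))
    events.sort(key=lambda e: e[0])
    return events, rejected


def pair_outages(reader_events):
    """Pair READER_OFFLINE with the next READER_ONLINE; end is None if still down."""
    outages, start = [], None
    for ts, event in reader_events:
        if event == "READER_OFFLINE" and start is None:
            start = ts
        elif event == "READER_ONLINE" and start is not None:
            outages.append((start, ts))
            start = None
    if start is not None:
        outages.append((start, None))
    return outages


def find_suspect_readers(text, window=timedelta(minutes=30)):
    """Classify tamper alarms and power losses per reader.

    tamper_then_power_loss    : tamper alarm, then the reader went offline within
                                `window`; consistent with removal from the wall.
    tamper_only               : tamper alarm with no outage after it.
    power_loss_without_tamper : outage with no tamper alarm before it; worth a
                                look where the tamper input may not be wired.
    """
    events, _rejected = parse_events(text)
    by_reader = {}
    for ts, reader, event in events:
        by_reader.setdefault(reader, []).append((ts, event))

    findings = []
    for reader, evs in by_reader.items():
        tampers = [ts for ts, e in evs if e == "READER_TAMPER"]
        escalated = set()
        for off, on in pair_outages(evs):
            prior = [t for t in tampers if timedelta(0) <= off - t <= window]
            if prior:
                escalated.update(prior)
                kind = "tamper_then_power_loss"
            else:
                kind = "power_loss_without_tamper"
            findings.append(Finding(reader, kind, off, on))
        for t in tampers:
            if t not in escalated:
                findings.append(Finding(reader, "tamper_only", t, None))
    return sorted(findings, key=lambda f: (f.start, f.reader))


if __name__ == "__main__":
    for f in find_suspect_readers(SAMPLE_EVENTS):
        print(f.start.isoformat(), f.reader, f.kind, "until", f.end)
```

The check only has something to work with if each reader's tamper output is actually wired to a monitored controller input and those events are exported.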

Brian:

Can you share what HID says about this and when it will be fixed? Our infosec team sent me the same advisory but also included the security researcher's report.

https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass/

I guess this has been known since June and affects all Signos that have shipped.

As explained to me, the issue is that the Signo reader (being a radio device (~300ft)) can have its firmware replaced by rogue software without physical damage to the device and there is likely no way to detect or audit it in our supply chain or after it has been placed on a wall.

This means that, like the Wiegand sniffing attack, someone can capture credentials, store, transmit them from within a rogue reader. This is a problem for our datacenter folks.

What concerns me about installing Signo today is that it appears the problem can't be fixed with a future software update... and identifying and replacing compromised Signos in the future may be a problem. It's already tough to justify $300+install on a new reader anyway.

On the positive, good of HID to put out the notice, at least we can get in front of it, would have been worse if we had already deployed.

Maybe some of that black epoxy inside the reader can make this go away :-)

Hopefully HID has good news on a fix.

Agree
Disagree
Informative
Unhelpful
Funny

I just read through both pages of the report and I can say you had it explained to you incorrectly. As the researcher shows (and is mentioned in the HID advisory) you have to have physical access to the debug on the chip. So they'd have to literally disassemble the reader to be able to access/update the firmware for any attack to be effective. Yes, once they have access to load their own firmware, they could include software that might be able to actually grab unencrypted credential data being sent to the ACS.

Quite honestly though, it's going to be easier to gain access using social engineering techniques (i.e. bribe the integrator staff) than go through the trouble of reverse engineering the reader, onsite.

Agree
Disagree
Informative
Unhelpful
Funny

nRF52 Debug Resurrection (APPROTECT Bypass) Part 1 - LimitedResults

see this excerpt, the words in bold are emphasis they made:

In this blogpost, a low-cost fault attack has been successfully achieved on nRF52840. It allows an attacker having physical access to bypass the APPROTECT to reactivate the SWD debug interface permanently

If I understand the risk, it is making a reader permanently nonfunctional by tampering with firmware.

I gather that this particular chip is used in several consumer devices (the author proves the vulnerability on his own wireless mouse: )

IPVM Image

so the risk is fairly widespread, but not serious in the sense it leads to doors being hacked open directly.

Again, I'll push HID on that point and followup with their response.

Agree
Disagree
Informative
Unhelpful
Funny

Hi Brian - in your testing were you able to get a non-HID Desfire/ev2 card to work with the Signo? The HID Desfire with SIO works in our setup but not non-HID desfire cards... we haven't been able to get any info on putting our own desfire key/appid into the reader. HID manager doesn't seem to have a place for it. thanks in advance.

Agree
Disagree
Informative: 1
Unhelpful
Funny

Interesting question. Our test indeed used (factory default) HID keys, but I'll ask how to write custom DESFire keys to the app for non-HID DESFire.

Agree
Disagree
Informative: 1
Unhelpful
Funny

Hello William:

HID responded to this question, I believe this is the concise answer:

Currently, for custom data implementations of MIFARE DESFire on HID Signo readers, system administrators must securely transfer cryptographic key material to HID via a key ceremony so that it can be securely programmed into Signo readers during production. Once this is complete, customers can order Custom Profile HID Signo readers pre-configured for their specific implementation.

Here is their full response:

Here is the detailed response to the inquiry. Let me know if you have additional questions:

As illustrated in the graphic below, HID Signo readers can be ordered with one of four “Profiles”.

IPVM Image

During the initial release of HID Signo, we established 3 credential profile options, Seos, Smart and Standard. HID Signo readers with either “Smart Profile” or “Standard Profile” fully support MIFARE DESFire credentials using the Secure Identity Object (SIO) data model. The goal for initial firmware launch was to support the most common and secure use cases.

HID offers MIFARE DESFire cards preprogrammed with the SIO and tools that enable customers to program 3rd party MIFARE DESFire cards with an SIO as part of the in-field issuance process. These credentials and tools make it relatively simple to implement security best practices for cryptographic key management across both credentials and readers.

We understand that custom data applications on MIFARE DESFire are desired by some customers. Recently, we expanded the HID Signo capability to support a wider range of credential technologies and custom data models through the introduction of the Custom Profile option. This enables HID Signo readers to support the custom data/key approach on MIFARE DESFire as referred to within the IPVM post.

Currently, for custom data implementations of MIFARE DESFire on HID Signo readers, system administrators must securely transfer cryptographic key material to HID via a key ceremony so that it can be securely programmed into Signo readers during production. Once this is complete, customers can order Custom Profile HID Signo readers pre-configured for their specific implementation.

Agree
Disagree
Informative
Unhelpful
Funny

Thanks Brian - appreciate the review and the followup.

I think I understand - that Signo WILL support generic DESFire cards purchased from any vendor, not just HID, correct ?

eg our procurement wants freedom to negotiate pricing with different vendors (a reason we would not go seos).

I understand that for signo to support non-HID SIO desfire cards that we must pre-select the desfire keys in advance, send them to hid and hid will program them into the reader at the factory, correct?

q. will there be a configuration card, hid manager template or osdp way to change these keys in the future (key cycling, acquisitions etc), or do we have to replace the reader again ?

we have been looking at wavelynx and lenel blue diamond as a replacement and they both seem to offer a config card to set the desfire keys and allow use of non-vendor desfire.

maybe a suggestion back to HID is to allow field updates so they can compete with the other readers.

appreciate the information, it's been tough cutting through the marketing...

Agree: 1
Disagree
Informative
Unhelpful
Funny