HID Should Stop Selling And Supporting 125 kHz

Published Sep 27, 2023 16:06 PM
PUBLIC - This article does not require an IPVM subscription. Feel free to share.

HID should stop selling and supporting 125 kHz credentials. Not only have such credentials been cracked for many, many years, but new devices make it easy to exploit the 125 kHz support that HID readers carry in their "standard" profile, which lets an attacker downgrade and clone "high security" SE / Seos credentials as well.


Since HID claims to offer "unparalleled security," it should live up to its branding and ensure that the government, enterprise, and critical infrastructure users that depend on it are not exploited.

HID is, by far, the largest access control credential and reader provider. Its dominance gives it unparalleled power and exposes its customers to unparalleled risk. By ceasing to sell and support 125 kHz, HID could substantially improve its end users' security.

No reader that supports "high security" SE / Seos should also support 125 kHz, since that support inherently enables the downgrade attack: the data from a Seos card, copied onto a 125 kHz card, is accepted by the reader exactly as the original would be.

Over the years, some have argued that 125 kHz credential usage only harms those who use 125 kHz credentials, but these new devices show that the damage extends to everyone whose readers still accept 125 kHz, whatever credential they carry.

No "Transition" / Over A Decade

While some argue for a "transition," 125 kHz cards have been cracked for far more than a decade. Even ten years ago, HID acknowledged:

There is no security, they’ve been hacked, there’s no protection of data, no privacy, everything is in the clear

Indeed, five years ago, we called on HID to stop selling 125 kHz cards. At that time, HID assured:

Our field teams disclose these known vulnerabilities in virtually every 1-on-1 customer (channel partner, consultant, or end customer) meeting regarding readers/credentials. These conversations are always followed by discussion of steps to mitigate the vulnerability through credential migration.

Now, five years later, the situation is even worse. Not only does HID continue to sell 125 kHz cards, but these new devices expand the danger to its "high security" credentials.

Instead of proactively warning its customers, HID has kept this quiet. Responding to IPVM's concerns, it said it knows of "no security incidents" using this and told individual customers to go and disable the insecure settings that HID itself ships as the default on "standard profile" readers.

Software Vs. Hardware Approach

If this industry, and HID, truly want to be security providers in a software world, HID should adopt the practice of software companies: fix or end-of-life products that have been proven, for well over a decade, to have "no security", as HID itself admitted a decade ago.

Need End of Life

Standard security practice is to end-of-life fundamentally flawed products such as IE, ActiveX, Flash, etc. HID could, at least, set an end-of-life date after which it stops selling or supporting 125 kHz credentials. The move away from 125 kHz credentials is said to be in "transition," but with no set date for completing it, the move to more secure access control keeps being delayed. By setting an end-of-life date, HID can drive the transition to more secure credentials and reduce the vulnerabilities of the access control systems that depend on it.

Problems Worsening

Exploiting 125 kHz credentials is getting more accessible, with services like MrKeyFob and devices like the Flipper Zero running Seader, which can read the card data from SE / Seos cards and then copy it onto 125 kHz cards in a few steps. Historically, the SE / Seos attack required harder-to-use hardware (e.g., a Proxmark3) connected to a computer running special software.
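The following is an added worked example, not code from IPVM, HID or the Seader project, showing why the downgrade described above and in the earlier sections works. An access control panel never sees which credential technology was presented; it only sees the Wiegand bits the reader emits. The example encodes and decodes the common 26-bit H10301 Wiegand format (8-bit facility code, 16-bit card number, even parity over the first half and odd parity over the second), then models a dual-technology reader in two configurations. The `Credential`, `Reader`, `clone_to_prox` and `panel_decision` names are simplifications written for this article (they are not HID firmware or HID APIs), the facility code 100 / card number 12345 are constructed sample values, and the RF layer of a real 125 kHz card is deliberately left out; the point is that a "standard profile" reader with 125 kHz enabled makes the clone and the original indistinguishable to the panel, while a reader with 125 kHz disabled never emits anything for the clone.

```python
"""Downgrade attack model: Seos PACS data cloned onto a 125 kHz Prox card.

Added example for this article; not HID, IPVM or Seader code.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


def h10301_encode(facility_code: int, card_number: int) -> str:
    """Build a 26-bit H10301 Wiegand frame as a string of '0'/'1'.

    Layout: bit 1 = even parity over bits 2-13, bits 2-9 = facility code,
    bits 10-25 = card number, bit 26 = odd parity over bits 14-25.
    """
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("H10301 needs an 8-bit facility code and 16-bit card number")
    payload = f"{facility_code:08b}{card_number:016b}"  # 24 data bits
    even_p = str(payload[:12].count("1") % 2)           # makes bits 1-13 even
    odd_p = str((payload[12:].count("1") + 1) % 2)      # makes bits 14-26 odd
    return even_p + payload + odd_p


def h10301_decode(frame: str) -> Tuple[int, int]:
    """Validate both parity bits and return (facility_code, card_number)."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("not a 26-bit Wiegand frame")
    if frame[:13].count("1") % 2 != 0 or frame[13:].count("1") % 2 != 1:
        raise ValueError("H10301 parity error")
    return int(frame[1:9], 2), int(frame[9:25], 2)


@dataclass(frozen=True)
class Credential:
    # "seos": 13.56 MHz, mutually authenticated; "prox": 125 kHz, cleartext.
    technology: str
    facility_code: int
    card_number: int


@dataclass
class Reader:
    """Hypothetical dual-technology reader; prox_enabled mirrors the
    'standard profile' default the article describes (125 kHz on)."""
    prox_enabled: bool

    def read(self, cred: Credential) -> Optional[str]:
        if cred.technology == "prox" and not self.prox_enabled:
            return None  # 125 kHz disabled: the clone is never even read
        # Either technology ends up as the same Wiegand bits on the wire.
        return h10301_encode(cred.facility_code, cred.card_number)


def clone_to_prox(seos_card: Credential) -> Credential:
    """Model of the Seader -> 125 kHz workflow: take the PACS data read from
    the Seos card and write it to a writable 125 kHz card."""
    return Credential("prox", seos_card.facility_code, seos_card.card_number)


def panel_decision(frame: Optional[str], enrolled: Set[Tuple[int, int]]) -> str:
    """The panel sees only Wiegand bits, never the credential technology."""
    if frame is None:
        return "no read"
    return "granted" if h10301_decode(frame) in enrolled else "denied"


def demo() -> Dict[str, str]:
    """Run the four interesting combinations and return the panel outcomes."""
    legit = Credential("seos", 100, 12345)            # constructed sample values
    clone = clone_to_prox(legit)
    enrolled = {(legit.facility_code, legit.card_number)}
    standard = Reader(prox_enabled=True)              # article's insecure default
    hardened = Reader(prox_enabled=False)             # 125 kHz disabled
    return {
        "seos_on_standard": panel_decision(standard.read(legit), enrolled),
        "clone_on_standard": panel_decision(standard.read(clone), enrolled),
        "seos_on_hardened": panel_decision(hardened.read(legit), enrolled),
        "clone_on_hardened": panel_decision(hardened.read(clone), enrolled),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18s} -> {outcome}")
```

The only line that defeats the clone is `prox_enabled=False`; no change to the Seos credential, the panel or the enrollment data helps, because the panel cannot tell the two reads apart. That is why the article argues the fix has to happen at the reader (and at the vendor that ships its defaults), not at the credential.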

HID Primary Responsibility, Not Integrators

Since this is HID's product, this is HID's primary responsibility. Plus, given HID's unique scale, integrators look to HID for guidance on the correct secure methods to employ. A decade ago, or even five years ago, HID could have claimed a transition, but after all these years HID shows no intention of placing security over profits.

On the positive side for HID, doing this would demonstrate that it is a long-term market leader that places security over profits.
