IPVM Drives HID Security Improvements

Published Jan 22, 2024 16:06 PM

Following a series of IPVM reports explaining HID's long-standing unfixed vulnerabilities (see 1, 2, 3), HID has pushed a "major, mandatory update."


We appreciate HID's response to the publicity IPVM generated, which shows the power of public reporting and advocacy, but HID still needs to do more.

Many initially criticized IPVM's reporting as being "old news" or the fault of buyers, not sellers. We disagreed and are glad to see HID take some action, at least.

HID has left these critical vulnerabilities unfixed and continued to sell the affected products (including its own proprietary, cracked original iClass) for over a decade, all while, incredibly, marketing that "security comes first." That is a problem for the industry and a danger to the public.

IPVM began a major expansion into access control last year, and we are pursuing the same model with which we have improved the video surveillance, fever screening, and weapons screening markets, among others.

By combining our technical expertise and willingness to explain and advocate for change publicly, IPVM makes markets better.

HID has shown this through its years of inaction, followed now by what it describes as "urgent action."


Many large, powerful companies tend to ignore fixing problems, preferring to downplay them, minimize publicity, and have their marketing allies and organizations cover for them.

We respect that HID is taking some action. Warning the public more clearly is good. Disabling some features that put users at risk is good.

However, HID still needs to do more. The underlying problem is that, despite Prox and its own proprietary iClass both being cracked for more than a decade, HID still sells and profits greatly from both of them.

This "major, mandatory upgrade" will help alert and motivate some HID users to take corrective action, but HID should do the right thing and set an end-of-life and end-of-sale date for both Prox and legacy iClass, to discontinue cracked, insecure products.
