In this report, we examine the situation and what end-users / partners should do, including comments from HID / Mercury based on a review of its partner presentation with LenelS2, comments from the company, and our own research and analysis.
IPVM is closely following this situation and developments, including any updates on the upcoming transition to the "Black" boards. Also, see:
***small ****** ** **** ******, *** ******** ** ** ******** ***** ** ** * ******* ** *.** ******** ** *** ***** ** **** **** ******* *** ** **** ** **** ******* *** *********** ****. This will need ** ** ******** ** *** ****** *.* ********. So just something to note as you are looking at your deployment today as you move forward, and where those *********** **** ** **. [Emphasis Added]
HID / ******* ********** ******** **'* *********
**** ******** **** *** / ******* after *** ********** ** ******* *** accuracy ** *** **'* **********, ** any ******* ****** *.**.* (**** ****) is ********** ** *********** / **.* *** ******* **** 2022. *** ********** ***** ** ******* the **'* ********** ** "* ******" were **********, ******:
***** ****** ***** **** ***** ***a ****** of LP customers currently on firmware version 1.3x [Emphaisis added]
To summarize as long as the board is on 2.0 or greater firmware, there is no known vulnerability and the reason most red boards are vulnerable today is due to not being upgraded.
From a vulnerability standpoint, there does not appear to be an active reason to upgrade to black boards at this time based on HID's statements. Even if the end user has vulnerable red boards, this can be corrected with a less expensive firmware update rather than the need to purchase and install new hardware.
From a vulnerability standpoint, there does not appear to be an active reason to upgrade to black boards at this time based on HID's statements.
Based on their statements, that is correct - but as I explain / examined here Tech Details of HID's Mercury Upcoming "Black" Boards, there are several improvements made to the "black" boards / MP Series boards for security, e.g., TLS 1.3 support, Secure Boot, etc, while not novel / new, it is a step forward.
Even if the end user has vulnerable red boards, this can be corrected with a less expensive firmware update rather than the need to purchase and install new hardware.
Yes, that is also correct, but as I note in the report, HID / Mercury did not clarify what will happen in practice if or when a problem occurs on a board that is not on the 2.x FW, and in most cases, firmware updates are not occurring (as this report / Mercury and HID confirm).
Unrelated to your specific comments, but important: One thing to watch closely is HID/Mercury and its partners ensuring / allocating proper stock. This in itself could become an issue as the "black" boards' production ramps up and the red board's production slows down / stops.
In any event, I will be watching this closely and providing updates as I find / hear more. As I noted in the report, feel free to email me directly to discuss any issues / problems confidentially at Jermaine@ipvm.com
Thanks for the replies and I agree with all. The reason I wanted to summarize is because I am seeing/hearing a lot of confusion with end users about what is actually needed to be done in light of this because we have customers with hundreds or possibly thousands of red boards who are thinking they need to now replace them immediately.
The reality is that they need to ensure they are on the latest firmware supported by their software vendor, at least 2.0 or greater. Beyond that there is no immediate need to replace boards.
I also share the concern stock allocations as production shifts to black boards. We've already had recent examples of where public perception drives purchasing in ways to make the projects false. I personally am advising anyone with projects from June to end of year to get their orders in ASAP to ensure they are able to be fulfilled and not end up with delays on their projects. There might be some added cost to do so but it will be better than not being able to occupy a space or have to use keys for initial opening.
The reason I wanted to summarize is because I am seeing/hearing a lot of confusion with end users about what is actually needed to be done in light of this because we have customers with hundreds or possibly thousands of red boards who are thinking they need to now replace them immediately.
UI#1, Thanks for the additional comments.
There is indeed much confusion with all involved elements of this move, the upcoming black boards, etc. But given how this has been communicated (or the lack of) to date, it is quite challenging - especially publically.
I will continue to closely follow / update my reporting / on this series as I find / learn more. My main objective is to provide an accurate, detailed analysis and understanding of the situation as it rolls out - which includes communicating with Mercury / HID, its partners, and any others who are open to speaking and can provide additional insights.
Prior to me sourcing this presentation, these details had not been communicated publically (it was a presentation where you were granted access. I was actually denied - but sourced a recording).
Again, for anyone interested, feel free to email me at Jermaine@ipvm.com
