Vulnerability Directory For Access Control Cards

Author: Brian Rhodes, Published on Aug 14, 2017

It is not always obvious which access credentials are insecure, because most cards look and feel the same. Even the most insecure 125 kHz types are still widely supported, and moving to 13.56 MHz smartcards is no guarantee that the chosen format has not already been cracked.

In this report, we take a deeper look at:

  • Why To Stop Using 125 kHz Formats
  • Which 13.56 MHz Formats are Uncracked (So Far)
  • The Cracked 13.56 Types Still Widely Used
  • Why No Formats Are Uncrackable
  • Thousands Are Working On Hacks
  • High Technology Skills Needed
  • Steps To Defend Against Hacks

We cover these points inside.

125 kHz Riskiest of All

While the vulnerability of specific 13.56 MHz formats is mixed, older 125 kHz credentials are highly vulnerable to practical cloning with cheap, widely available hardware. We covered the risk in our Hack Your Access Control With This $30 HID 125kHz Card Copier test, and then how to address the vulnerability with the Hackable 125kHz Access Control Migration Guide.
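To see why an unencrypted 125 kHz credential is so easy to copy, the following added example (not code from the IPVM report or from any card vendor) encodes and decodes a 26-bit Wiegand-style frame and then models what a reader does with it. The layout assumed is the standard 26-bit layout: one even parity bit, an 8-bit facility code, a 16-bit card number and one odd parity bit. The facility code, card number and enrolled list are constructed values. The point it makes is that the card's entire "secret" is a static bit string: the only check a reader can perform is parity, so a frame captured once and re-emitted by a copier is indistinguishable from the original card.

```python
"""Added example: 26-bit Wiegand-style prox credential, encode/decode/accept.

Assumed frame layout (standard 26-bit format, constructed example):
  bit 0       even parity over the 12 data bits that follow it
  bits 1..8   8-bit facility code
  bits 9..24  16-bit card number
  bit 25      odd parity over the 12 data bits that precede it
There is no key, nonce or challenge anywhere in the frame.
"""


def _parity(bits: str) -> int:
    """Return 1 if the bit string has an odd number of ones, else 0."""
    return bits.count("1") % 2


def encode_h10301(facility_code: int, card_number: int) -> str:
    """Build the 26-bit frame a prox card transmits for this credential."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = f"{facility_code:08b}{card_number:016b}"
    p_even = _parity(data[:12])          # leading bit: EVEN parity
    p_odd = 1 - _parity(data[12:])       # trailing bit: ODD parity
    return f"{p_even}{data}{p_odd}"


def decode_h10301(frame: str) -> tuple[int, int]:
    """Validate parity and return (facility_code, card_number)."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected a 26-character bit string")
    data = frame[1:25]
    if int(frame[0]) != _parity(data[:12]):
        raise ValueError("even parity check failed")
    if int(frame[25]) != 1 - _parity(data[12:]):
        raise ValueError("odd parity check failed")
    return int(data[:8], 2), int(data[8:], 2)


def reader_accepts(frame: str, enrolled: set[tuple[int, int]]) -> bool:
    """Model of a PACS decision for a 125 kHz read: parity, then lookup.

    Nothing here can tell a genuine card from a copy, because the card
    never proves possession of a key; it only replays fixed bits.
    """
    try:
        credential = decode_h10301(frame)
    except ValueError:
        return False
    return credential in enrolled


if __name__ == "__main__":
    # Constructed credential: facility code 123, card number 45678.
    enrolled = {(123, 45678)}
    genuine = encode_h10301(123, 45678)

    # An attacker who reads the frame once (e.g. with a cheap copier)
    # can decode it and write the identical bits to a blank card.
    cloned = encode_h10301(*decode_h10301(genuine))

    print("frame on the wire :", genuine)
    print("genuine accepted  :", reader_accepts(genuine, enrolled))
    print("clone accepted    :", reader_accepts(cloned, enrolled))

    # A single corrupted bit trips parity, which is the only defence
    # the format offers, and it is an integrity check, not authentication.
    damaged = genuine[:5] + ("0" if genuine[5] == "1" else "1") + genuine[6:]
    print("damaged accepted  :", reader_accepts(damaged, enrolled))
```

Because the clone is bit-for-bit identical to the original, no setting on the reader or panel can reject it; the only remedies are the ones the report goes on to discuss, such as migrating off the format entirely.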

Common 125 kHz Formats Are Insecure

The list of vulnerable, unencrypted 125 kHz formats used in access control is substantial, easily reaching into millions of credentials still in use daily. The common formats include:

[The list of common 125 kHz formats, the remaining sections of the report listed above, and the 14 reader comments are available only to logged-in IPVM members and are not reproduced on this page.]
