HID’s iCLASS SE CP1000 Encoders, and the other products associated with this device, have long been considered the gold standard in secure access control. That changed this week when HID released a public service announcement (PSA) to its customers stating that the ubiquitous HID iCLASS SE CP1000 Encoder has been assigned a CVSS score of 7.2/10.0 by the National Vulnerability Database (NVD), which publishes CVSS scores for publicly known vulnerabilities in security hardware and software. The numerical (0-10) score represents the severity of an information security vulnerability, with 10 being the most severe. HID’s rating of 7.2 is classed as high on that scale.
HID Shares PSA With Customers
The PSA distributed by HID states in the vulnerability overview that: “Certain configurations available in the communication channel for encoders could expose sensitive data when reader configuration cards are programmed. This data could include credential and device administration keys.
In addition to the iCLASS SE CP1000 Encoder, some HID readers are capable of being configured to act as encoders. Some HID iCLASS SE readers may have been purchased with this configuration enabled.”
HID says that the following products may also be configured as an encoder and prone to compromise:
- HID iCLASS SE Readers
- HID iCLASS SE Reader Modules
- HID iCLASS SE Processors
- HID OMNIKEY 5427CK Readers
- HID OMNIKEY 5127CK Readers
- HID OMNIKEY 5023 Readers
- HID OMNIKEY 5027 Readers
The iCLASS SE Encoder has been an industry staple, providing a solid solution for encoding and managing credentials and for configuring readers. Using the encoder, end users can add a layer of security to card credentials that is independent of the underlying card technology.
When customers deploy the Secure Identity Objects (SIOs) to card credentials, it can enhance overall system security by enabling cards and readers to establish that they are part of a trusted access control population. Both reader and device establish trust through mutual recognition of the SIO before permitting access. The system will deny access to any device that does not contain the SIO, such as cloned or other unauthorized credentials.
An Industry Staple
The iCLASS SE CP1000 Encoders, along with HID’s 13.56 MHz HID SE and Seos credentials, have been used in critical infrastructure where high security is required. However, the 13.56 MHz HID SE and Seos credentials have recently been shown to be just as vulnerable as the previously exposed 125 kHz credentials in downgrade attacks against several HID readers.
An industry insider who preferred to remain anonymous offered this assessment:
“I would imagine that this vulnerability has been common knowledge among some customers and certainly by HID. My guess is that two of three very big customers were affected by this vulnerability, and they (HID) had no choice but to release this information to the remaining customers.”
An HID spokesperson countered that it was informed of the issues through the company’s Responsible Disclosure Form hosted on the HID Security Center.
“Once the researcher reported these issues, we initiated an investigation to assess the validity and implications for our products and customers. Our goal has always been to protect the security of our customers through a responsible disclosure process, which includes the availability of fully tested and verified remediation actions,” says the spokesperson.
HID also states in its distributed PSA that: “iCLASS SE CP1000 Encoders and other products listed above that have been configured as encoders, can be used to read data from reader configuration cards and credentials. Reader configuration cards contain credential and device administration keys. The credential keys could be used to create credentials for a system associated with those keys when combined with information from a valid credential for that same system. The device administration keys could be used to maliciously modify the configurations of readers associated with those keys.
A compromised encoder or reader could be used to read PACS data from a credential.”
Vulnerability Details
We asked HID what the vulnerability means for the iCLASS SR/iCLASS SE/SEOS credential, whose SIO (Secure Identity Object) stores the access control information, also known as the PACS payload, given that the cloning issues are not new, and whether there is any danger of card-only attack vectors. HID’s spokesperson was direct.
“The SIO, or PACS payload, has not been compromised, meaning that the credentials mentioned are not broken. Should a bad actor obtain credential keys and possess extensive domain-specific knowledge and custom-made tools, they could potentially create a new card with the same PACS info. Without these keys, this knowledge, and these tools, these cards cannot be duplicated, meaning there are no known card-only attack vectors.”
HID also addressed the question of whether the technique at issue amounts to extracting the SIO with one of the methods outlined by several research groups and writing that data onto a Picopass or a T557. If so, we asked, isn’t that downgrading from a secure credential to a less secure legacy format?
“In sum, yes, the scenario you described could be considered as downgrading from a secure credential to a lesser secure legacy format. The issue in question was disclosed to us by a third-party researcher through our vulnerability disclosure program,” says the HID spokesperson.
What Are the Remedies?
HID acknowledged that there is currently no patch available to resolve the vulnerability, and that even once a patch is available, malicious actors could already possess their own compromised encoders or readers. HID warns that such devices could be used to extract data from customers’ reader configuration cards or credentials, and advises users to take the following steps to mitigate these threats.
- Protect your reader configuration cards -- A malicious encoder or reader must be physically close to the reader configuration cards to communicate with them and extract information. Elite Key and Custom Key customers who have kept their configuration cards secure should continue to be vigilant and restrict access to those cards.
Customers using the HID standard key and other customers who are concerned their keys may be compromised should consider steps to update the readers and credentials with new keys. To assist in this effort, HID will be introducing a free upgrade to the Elite Key program. Contact your HID representative for more information.
- Protect your credentials and disable legacy technologies
Reading the PACS data from a credential is not enough to clone the credential for modern technologies such as Seos and DESFire, because these technologies use a credential key for authentication. However, if a system’s readers still support legacy technologies (e.g., HID Prox, Mifare Classic), it may be possible to write the credential information into a legacy-technology credential that those readers would accept. Users are encouraged to disable legacy credential technologies in their readers.
Further, physical credentials should always be kept safe by their users, and site managers should remind their users to be vigilant with their credentials and report missing or stolen cards.
- Harden your iCLASS SE Readers from configuration changes
iCLASS SE Readers using firmware version 8.6.0.4 or higher can use the HID Reader Manager application to prevent the readers from accepting configuration changes from configuration cards. After this is complete, users may then securely destroy their reader configuration cards.
If you need assistance, or if the reader firmware has not been updated to 8.6.0.4 or higher, contact HID Technical Support.
- Harden your HID OMNIKEY Readers, HID iCLASS SE Reader Modules and HID iCLASS SE Processors against configuration changes
Contact HID to receive a “Shield Card” that will prevent further configuration changes using reader configuration cards. After this is complete, users may then securely destroy their reader configuration cards.
The anonymous source also added: “This puts all parties in a tough position. There is no patch to fix this problem. Users would have to go reader by reader and reprogram them to eliminate this vulnerability. That is a very laborious proposition and almost an impossible task.”
Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazines Security Technology Executive, Security Business and Locksmith Ledger International and the top-rated website SecurityInfoWatch.com. Steve can be reached at [email protected]