In open letter to its customers, RFID vendor HID Global stands by its products, offers protective measures

RFID vendor HID Global Corp., which has been embroiled in controversy over threats of a patent lawsuit against IOActive for an RFID cloning hack, has issued an open letter to its customers on its Website that acknowledges that cloning of some RFID-based cards is indeed possible, but maintains that its Prox-based RFID products are secure. (See HID, IOActive Butt Heads Again and Black Hat Cancels RFID Demo.)

"While we acknowledge that it may be possible, under certain conditions, to clone some proximity cards, we believe access control systems that use Prox are secure when they are combined with proper procedures and policies, and where necessary, additional layers of security such as surveillance cameras, keypad readers and/or fingerprint readers, to name a few," says HID Global president and CEO Denis R. Hébert in the letter.

HID and IOActive came to virtual blows earlier this month over a planned presentation by an IOActive researcher at Black Hat DC. IOActive yanked the HID-related presentation data from its briefing due to concerns of a patent lawsuit from HID. HID maintained that it did not pressure IOActive to stop the presentation, but that it had asked IOActive not to reveal the source code and schematics, and to provide solutions to the flaws the presentation was to highlight.

Neither side budged after meeting face-to-face at a Black Hat press conference.

Meanwhile, Hébert says in the letter to HID customers that the human element is "critical to security as well," and recommends several steps to secure access cards from being hacked, to quote:

  • Require immediate reporting of lost or stolen cards (so they can be deleted from the system)

  • Prohibit sharing or lending of cards

  • Encourage employees to shield their cards from public view when not at work (this makes sense from a privacy perspective as well if a name and picture are printed on the card)

  • Encourage reporting of suspicious activity at the facility

  • Discourage "tailgating" where one employee uses a card to gain access and others follow without using their own cards.

HID's Hébert also says RFID shielding products can provide another level of security and privacy for HID cards "when they are not being used."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
