RFID vendor HID Global Corp., which has been embroiled in controversy over threats of a patent lawsuit against IOActive for an RFID cloning hack, has issued an open letter to its customers on its Website that acknowledges cloning of some RFID-based cards is indeed possible, but maintains that its Prox-based RFID products are secure. (See HID, IOActive Butt Heads Again and Black Hat Cancels RFID Demo.)
"While we acknowledge that it may be possible, under certain conditions, to clone some proximity cards, we believe access control systems that use Prox are secure when they are combined with proper procedures and policies, and where necessary, additional layers of security such as surveillance cameras, keypad readers and/or fingerprint readers, to name a few," says HID Global president and CEO Denis R. Hébert in the letter.
HID and IOActive came to virtual blows earlier this month over a planned presentation by an IOActive researcher at Black Hat DC. IOActive yanked the HID-related presentation data from its briefing over concerns about a patent lawsuit from HID. HID maintained that it did not pressure IOActive to stop the presentation, but that it had asked IOActive not to reveal the source code and schematics, and to provide solutions to the flaws the presentation was to highlight.
Neither side budged after meeting face-to-face at a Black Hat press conference.
Meanwhile, Hébert says in the letter to HID customers that the human element is "critical to security as well," and recommends several steps to secure access cards from being hacked, to quote:
- Require immediate reporting of lost or stolen cards (so they can be deleted from the system)
- Prohibit sharing or lending of cards
- Encourage employees to shield their cards from public view when not at work (this makes sense from a privacy perspective as well if a name and picture are printed on the card)
- Encourage reporting of suspicious activity at the facility
- Discourage "tailgating" where one employee uses a card to gain access and others follow without using their own cards.
HID's Hébert also says RFID shielding products can provide another level of security and privacy for HID cards "when they are not being used."
Kelly Jackson Higgins, Senior Editor, Dark Reading