This was part of yesterday afternoon’s links-which-matter…
HID, makers of fine contactless door security systems… have failed to study history.
Black Hat Federal is going on this week, and there was to be a presentation on security issues with HID contactless readers… essentially that you can MacGyver them with $20 in eBay’d parts.
HID had an attack of legal-itis.
Yet again, Jeff Moss had to haul out the razors and remove pages from the books and recall the CDs.
“I’m not sure if it was part of HID’s strategy to drop a bomb at the last minute, but it really screwed up our conference strategy,” he said.
I know that I derailed several hundred thousand dollars in spending on Cisco gear based on their behaviour in 2005. I guess it’s time to treat HID with the same disdain that they treat their customers.
In the meantime, for all of you out there using HID contactless equipment, please review your access logs and consider turning on anti-pass-back and velocity monitoring. If you run an infrastructure-critical site, seriously consider the need to add a second factor to all outdoor readers (as I can now stand behind a tree and clone your cards)… and find a different manufacturer for the replacement readers.
And I might even be standing in a creek behind a tree when I do it.
🙂
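For the access-log review suggested above, here is an added example (not part of the original post and not HID's software): a Python check that flags anti-pass-back violations and velocity anomalies in a badge log. The log format, card and reader names, and the travel-time table are assumptions, as is reading "velocity monitoring" as flagging a card seen at two readers faster than a person could walk between them.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp,card,reader,direction
SAMPLE_LOG = """\
2024-01-15T08:01:10,1001,LOBBY,IN
2024-01-15T08:03:00,1002,LOBBY,IN
2024-01-15T09:00:00,1003,LOBBY,IN
2024-01-15T09:05:00,1003,DOCK,OUT
2024-01-15T12:00:05,1001,LOBBY,OUT
2024-01-15T12:40:00,1001,LOBBY,IN
2024-01-15T13:02:00,1001,DOCK,IN
2024-01-15T17:30:00,1002,LOBBY,OUT
"""

# Assumed minimum walking time between reader pairs; measure this per site.
MIN_TRAVEL = {frozenset(("LOBBY", "DOCK")): timedelta(minutes=30)}

def parse(log):
    """Yield (timestamp, card, reader, direction) tuples from the log text."""
    for line in log.strip().splitlines():
        ts, card, reader, direction = line.split(",")
        yield datetime.fromisoformat(ts), card, reader, direction

def review(log):
    """Return a list of (kind, card, timestamp, detail) findings."""
    findings, last = [], {}  # last: card -> (time, reader, direction)
    for ts, card, reader, direction in sorted(parse(log)):
        if card in last:
            p_ts, p_reader, p_dir = last[card]
            # Anti-pass-back: two INs (or two OUTs) in a row means the card
            # was handed back, someone tailgated, or a second copy exists.
            if direction == p_dir:
                findings.append(("passback", card, ts,
                                 f"{direction} twice in a row"))
            # Velocity: same card at two readers faster than a person can walk.
            need = MIN_TRAVEL.get(frozenset((p_reader, reader)))
            if need and ts - p_ts < need:
                findings.append(("velocity", card, ts,
                                 f"{p_reader}->{reader} in {ts - p_ts}"))
        last[card] = (ts, reader, direction)
    return findings

if __name__ == "__main__":
    for kind, card, ts, detail in review(SAMPLE_LOG):
        print(f"{ts.isoformat()} card={card} {kind}: {detail}")
```

A finding is a lead for a person to chase, not proof of a clone: a held door or a missed exit read produces the same anti-pass-back pattern.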