"While we acknowledge that it may be possible, under certain conditions, to clone some proximity cards, we believe access control systems that use Prox are secure when they are combined with proper procedures and policies, and where necessary, additional layers of security such as surveillance cameras, keypad readers and/or fingerprint readers, to name a few," says HID Global president and CEO Denis R. Hébert in the letter.
HID and IOActive came to virtual blows earlier this month over a planned presentation by an IOActive researcher at Black Hat DC. IOActive yanked the HID-related presentation data from its briefing due to concerns of a patent lawsuit from HID. HID maintained that it did not pressure IOActive to stop the presentation, but that it had asked IOActive not to reveal the source code and schematics, and to provide solutions to the flaws the presentation was to highlight.
Neither side budged after meeting face-to-face at a Black Hat press conference.
Meanwhile, Hébert says in the letter to HID customers that the human element is "critical to security as well," and recommends several steps to protect access cards from being hacked. Quoting the letter:
- Require immediate reporting of lost or stolen cards (so they can be deleted from the system)
- Prohibit sharing or lending of cards
- Encourage employees to shield their cards from public view when not at work (this makes sense from a privacy perspective as well if a name and picture are printed on the card)
- Encourage reporting of suspicious activity at the facility
- Discourage "tailgating" where one employee uses a card to gain access and others follow without using their own cards.
— Kelly Jackson Higgins, Senior Editor, Dark Reading