HID Global Encoders

Monitor5.9ICS-CERT ICSA-24-037-01Feb 6, 2024

Attack VectorLocal

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

HID Global iCLASS SE and OMNIKEY reader products contain a credential extraction vulnerability that allows an attacker with physical access to reader configuration cards to extract sensitive data including credential material and device administration keys. These extracted keys could be used to create unauthorized credentials or malicious configuration cards that the readers will accept. The vulnerability exists because reader configuration cards can be read without authentication and do not adequately protect stored cryptographic material.

What this means

What could happen

An attacker with physical access to a reader configuration card can extract credentials and device administration keys, potentially allowing them to create unauthorized access credentials or misconfigure the reader systems.

Who's at risk

This affects organizations using HID access control systems, particularly facilities with physical access badge and reader systems. Impacted products include iCLASS SE and OMNIKEY reader families used in badge access control systems at government buildings, utilities, airports, data centers, and corporate campuses. Any facility using HID readers for physical access control should assess their exposure.

How it could be exploited

An attacker with physical access to a reader configuration card can read sensitive data from it, including credential material and administration keys. These keys could then be used to create malicious configuration cards that the readers will accept, allowing unauthorized access or reader reconfiguration.

Prerequisites

Physical access to reader configuration cards
Ability to interface with the card using standard HID card readers or reading equipment

No authentication required to read configuration cardsNo patch available for most products (end-of-life readers)Physical access required but cards are portableAffects credential material and administration keys

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (8)

1 with fix7 EOL

ProductAffected VersionsFix Status

iCLASS SE CP1000 Encoder: vers:all/*All versionsNo fix (EOL)

iCLASS SE Readers: vers:all/*All versionsfirmware version 8.6.04 or higher

iCLASS SE Processors: vers:all/*All versionsNo fix (EOL)

OMNIKEY 5427CK Readers: vers:all/*All versionsNo fix (EOL)

OMNIKEY 5127CK Readers: vers:all/*All versionsNo fix (EOL)

OMNIKEY 5023 Readers: vers:all/*All versionsNo fix (EOL)

OMNIKEY 5027 Readers: vers:all/*All versionsNo fix (EOL)

iCLASS SE Reader Modules: vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDUse HID Reader Manager to disable configuration changes from configuration cards on supported readers (firmware 8.6.04+)

HARDENINGSecurely destroy all reader configuration cards after disabling configuration changes

HARDENINGFor OMNIKEY and iCLASS SE Reader Modules/Processors without fixes, restrict physical access to reader configuration cards

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate iCLASS SE Readers to firmware version 8.6.04 or higher

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: iCLASS SE CP1000 Encoder: vers:all/*, iCLASS SE Processors: vers:all/*, OMNIKEY 5427CK Readers: vers:all/*, OMNIKEY 5127CK Readers: vers:all/*, OMNIKEY 5023 Readers: vers:all/*, OMNIKEY 5027 Readers: vers:all/*, iCLASS SE Reader Modules: vers:all/*. Apply the following compensating controls:

HARDENINGStore reader configuration cards in a physically secure location with access controls

CVEs (1)

CVE-2024-22388

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0234a434-c4ce-4f94-b8be-a7e40f777343