HID Global Encoders
MonitorCVSS 5.9ICS-CERT ICSA-24-037-01Feb 6, 2024
Attack path
Attack VectorLocal
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary
HID Global iCLASS SE and OMNIKEY reader products contain a credential extraction vulnerability that allows an attacker with physical access to reader configuration cards to extract sensitive data including credential material and device administration keys. These extracted keys could be used to create unauthorized credentials or malicious configuration cards that the readers will accept. The vulnerability exists because reader configuration cards can be read without authentication and do not adequately protect stored cryptographic material.
What this means
What could happen
An attacker with physical access to a reader configuration card can extract credentials and device administration keys, potentially allowing them to create unauthorized access credentials or misconfigure the reader systems.
Who's at risk
This affects organizations using HID access control systems, particularly facilities with physical access badge and reader systems. Impacted products include iCLASS SE and OMNIKEY reader families used in badge access control systems at government buildings, utilities, airports, data centers, and corporate campuses. Any facility using HID readers for physical access control should assess their exposure.
How it could be exploited
An attacker with physical access to a reader configuration card can read sensitive data from it, including credential material and administration keys. These keys could then be used to create malicious configuration cards that the readers will accept, allowing unauthorized access or reader reconfiguration.
Prerequisites
- Physical access to reader configuration cards
- Ability to interface with the card using standard HID card readers or reading equipment
No authentication required to read configuration cardsNo patch available for most products (end-of-life readers)Physical access required but cards are portableAffects credential material and administration keys
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (8)
1 with fix7 EOL
ProductAffected VersionsFix Status
iCLASS SE CP1000 Encoder: vers:all/*All versionsNo fix (EOL)
iCLASS SE Readers: vers:all/*All versionsfirmware version 8.6.04 or higher
iCLASS SE Processors: vers:all/*All versionsNo fix (EOL)
OMNIKEY 5427CK Readers: vers:all/*All versionsNo fix (EOL)
OMNIKEY 5127CK Readers: vers:all/*All versionsNo fix (EOL)
OMNIKEY 5023 Readers: vers:all/*All versionsNo fix (EOL)
OMNIKEY 5027 Readers: vers:all/*All versionsNo fix (EOL)
iCLASS SE Reader Modules: vers:all/*All versionsNo fix (EOL)
Remediation & Mitigation
0/5
Do now
0/3WORKAROUNDUse HID Reader Manager to disable configuration changes from configuration cards on supported readers (firmware 8.6.04+)
HARDENINGSecurely destroy all reader configuration cards after disabling configuration changes
HARDENINGFor OMNIKEY and iCLASS SE Reader Modules/Processors without fixes, restrict physical access to reader configuration cards
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpdate iCLASS SE Readers to firmware version 8.6.04 or higher
Mitigations - no patch available
0/1The following products have reached End of Life with no planned fix: iCLASS SE CP1000 Encoder: vers:all/*, iCLASS SE Processors: vers:all/*, OMNIKEY 5427CK Readers: vers:all/*, OMNIKEY 5127CK Readers: vers:all/*, OMNIKEY 5023 Readers: vers:all/*, OMNIKEY 5027 Readers: vers:all/*, iCLASS SE Reader Modules: vers:all/*. Apply the following compensating controls:
HARDENINGStore reader configuration cards in a physically secure location with access controls
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/0234a434-c4ce-4f94-b8be-a7e40f777343Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.