KEN KIRSCHENBAUM, ESQ
ALARM - SECURITY INDUSTRY LEGAL EMAIL NEWSLETTER / THE ALARM EXCHANGE

****************************** 

Comments on Keyfobs easily compromised / ISC / send us email addresses

September 17, 2024
**************************
Keyfobs easily compromised from article on September 12, 2024
**************************
Ken
          The ease of copying 125 kHz prox cards has been well known for over a decade now, and the general advice for integrators has been to not offer them for some time. That being said, because they are a little cheaper than more secure credentials in the 13.56 MHz category, they are still offered and used in new installs. Some readers may have also been aware of the recent DEFCON talk on extracting the encryption key that HID uses to secure some of their higher-end credentials, which technically could allow them to be cloned. There is an interesting legal angle to this in that the encryption keys can technically be copyrighted by their respective organizations, which means even if they are extracted and leaked, building commercial offerings around card cloning has more potential ramifications than the prox card cloning. This, coupled with the fact that the technical complexity of cloning these cards is more involved, makes it unlikely that card cloning would present a significant risk to users. Also, HID and other organizations offer the ability for customers to use custom encryption keys, making universal card copying approaches essentially nonexistent. For anyone interested in the technical side, I have a post on my blog here: https://www.pelicanzero.com/does-the-hid-seos-hack-matter/ (note you need a membership to read it, but a free account works).
Brian Karas
*********************
Ken,
          Years ago, before the use of cards and keyfobs, people were issued brass keys to allow them access to restricted spaces.  Back then, a brass key could be duplicated a thousand times.  I see no difference here.  There may be very legitimate reasons why a person may want to have a duplicate copy of a card/fob (i.e. two different sets of car keys, etc.).  Ideally, a user of a card/fob should request an additional card/fob from the issuer so they are aware of multiple copies.  However, just like a brass key, if a fob is lost or stolen, disabling that fob will also disable any copies; disabling an enrolled fob is much easier and less costly than re-keying a lock(s) and issuing new keys.  If super-tight security is an issue, biometric authentication should be included which would prevent unauthorized use of copies.  As long as a proposed system is not represented as unable to be compromised, I don’t see an issue here.
Andy Wilson
Fireworks, LLC
*************************
Response
*************************
          Thank you both for contributing and sharing your knowledge and expertise.
*************************

Help this forum grow - and thanks to those who have already responded
********************
          Thanks to those who have sent in lists.  How about you guys at the central stations, manufacturers, service providers and vendors?  If you are on The Alarm Exchange you should welcome the exposure this forum provides.  Send in your lists.  Thanks.
          This forum is, I believe, the largest distribution in the security and fire alarm, low voltage and electronic integration industries, and certainly the most read on a daily basis. 
          First, let me assure you that the K&K email list is used exclusively for distribution of the articles, which is distributed by two separate bulk mailing services, as many of you know because you get both emails daily.  Emails are sent every day to the alarm industry; there is no charge for the articles.  The classified section, The Alarm Exchange, which is also free, is updated daily as needed, and I believe it’s the largest and most active classifieds in the industry, visited by the most in the industry. K&K does not sell or share the email list with anyone, for any reason.  We retain only emails, no names or other information. It’s free; you can subscribe all the addresses you want and you can always unsubscribe, though you won’t be able to re-subscribe that address.  So your email is secure.
          Now here’s the ask.
          I’d like to make the forum even more available by increasing the distribution, so here’s the “ask” and sweetener added in:
          Send me emails of those in this industry, one email on each line, and we will add them to the list.  Whether it’s your association list, for vendors to the industry your alarm dealer list, employee list, central station list, send it to me pasted on your email or as WORD or XL attachment.  [this is not a request for alarm customers lists - the forum isn't for alarm customers]
          K&K will give you $100 credit against K&K contracts or Concierge Program for every 100 emails.  You can use the credit yourself or, if an association, raffle it off or use it for promotional purposes.  We will honor the credit to your “assignee”.  Thanks in advance for your efforts and assistance.
***************************

ISC East - private meetings - schedule now
*************************
       I'm considering going to ISC EAST if there is sufficient interest in private meetings during the day.  If you're interested in a private [yes, it's free] meeting please contact Stacy Spector, Esq. at 516 747 6700 x 304 or SSpector@Kirschenbaumesq.com.  Concierge Clients will have priority.  Thanks.
********************

K&K Holiday Party - Save the date:  December 12, 2024
********************
STANDARD FORMS  Alarm /  Security / Fire and related Agreements
 click here: www.alarmcontracts.com
***************************

CONCIERGE LAWYER SERVICE PROGRAM FOR THE ALARM INDUSTRY You can check out the program and sign up here: https://www.kirschenbaumesq.com/page/concierge or contact our Program Coordinator Stacy Spector, Esq at 516 747 6700 x 304.
***********************
ALARM ARTICLES:  You can always read our Articles on our website at www.kirschenbaumesq.com/page/alarm-articles  updated daily
********************
THE ALARM EXCHANGE - the alarm industry's leading classified and business exchange - updated daily
*************************
Wondering how much your alarm company is worth?  
Click here:  https://www.kirschenbaumesq.com/page/what-is-my-alarm-company-worth
******************************
Getting on our Email List / Email Articles archived: 
    Many of you are forwarding these emails to friends or asking that others be added to the list.  Sign up for our daily newsletter here: Sign Up.  You can read articles and order alarm contracts on our web site www.alarmcontracts.com
**************************

Ken Kirschenbaum, Esq.
Kirschenbaum & Kirschenbaum PC
Attorneys at Law
200 Garden City Plaza
Garden City, NY 11530
516 747 6700 x 301
ken@kirschenbaumesq.com
www.KirschenbaumEsq.com