All About HID
HID Global is one of the most prominent manufacturers of access control credentials and readers. Their technologies span both low frequency (125 kHz) and high frequency (13.56 MHz) systems, with varying levels of security. Here in the UK, HID alongside EM410X and MIFARE are among the most common PAC vendors used.
Introduction
HID Global (originally Hughes Identification Devices) produces a wide range of RFID and NFC credentials used in access control systems worldwide. HID offers both low-frequency and high-frequency solutions, each with distinct characteristics and security properties.
Types of HID Technologies
HID technologies can be broadly categorized by frequency and security level:
Low Frequency (125 kHz) Technologies
HID Prox
- ProxCard / ProxCard II — Original HID low-frequency technology operating at 125 kHz. Uses proprietary encoding schemes (H10301, H10302, etc.) with facility codes and card numbers. No cryptography - data is stored in plaintext, and readers generally only utilise card UIDs for authentication. Easily cloned and emulated.
- Indala — Originally developed by Indala Corporation (acquired by HID). Also operates at 125 kHz with proprietary formats. Similar security profile to Prox - no encryption, easily clonable.
- AWID — Another 125 kHz format sometimes used in HID-compatible systems. Again uses plaintext storage, and UID dependent authentication. Easily clonable.
High Frequency (13.56 MHz) Technologies
HID iCLASS
- iCLASS — High-frequency technology using 13.56 MHz. Uses DES encryption for authentication (though often with weak key management). Supports multiple application areas on a single card. Security depends heavily on implementation - can be vulnerable if default keys are used.
- iCLASS SE (Secure Element) — Enhanced version with improved key management and secure element technology. More secure than standard iCLASS, but still potentially exploitable depending on configuration - for example legacy backwards compatibility with weaker protocols.
- iCLASS Elite — Advanced iCLASS variant with stronger cryptographic features. Designed for higher security applications.
HID Seos
- Seos — Modern high-frequency credential technology using AES-128 encryption. Supports secure messaging and key diversification. Designed to be highly secure and resistant to cloning attacks. Can be used in cards, fobs, and mobile devices.
Identification Through the Reader
HID seems to love the look of their own logo, so it's often very easy to identify a reader as HID due to stickers or branding. Specific readers either have markings or telltale unit design.
iCLASS SE
In this particular case the sticker gives it away, but SE readers tend to have a distinct LED strip on the top.
Seos
Similar to the iCLASS SE, but with a different profile and dual tone design. Still features the LED strip on the top.
ProxCard
Usually have those aesthetic ridges in the reader face, with the HID branding engraved.
Indala
Very distinctive rdiged design with the Indala logo and four red dot array as an LED indicator.
AWID
A minimalist design with a single LED indicator on the top left, with the AWID logo engraved.
A Word on Frequency Detection
As previously mentioned in other articles, a really useful tool for your arsenal is an RFID field detector. They have an LF and RF coil hooked up to separate LED indicators, which shows you what frequency the reader you present it to operates on.
- 125 kHz (Low Frequency): Indicates Prox, Indala, or other LF technologies.
- 13.56 MHz (High Frequency): Indicates iCLASS, Seos, or other HF technologies.
HID Technology Comparison
| Technology | Frequency | Clonable? | Emulatable? | Notes |
|---|---|---|---|---|
| ProxCard / ProxCard II | 125 kHz (LF) | Clonable | Emulatable | No encryption, easily cloned. |
| Indala | 125 kHz (LF) | Clonable | Emulatable | Similar to Prox, no encryption. |
| AWID | 125 kHz (LF) | Clonable | Emulatable | Plaintext format, clonable. |
| iCLASS | 13.56 MHz (HF) | Deployment-dependent | Partially Emulatable | Vulnerable if default keys used; secure if properly configured. Uses DES encryption. |
| iCLASS SE | 13.56 MHz (HF) | Deployment-dependent | Partially Emulatable | Improved key management, but still potentially exploitable. Uses enhanced DES encryption. |
| iCLASS Elite | 13.56 MHz (HF) | Not clonable | Partially Emulatable | Stronger cryptographic features, more secure. Uses DES or AES encryption. |
| Seos | 13.56 MHz (HF) | Not clonable | Not emulatable | Modern, secure credential with key diversification. Uses AES-128 encryption. |
Cloning HID Technologies
Low Frequency (Prox, Indala)
Low-frequency HID technologies are the easiest to clone due to their lack of encryption and full reliance on UID authentication. For this reason, it is no more complicated than cloning any other low frequency RFID tag. You can use a T5577 to emulate pretty much any low frequency RFID credential.
High Frequency (iCLASS)
iCLASS credentials are more challenging due to DES encryption. Cloning success depends on the specific implementation of the credential and reader, alongside whether default keys are in use.
Conclusion
HID technologies span a wide range of security levels, from easily clonable low-frequency Prox cards to highly secure Seos credentials. Low-frequency technologies (125 kHz) are generally insecure and easily cloned, while high-frequency technologies (13.56 MHz) vary significantly in security depending on the specific implementation and encryption used. When encountering HID credentials, identifying the frequency and specific technology is the first step in assessing exploitability. Always remember that proper authorization is required before testing any access control system.
← Back to Home