HID’s Statement about Security Flaws “Meltdown” & “Spectre”
Last week, cyber security researchers revealed two major security flaws that allegedly affect processing chips in a large number of devices. The world was taken by surprise, and virtually every tech company has had to look at the potential impact of these flaws on their products. Taking the security of HID products extremely seriously, we are in the process of doing a thorough investigation of these flaws, which are known as “Meltdown” and “Spectre.”
Given this complex situation that has shaken the world of computer security, we have analyzed all HID products for these two vulnerabilities in processors, and we present our initial findings here. While we design defense-to-attack into our product development practices and the vast majority of our products are not vulnerable to Meltdown or Spectre, the third-party operating systems that are beyond our control may be. Consequently, we urge customers to be sure to install the latest patches for the operating systems of their devices.
We would encourage all customers to review the following information carefully. HID’s Technical Support team is available if you have any questions or require further clarifications. For detailed technical conversations, you can also email [email protected]. If you want to communicate something in a confidential manner, we urge you to visit the security pages at www.hidglobal.com/security-center where you will find HID’s guidelines and responsible disclosure policy.
We have arranged the following information in generic “product groupings” and have addressed specific areas. If you cannot locate your product of interest, please do not hesitate to contact us.
All HID products, drivers, etc installed on Windows, Linux or MacOS
All products, drivers, interfaces, applications etc. that HID has authored rely on the underlying operating system principles of third-parties, and the associated processor hardware, and, therefore, MAY be vulnerable to Spectre and Meltdown, depending on the platform that you have installed these on. We urge you to contact the developer of the operating system to obtain and install the latest patches provided.
All HID products, drivers, etc installed on iOS or Android
All “apps” that HID has authored rely on the underlying operating system principles of a third-party, and processor hardware, and therefore MAY be vulnerable to Spectre and Meltdown, depending on the platform that you have installed these on. We urge you to visit your device manufacturer website for their input on next steps you should take.
All HID products delivered through Web Presence
All of our hosted infrastructure has industry-standard best practices applied, preventing malware of any kind from being applied and/or installed. For the Spectre or Meltdown vulnerabilities to be exploited, malware would have to be installed into our systems. Despite our defense in depth, we are actively working with our vendors to understand patching approaches to the underlying third-party computing platforms to providing protection from Spectre and Meltdown vulnerabilities
We utilize industry-standard security modules (HSM) and we are working with our vendors to understand their position. We will update customers in the event we have relevant information, but at this stage we are a “closed system” and the attack surface is small and heavily protected.
All HID products delivered as a Virtual Machine
HID products delivered as a virtual machine may be susceptible to Spectre and Meltdown vulnerabilities, because the virtual machine is running on a third-party virtualization platform. Therefore, it is the third-party platform that will require patching and updating. We urge you to contact the provider of your virtualization platform for further information and patches.
All HID Products delivered as an Appliance
All of our products delivered as appliances have industry-standard best practices applied in order to prevent malware of any kind being installed. Malware would have to be installed for the Spectre or Meltdown vulnerabilities to be exploited. Nevertheless, HID is actively working with our vendors to understand patching approaches to the underlying computing platforms and we will update this post in the event that have more information
Specific Point Product Discussions
HID Lumidigm Fingerprint Sensors
Our Lumidigm devices are not vulnerable to the Spectre or Meltdown attacks; however, the third-party operating system support in the connected host may be vulnerable depending upon your patch level. We urge customers to ensure that the latest operating system patches available are installed in these upstream computing platforms.
HID Fargo Card Printers
Our current shipping printers are not vulnerable to Spectre or Meltdown attacks.
Cards and Credentials (including ActivID tokens)
None of our physical card or credential technologies are susceptible to either of Spectre of Meltdown
Controllers
The Spectre and Meltdown issues do not affect our “VertX Evo”, “EDGE EVO”, and “EDGE EVO Solo” controllers.
Similarly, our Mercury controller product lines are not vulnerable to Spectre or Meltdown attacks
Credential Encoders
HID credential encoders themselves are not vulnerable to either Meltdown or Spectre attacks; however, the host systems may be and we urge customers to upgrade to the latest patch level available.
Embedded Modules
None of our embedded range of products are susceptible to Spectre or Meltdown; however, because these are connected devices, any upstream devices may be vulnerable. We urge customers who are using connected devices to check the patch level of the host device system and to make appropriate decisions on patching based on upstream third-party system processor platforms.
Readers – Physical Access
None of our physical access reader products are affected by the Spectre or Meltdown vulnerabilities. However, our reader products are connected upstream and we urge customers to check these upstream devices for vulnerability and to upgrade all third-party operating system patch levels to guard against any potential threats.
Readers – Logical Access
None of our logical access reader range of products are susceptible to Spectre or Meltdown. However, these are (typically) USB-connected devices and the host may be susceptible. We urge customers to check the patch level of the host device system and to make appropriate decisions on patching based on upstream, third-party system processor platforms.