Gallagher has released a security advisory following the public exposure of the Default Gallagher MIFARE DESFire and MIFARE Plus keys.
This act means cards using the default keys could be cloned or emulated, resulting in a site’s security becoming compromised. Customers who have followed Gallagher’s long-standing hardening guide, which recommends the use of site-specific keys, are not affected by this disclosure.
“Ensuring the continued security of our customers’ sites is our top priority,” said Mark Junge, Gallagher’s global general manager for security. “Following the discovery of this exposure, we immediately began communicating with our global team, our network of channel partners, and our customers regarding the mitigation options available to them – including our key migration feature released in Command Centre v8.30 earlier this year.”
“Communicating information about any security risks, as well as providing timely advice and recommendations is of vital importance to us. Our published hardening guide has for many years provided in-depth advice of defensive measures for customers to aid in mitigating possible risk,” Junge said.
The vulnerability only affects sites using a default MIFARE DESFire or MIFARE Plus key. It does not affect Gallagher MIFARE DESFire with a site-specific key, Gallagher Mobile Connect credentials, US Government FIPS201 PIV cards, GovPass, or MIFARE Plus with a site-specific key.
Concerned customers should contact their channel partner or local Gallagher representative for further support and advice.
#sen.news
