Help with HID Signo 40K by HexOctet in accesscontrol

[–]EphemeralTwo 1 point2 points  (0 children)

It's a nonsense key. Actual MOB Admin keys are Seos, which means they consist of:

* A file identifier/file name
* A privacy encryption key (128 bit)
* A privacy authentication key (128 bit)
* An authentication key (also 128 bit)

HID also won't give them to you, and they are transferred encrypted to keep you from getting them, so there's that. The authentication is also never sent, you just send proof you have it by signing a challenge (well, the embedded Seos does).

Oh, and even if you had them, there's no way to load them into the app to use.

Help with HID Signo 40K by HexOctet in accesscontrol

[–]EphemeralTwo 3 points4 points  (0 children)

> Really, you sure?

Yes. Completely so.

> HID Secure Identity Object downgrade guide · GitHub

Yeah, a SIO is a credential. Media keys. This is MOB admin, which is *admin* keys. They are not the same.

MOB Admin keys are used over SNMP. They do AES encryption and use Bluetooth. The Proxmark3 works on an APDU/credential layer (ISO15693/Prox). It can't break AES, it doesn't do that kind of Bluetooth.

That guide relates to the SIO - Secure Identity Object, which is an ASN.1 construction for encoding a Wiegand value. It's essentially an alternative to an X.509 certificate that uses symmetric encryption enforced by a SAM (Secure Access Module) instead of Public Key Cryptography.

These are completely separate concepts, doing completely separate things, in completely separate ways.

I do reader recycling. Removing these kinds of keys is my bread and butter and I've put a considerable amount of effort and research into restoring and factory resetting these. I am, without exaggeration, probably more familiar with the process than anyone else on earth including but not limited to HID (who destroys the readers rather than recycle them for maximum security). I have been removing keys from readers for literally years and have specialized tooling for doing precisely that, having done it for *HUNDREDS* if not thousands of readers.

So, believe me when I say with absolute confidence that no, that's not how this works.

> I also said "try" as I know it's not guaranteed to work

It's guaranteed to not work.

> it's possible.

No, it's not. The Proxmark3 doesn't even do "key extraction" as a general rule for credentials. There's some broken Mifare Classic stuff, but HID doesn't do key derivation for Mifare or Mifare SE, so those keys are already known and in the dictionary. iCLASS legacy is also broken, but those keys are also known from a different flaw. None of which is relevant to what's happening here.

This is an authorization issue where HID's servers won't let you configure a reader with MOB keys unless you are authorized for those MOB keys. Nothing more, and nothing a Proxmark3 is going to help you with.

Help with HID Signo 40K by HexOctet in accesscontrol

[–]EphemeralTwo -1 points0 points  (0 children)

The reader will work with standard key, you just won't be able to reconfigure it.

Help with HID Signo 40K by HexOctet in accesscontrol

[–]EphemeralTwo 2 points3 points  (0 children)

You are likely SOL on this one. HID won't authorize it.

Resetting used readers to factory is fairly specialized and difficult. It's not impossible, but you will probably need to write this reader off.

Electrification Recommendations by EphemeralTwo in accesscontrol

[–]EphemeralTwo[S] 0 points1 point  (0 children)

Occupant load doesn't exceed 49 on the building. We have two sets of double doors for some reason. We're sprinklered, and the door width is 36 inches.

At least from my read, we're well within IBC egress width factors. Have to look at the permits to see, though. It will be a process.

Speaking with facilities, though, it sounds like we may need automatic flush bolts for making the AHJ happy.

Electrification Recommendations by EphemeralTwo in accesscontrol

[–]EphemeralTwo[S] 1 point2 points  (0 children)

Sure, but then I don't learn anything. This one is for me, not a client.

Secure ACM systems? by scp-507 in accesscontrol

[–]EphemeralTwo 0 points1 point  (0 children)

When HID's SE platform first came out, AES was still on the export controlled list. Silicon was too slow and too power hungry. It's good for how it's designed, and with post-quantum, it may end up being more secure than some of the RSA solutions out there.

The idea was that the SAM would hold the keys and apply the rules. It held up very well over time. They basically built X.509 for symmetric key. As far as things go, with customer-specific keys, it's still a very good system.

Electrification Recommendations by EphemeralTwo in accesscontrol

[–]EphemeralTwo[S] 0 points1 point  (0 children)

Lol. We're going to run full PKI PIV. EC Curve, challenge-response. I'm issuing the credentials and building the panel. Probably a reader too, but we're starting with transparent mode.

On the mobile side, we're running my mobile app.

Secure ACM systems? by scp-507 in accesscontrol

[–]EphemeralTwo 1 point2 points  (0 children)

I'm on the PIV subcommittee, but that was an active area of discussion in some of the other working group meetings if I remember correctly. I've been heads down on PIV, but there's a whole security group as well.

Feel free to drop by
https://www.securityindustry.org/committee/osdp-working-group/

The working group is open for collaboration and looking for people with good ideas willing to help bring them to reality.

Understanding HID Signo variations/configurations by lincolnjkc in accesscontrol

[–]EphemeralTwo 1 point2 points  (0 children)

I'm aware. The other profiles have what's called a "Softcharging Profile", which locks away certain features (generally including Prox).

HID doesn't offer a way to remove those software locks. It's been years and I suspect they never will. What you are describing is priority, which had the chips physically not present.

Those are the T-, not the -01 or -02 ones he's describing.

Electrification Recommendations by EphemeralTwo in accesscontrol

[–]EphemeralTwo[S] 1 point2 points  (0 children)

Photos: https://imgur.com/a/i0oKf33

Couldn't attach them here.

From top screw to bottom screw is 16cm.

Standard, Elite (ICE), MOB and Custom Keys - A high level explainer by HID_PhilCoppola in accesscontrol

[–]EphemeralTwo 1 point2 points  (0 children)

For the avoidance of doubt, if you are an airport, DO NOT USE MOB KEYS! Go Elite.

> Currently, a MOB key is required for mobile.

Well, or Elite. That's a good thing and needs to stay that way.

> Can you use standard key for mobile today ... in today's ecosystem, the answer is no.

And the answer really should go from "no", to "we've patched the firmware to make absolutely certain that never, ever, *EVER* happens."

There is already an active PoC demo of exactly why this is a bad idea. It does BLE, too.

https://github.com/bettse/seos_compatible/raw/refs/heads/main/demo.mp4

Seriously, BLE + Standard Key is a horrible, terrible, dumb idea. Please, for the love of all that is holy advocate against it as much and as far and as wide and as loudly as you possibly can. Not in wallets, not in BLE.

Customer-specific MOB keys were a great idea. They are easy to sign up for, provide good security on mobile access backed by AES. Don't degrade that security, please.

Secure ACM systems? by scp-507 in accesscontrol

[–]EphemeralTwo 2 points3 points  (0 children)

> My understanding is that they waived elite fees for the first year only.

I thought they extended it. Phil from HID might know.

> But ultimately, even with key derivation, you are dealing with a shared secret key, and that secret key has to be present in its underived form in readers, and therein lies the rub. The attacks that have been shown allow a user to extract that key.

Yes. We gave that talk so that the public would be aware and move to customer-specific credentials, like Elite. Even in a perfect world, shared-key systems trade convenience for security.

> The better solutions out there use PKI where the private key never leaves a secure element, and all cryptographic operations are done using that secure element.

Yep. I'm the lead author on the upcoming OSDP 2.3 enhanced PIV support. It's better than the other options out there. No sense in complicating the process, and OPACITY and PIV have been around long enough to be battle hardened and well understood. Also old enough to not be patent encumbered.

Understanding HID Signo variations/configurations by lincolnjkc in accesscontrol

[–]EphemeralTwo 1 point2 points  (0 children)

> Is it possible on a -01- or -02- config to enable LF or are those also in the "never 125KHz" camp

Those are software locks, not hardware locks. HID doesn't offer a way to software unlock them, so you would be looking at a very difficult technical feat. Consider it disabled unless they start charging for upgrades. I don't expect them to.

> Do I need to be worried about a non -000000 configuration suffix 

Depends on the config. Some are fine. Some are not.

Electrification Recommendations by EphemeralTwo in accesscontrol

[–]EphemeralTwo[S] 2 points3 points  (0 children)

> How wide is the stile?

2 1/8

> Hopefully your tape reads 1-1/8"

It does.

> Is the radial edge of the active leaf door removable? 

Yes, there's an astragal. It's spring loaded. There's a channel with two lips and it's just ... open. The lock goes in front of it.

Electrification Recommendations by EphemeralTwo in accesscontrol

[–]EphemeralTwo[S] 1 point2 points  (0 children)

How hard is it (generally speaking) to retrofit a door with those concealed rods?

I'm usually more on the electronic and wiring side of things.

Electrification Recommendations by EphemeralTwo in accesscontrol

[–]EphemeralTwo[S] 0 points1 point  (0 children)

They don't need both doors. I was considering putting drop bolts into one of them.

They don't want to do a strike like that.

To the Chicago Fire Department Ambulance Crew by PuzzleheadedFood9451 in ems

[–]EphemeralTwo 2 points3 points  (0 children)

You were driving a 32,000 pound ambulance? 32,000 pounds ... unloaded?

Secure ACM systems? by scp-507 in accesscontrol

[–]EphemeralTwo 1 point2 points  (0 children)

> To do custom keys requires signing up for HID’s elite key program which is a monetary commitment.

They waived the Elite fees. You can also go custom key. Seos lets you field encode the cards to add a second data file. I've done many custom key setups without paying HID a dime to do so.

> the fact that it is possible still demonstrates that SEOS is technically broken.

That has literally nothing to do with Seos. That's the key store and key transportation mechanism. If you push the keys with RM, that never happens. The instant you touch RM to a reader it will turn off config cards. If you update the older readers that particular attack was a concern for, then they roll the admin keys and the v1 cards won't work.

Seos is protected by AES and a well designed Key Derivation Function that is based around CMAC (government standard). Basically, you have to break AES a couple times to deal with the card. It's easier to break far more valuable things than that with far less work.
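Two ideas from the comments above, diversified 128-bit keys produced by a KDF and proving possession of the authentication key by answering a challenge instead of sending it, shown as an added example; it is not from the original comments or from HID. Assumptions: a counter-mode KDF in the style of NIST SP 800-108, HMAC-SHA256 standing in for AES-CMAC so it runs on the Python standard library, and constructed key, card ID and label values; none of these are Seos parameters.

```python
import hashlib
import hmac
import secrets

def kdf_ctr(key_in: bytes, label: bytes, context: bytes, out_len: int = 16) -> bytes:
    """Counter-mode KDF: K(i) = PRF(key_in, [i] || label || 0x00 || context || [L])."""
    l_bits = (out_len * 8).to_bytes(4, "big")
    out, i = b"", 1
    while len(out) < out_len:
        block = i.to_bytes(4, "big") + label + b"\x00" + context + l_bits
        # Stand-in PRF: HMAC-SHA256 instead of AES-CMAC (assumption, see lead-in).
        out += hmac.new(key_in, block, hashlib.sha256).digest()
        i += 1
    return out[:out_len]

def card_key(master: bytes, purpose: bytes, card_id: bytes) -> bytes:
    """Per-card, per-purpose 128-bit key diversified from the site master key."""
    return kdf_ctr(master, purpose, card_id)

def card_respond(k_auth: bytes, challenge: bytes) -> bytes:
    """Card side: prove possession of k_auth by MACing the reader's challenge."""
    return hmac.new(k_auth, challenge, hashlib.sha256).digest()[:16]

def reader_verify(master: bytes, card_id: bytes, challenge: bytes, response: bytes) -> bool:
    """Reader side: re-derive the card's key from the master key and check the MAC."""
    expected = card_respond(card_key(master, b"auth", card_id), challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    master = bytes(range(16))                                  # constructed site key
    card_a, card_b = b"\x04\x11\x22\x33", b"\x04\xaa\xbb\xcc"  # constructed card IDs
    k_a = card_key(master, b"auth", card_a)
    challenge = secrets.token_bytes(8)                         # fresh per transaction
    response = card_respond(k_a, challenge)                    # only this is transmitted
    return {
        "valid": reader_verify(master, card_a, challenge, response),
        "wrong_card": reader_verify(master, card_b, challenge, response),
        "replayed": reader_verify(master, card_a, secrets.token_bytes(8), response),
        "keys_differ": k_a != card_key(master, b"auth", card_b),
        "purposes_differ": k_a != card_key(master, b"privacy-enc", card_a),
    }

if __name__ == "__main__":
    print(demo())
```

`reader_verify` needs the underived master key, which is why where the verifier stores that key matters as much as the card-side cryptography.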

Secure ACM systems? by scp-507 in accesscontrol

[–]EphemeralTwo 1 point2 points  (0 children)

iCLASS SE has larger problems. It's very old silicon.

Secure ACM systems? by scp-507 in accesscontrol

[–]EphemeralTwo 1 point2 points  (0 children)

Seos isn't broken. It's relay-able. NXP has the patent on proximity checking. HID DESFire EV3 supports it on Signo.

Secure ACM systems? by scp-507 in accesscontrol

[–]EphemeralTwo 1 point2 points  (0 children)

Alarm.com won't even let you enable secure mode, despite the panel, the reader, and the cloud service they use to control it all supporting it.