Cyber, Physical Security Attack

Tuesday, April 5, 2016 @ 04:04 PM gHale


This is an instance where cyber security and physical security come together: a vulnerability in HID door controllers can allow an attacker to unlock a door.

By sending a malicious UDP request to a door, it is possible to automatically unlock it and/or deactivate the alarm if the door has that feature enabled.


HID manufactures door controllers, the black boxes next to locked security doors where someone swipes a card, an LED turns green, and the door automatically opens.

In some newer versions, these door controllers can also connect to the local network and allow system administrators to manage the devices from their local command center.

Trend Micro’s Ricky Lawshae found two of these door controllers, VertX and Edge, have a design vulnerability in their management protocol that allows someone to run remote commands on the device, all with root privileges.

These two devices are running a special daemon called discoveryd, which answers to UDP network packets on port 4070 with information on the device, like its lock state, alarm state, firmware version, device type, MAC address, and a generic name (like “Door for East Corridor”), Lawshae said.

Besides reporting on the device’s status, this service also includes a debugging function that allows a remote admin to tell the device to blink its LED a given number of times.

This operation takes place when the IT manager sends a “command_blink_on” command with the door’s ID. Lawshae said that, because of improper input sanitization, placing a Linux command after the ID, wrapped in backticks like `command`, causes that command to execute on the device.

Since this LED function is fed to the system() call, which then runs as root, an attacker can instruct the device to do whatever they wish, all via one single UDP packet.
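The bug Lawshae describes, reconstructed here as an added C example rather than HID's own code (which is not on the page): the unsafe pattern splices the door ID from the packet straight into a shell string destined for system(), while the hardened handler rejects any ID that is not purely numeric before anything is built. The helper name `led_blink`, the 16-digit ID limit and the blink-count range are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern (hypothetical reconstruction of the bug described above):
 * the door ID received over UDP is spliced verbatim into a command line that
 * the daemon later hands to system(), so backticks in the ID become shell
 * command substitution. This function only builds the string; it never runs it. */
int build_blink_cmd_unsafe(const char *door_id, int times, char *out, size_t out_len) {
    /* "led_blink" is an assumed helper name; the real binary is not named on the page */
    int n = snprintf(out, out_len, "led_blink %s %d", door_id, times);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;
}

/* Hardened check: a door ID is accepted only if it is 1..16 ASCII digits
 * (assumed limit). Backticks, semicolons, spaces or an empty string are
 * rejected before any command line exists. */
int valid_door_id(const char *door_id) {
    size_t len = strlen(door_id);
    if (len == 0 || len > 16) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)door_id[i])) return 0;
    return 1;
}

/* Hardened handler: validate first, bound the blink count, and hand the
 * validated ID to the LED helper as a single argv entry (e.g. via execv),
 * never through a shell. Returns 0 if accepted, -1 if rejected. */
int handle_blink_safe(const char *door_id, int times, char *arg_out, size_t out_len) {
    if (!valid_door_id(door_id) || times < 1 || times > 100) return -1;
    int n = snprintf(arg_out, out_len, "%s", door_id);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;
}

int main(void) {
    char buf[256];
    /* constructed sample: a backtick-wrapped command appended to a door ID */
    const char *injected = "1`command`";
    build_blink_cmd_unsafe(injected, 3, buf, sizeof buf);
    printf("unsafe command line: %s\n", buf);   /* backticks survive into the shell string */
    printf("safe handler on injected ID: %d\n", handle_blink_safe(injected, 3, buf, sizeof buf));
    printf("safe handler on ID 42: %d\n", handle_blink_safe("42", 3, buf, sizeof buf));
    return 0;
}
```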

Additionally, by leaving out the ID, the attacker can control all doors inside a building at the same time. If this operation is automated into a network flood, the doors will stay open or closed until the stream of UDP packets ends, and only then will IT administrators be able to open or close the door controllers again.