Access System Flaws Enabled Hackers to Unlock Doors at Major European Firms

More than 20 vulnerabilities were found and patched in Dormakaba physical access control systems.

Vulnerabilities discovered by researchers in Dormakaba physical access control systems could have allowed hackers to remotely open doors at major organizations.

The security holes were discovered by experts at SEC Consult, a cybersecurity consulting firm under Atos-owned Eviden, in Dormakaba’s Exos central management software, a hardware access manager, and registration units that enable entry via a keypad, fingerprint reader, or chip card.

Several types of vulnerabilities were identified, including hardcoded credentials and encryption keys, weak passwords, lack of authentication, insecure password generation, local privilege escalation, data exposure, path traversal, and command injection issues.

The vulnerable product is mainly used by large enterprises in Europe, including industrial companies, energy providers, logistics firms, and airport operators. 

Exploitation of the flaws identified by SEC Consult researchers could have allowed threat actors to directly unlock doors, obtain access PINs, or conduct further attacks in the compromised environment. 

“A few thousand customers were potentially affected, with a small subset having high-security requirements,” Dormakaba told SecurityWeek.

In total, more than 20 vulnerabilities were discovered and reported to the vendor, which over the past year and a half has been working to release patches and hardening guidelines. 

Dormakaba has also been working with major customers to ensure that their access systems are no longer vulnerable. 

According to the vendor, “To exploit the vulnerabilities, an attacker needs prior access to the customer-specific infrastructure (network or hardware). As a result, exploitation would only be possible from within the customer’s own protected network.”

However, SEC Consult has identified a few dozen internet-exposed systems that were vulnerable and could have been targeted by hackers to open doors directly from the web. 

Dormakaba stated that it’s “not aware of any cases where the identified vulnerabilities have been exploited.”

The cybersecurity firm has published a video showing how an attacker could have exploited the vulnerabilities to open doors using specially crafted requests:

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
