Hackers could remotely open garage doors and gates by exploiting vulnerabilities found in a gateway device made by Hörmann, researchers warned on Wednesday.
Hörmann is a Germany-based company that specializes in home and industrial doors. The company’s products are sold in more than 50 countries across North America, Europe and Asia, and according to Wikipedia, it’s the fourth largest door manufacturer in the world.
Customers who want to control garage doors, entrance gates and other smart systems from a smartphone are provided the BiSecur gateway device, a wireless access control system that includes a Hörmann key fob and comes with Wi-Fi and Ethernet interfaces.
Researchers at Austria-based cybersecurity company SEC Consult have discovered a total of 15 vulnerabilities in the gateway device, including issues related to encryption, poorly protected communications, and the associated mobile application.
The flaws can be exploited for both attacks that require access to the local network and attacks that can be launched remotely from the internet. Based on its research, SEC Consult has created an open source Python-based communication library for BiSecur devices.
In one attack scenario described by SEC Consult for SecurityWeek, an attacker who is able to connect to the local network can open doors connected to the Hörmann gateway by executing a small script. The attack does not require authentication and it can be conducted from a mobile phone.
Another scenario involves an attacker on the local network rendering the door-opening hardware unresponsive. In order to restore the system, a manual reset of the device is required, but the device is typically behind the door, which in case of an attack cannot be opened by the victim.
As for attacks that can be launched remotely over the internet, the vulnerabilities found by SEC Consult only allow unauthenticated hackers to impersonate a device and send false status information to the owner. For instance, they can notify the victim via the app that their garage door is opening or that it’s open, when in fact it’s not.
A remote attacker can also impersonate a device over the internet and cause Hörmann’s servers to send the victim’s device username and password to the attacker instead of the door opener.
These remote attacks require the attacker to extract the client certificate and private key from any Hörmann door opener hardware, and then use the extracted key to connect to the vendor’s server. The attacker can then run a script to switch the identity of their device to the targeted user’s device, which is possible due to Hörmann’s failure to ensure that certificates matched the device.
SEC Consult says it has not checked how many potentially vulnerable systems are exposed to the internet due to legal reasons — doing so required accessing the vendor’s servers — but the vulnerable product has been on the market for years and is highly popular.
SEC Consult says Hoermann has taken steps to address the vulnerabilities after being notified. SecurityWeek has reached out to the vendor for comment and will update this article if it responds.
This is not the first time researchers have found vulnerabilities in the Hoermann BiSecur device. Back in 2017, experts showed how hackers could have cloned a legitimate transmitter to take control of gates and doors.
UPDATE 11/04/2020: Hörmann has provided SecurityWeek the following statement:
Hörmann was notified by SEC Consult of potential security risks posed by the BiSecur gateway and responded right away. The option for registering on the official BiSecur portal was disabled immediately and production of the BiSecur gateway temporarily suspended. The product developers reviewed these vulnerabilities with top priority and very quickly fixed all relevant security risks.
On the one hand, the algorithm of the test code for registering the BiSecur gateway has been changed. The test code is now longer, more cryptic and is assigned random values. All customers that registered a gateway via the portal before these security risks came to light have been notified that a new test code is required. These users were sent a new test code by mail with due regard for the necessary security requirements.
On the other hand, the method for assigning passwords has been updated in the BiSecur app. After a last minute update, a 10-character password with upper- and lowercase letters, numbers and special characters is now required.
The BiSecur gateway software was also updated. It now has readout protection for both controllers.
Hörmann is constantly working to optimise the quality, safety and security of all its products. The discovery of potential vulnerabilities by SEC Consult proved to be helpful in terms of improving the overall BiSecur system.
Related: Vulnerabilities Impact Multiple Rittal Products Due to Use of Same Firmware
Related: Critical Vulnerabilities Expose Pepperl+Fuchs Industrial Switches to Attacks