Security Experts:

Connect with us

Hi, what are you looking for?



Hackers Can Open Doors by Exploiting Vulnerabilities in Hörmann Device

Hackers could remotely open garage doors and gates by exploiting vulnerabilities found in a gateway device made by Hörmann, researchers warned on Wednesday.

Hackers could remotely open garage doors and gates by exploiting vulnerabilities found in a gateway device made by Hörmann, researchers warned on Wednesday.

Hörmann is a Germany-based company that specializes in home and industrial doors. The company’s products are sold in more than 50 countries across North America, Europe and Asia, and according to Wikipedia, it’s the fourth largest door manufacturer in the world.

Customers who want to control garage doors, entrance gates and other smart systems from a smartphone are provided the BiSecur gateway device, a wireless access control system that includes a Hörmann key fob and comes with Wi-Fi and Ethernet interfaces.Hörmann gateway vulnerabilities

Researchers at Austria-based cybersecurity company SEC Consult have discovered a total of 15 vulnerabilities in the gateway device, including issues related to encryption, poorly protected communications, and the associated mobile application.

The flaws can be exploited for both attacks that require access to the local network and attacks that can be launched remotely from the internet. Based on its research, SEC Consult has created an open source Python-based communication library for BiSecur devices.

In one attack scenario described by SEC Consult for SecurityWeek, an attacker who is able to connect to the local network can open doors connected to the Hörmann gateway by executing a small script. The attack does not require authentication and it can be conducted from a mobile phone.

Another scenario involves an attacker on the local network rendering the door-opening hardware unresponsive. In order to restore the system, a manual reset of the device is required, but the device is typically behind the door, which in case of an attack cannot be opened by the victim.

As for attacks that can be launched remotely over the internet, the vulnerabilities found by SEC Consult only allow unauthenticated hackers to impersonate a device and send false status information to the owner. For instance, they can notify the victim via the app that their garage door is opening or that it’s open, when in fact it’s not.

A remote attacker can also impersonate a device over the internet and cause Hörmann’s servers to send the victim’s device username and password to the attacker instead of the door opener.

These remote attacks require the attacker to extract the client certificate and private key from any Hörmann door opener hardware, and then use the extracted key to connect to the vendor’s server. The attacker can then run a script to switch the identity of their device to the targeted user’s device, which is possible due to Hörmann’s failure to ensure that certificates matched the device.

SEC Consult says it has not checked how many potentially vulnerable systems are exposed to the internet due to legal reasons — doing so required accessing the vendor’s servers — but the vulnerable product has been on the market for years and is highly popular.

SEC Consult says Hoermann has taken steps to address the vulnerabilities after being notified. SecurityWeek has reached out to the vendor for comment and will update this article if it responds.

This is not the first time researchers have found vulnerabilities in the Hoermann BiSecur device. Back in 2017, experts showed how hackers could have cloned a legitimate transmitter to take control of gates and doors.

UPDATE 11/04/2020: Hörmann has provided SecurityWeek the following statement:

Hörmann was notified by SEC Consult of potential security risks posed by the BiSecur gateway and responded right away. The option for registering on the official BiSecur portal was disabled immediately and production of the BiSecur gateway temporarily suspended. The product developers reviewed these vulnerabilities with top priority and very quickly fixed all relevant security risks.

On the one hand, the algorithm of the test code for registering the BiSecur gateway has been changed. The test code is now longer, more cryptic and is assigned random values. All customers that registered a gateway via the portal before these security risks came to light have been notified that a new test code is required. These users were sent a new test code by mail with due regard for the necessary security requirements.

On the other hand, the method for assigning passwords has been updated in the BiSecur app. After a last minute update, a 10-character password with upper- and lowercase letters, numbers and special characters is now required.

The BiSecur gateway software was also updated. It now has readout protection for both controllers.

Hörmann is constantly working to optimise the quality, safety and security of all its products. The discovery of potential vulnerabilities by SEC Consult proved to be helpful in terms of improving the overall BiSecur system.

Related: Vulnerabilities Impact Multiple Rittal Products Due to Use of Same Firmware

Related: Critical Vulnerabilities Expose Pepperl+Fuchs Industrial Switches to Attacks

Related: SEC Consult Open Sources Hardware Analysis Tool

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.