Hackers Can Remotely Unlock Doors via Flaw in HID Controllers

Researchers at Trend Micro have identified a serious vulnerability in door controllers developed by access control and secure identity solutions provider HID. The vendor has released a firmware update to address the issue and pointed out that the flaw does not affect HID readers. 

Ricky Lawshae of Trend Micro analyzed HID’s VertX and Edge controllers, which allow organizations to remotely control a door’s functions, including locking and unlocking, and activating and deactivating alarms.

The researcher discovered that the controllers include a service called discoveryd, which responds to UDP packets on port 4070. When a request is sent to the service, it responds with the device's MAC address, device type, firmware version, and details about the door (e.g. North Exterior Door). Lawshae also found that the service can be used to change the blinking pattern of the status LED on the device via a call to a function named system().

According to Trend Micro, the service fails to sanitize user-supplied input going to system(), allowing an attacker to inject arbitrary commands into a packet sent to the vulnerable service. Since the discoveryd service runs as root, malicious hackers can remotely execute arbitrary code with root privileges and compromise the system.
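The bug class described above is untrusted packet data reaching a shell through system(). One way to avoid it is sketched below as an added example; it is not HID's code and not from the original article. The function names, the 1-to-3-digit argument format and the /bin/echo stand-in for an LED helper binary are all assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: stand-in for a hypothetical LED helper binary. */
#define LED_HELPER "/bin/echo"

/* Unsafe pattern (for contrast, not compiled): packet data reaches a shell.
 *   snprintf(cmd, sizeof cmd, "led_helper %s", field);
 *   system(cmd);   // the shell interprets ; | ` $ ( ) in field
 */

/* Allow-list check: 1 to 3 decimal digits (assumed format), nothing else. */
int blink_arg_is_valid(const char *field, size_t len)
{
    if (field == NULL || len == 0 || len > 3)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (field[i] < '0' || field[i] > '9')
            return 0;
    return 1;
}

/* Returns the helper's exit status (127 if exec failed), or -1 if the
 * input is rejected or fork/wait fails. */
int set_blink_pattern(const char *field, size_t len)
{
    char arg[4];
    if (!blink_arg_is_valid(field, len))
        return -1;
    memcpy(arg, field, len);
    arg[len] = '\0';
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* No shell: arg is one argv element, never parsed as a command. */
        char *const argv[] = { (char *)LED_HELPER, arg, NULL };
        execv(LED_HELPER, argv);
        _exit(127);              /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Validation alone limits what reaches the helper; dropping the shell removes the interpreter that made injection possible, and running such a service without root would limit the impact of any remaining flaw.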

Once they compromise the HID controller, attackers can disable alarms and unlock doors. Worryingly, Trend Micro said a door can be permanently unlocked, with no way to relock it from a remote management system.

Such an attack is easy to launch since the malicious UDP packets can be sent without any authentication. Furthermore, because the vulnerable service responds to broadcast UDP packets, malicious requests can be sent simultaneously to all the doors found on a network.

The Zero Day Initiative (ZDI), which assigned a CVSS score of 10 to this vulnerability, said the issue was reported to the vendor on February 25. HID released a firmware update to address the security bug and informed channel partners about its availability. The company told SecurityWeek that the vulnerability exists in older products and affects only a small portion of its customer base.

HID Global has provided the following statement:

“HID Global has fixed the Discovery Protocol Security vulnerability that affects the company’s EDGE and VertX controllers. This firmware patch is now released. The vulnerability, which was disclosed by the Zero Day Initiative team in March, does not affect HID Global’s readers. Responding rapidly to the disclosure by the Zero Day Initiative team, HID Global developed a firmware update that protects end-user customers against the vulnerability. The company recommends that all EDGE and VertX controllers be updated to this latest firmware. HID Global has shared this information, including the update, with HID partners who have developed solutions based on the EDGE and VertX controllers.

The disclosure and resolution of the Discovery Protocol Security vulnerability is an example of a positive collaboration between HID Global and the security researcher community. HID Global values the insight and commitment of security researchers, like the Zero Day Initiative team, which brought the vulnerability to HID Global’s attention and worked with the company for responsible disclosure of both the vulnerability and the fix.”

Trend Micro researchers said they had not verified the fix and noted that it could take some time until the update is installed on customers’ devices.

Several researchers have spent time analyzing the cyber security of physical security products. Last year, Maxim Rupp reported finding a serious vulnerability in Chiyu Technology fingerprint access controllers that could make it easier for hackers to open the doors protected by these devices.

In early January, Rapid7 disclosed an unpatched flaw in Comcast’s Xfinity Home Security system that could allow thieves to break into homes without triggering the alarm.

*Updated with additional information and statement from HID

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
