Researchers at Trend Micro have identified a serious vulnerability in door controllers developed by access control and secure identity solutions provider HID. The vendor has released a firmware update to address the issue and pointed out that the flaw does not affect HID readers.
Ricky Lawshae of Trend Micro analyzed HID’s VertX and Edge controllers, which allow organizations to remotely control a door’s functions, including locking and unlocking, and activating and deactivating alarms.
The researcher discovered that the controllers include a service called discoveryd, which responds to UDP packets on port 4070. When a request is sent to the service, it responds with MAC address, device type, firmware version, and details about the door (e.g. North Exterior Door). Lawshae also found that the service can be used to change the blinking pattern of the status LED on the device via a call to a function named system().
According to Trend Micro, the service fails to sanitize user-supplied input going to system(), allowing an attacker to inject arbitrary commands into a packet sent to the vulnerable service. Since the discoveryd service runs as root, malicious hackers can remotely execute arbitrary code with root privileges and compromise the system.
Once they compromise the HID controller, attackers can disable alarms and unlock doors. Worryingly, Trend Micro said a door can be permanently unlocked, without the possibility to relock it from a remote management system.
Such an attack is easy to launch since the malicious UDP packets can be sent without any authentication. Furthermore, because the vulnerable service responds to broadcast UDP packets, malicious requests can be sent simultaneously to all the doors found on a network.
The Zero Day Initiative (ZDI), which assigned a CVSS score of 10 to this vulnerability, said the issue was reported to the vendor on February 25. HID released a firmware update to address the security bug and informed channel partners about its availability. The company told SecurityWeek that the vulnerability exists in older products and affects only a small portion of its customer base.
HID Global has provided the following statement:
HID Global has fixed the Discovery Protocol Security vulnerability that affects the company’s EDGE and VertX controllers. This firmware patch is now released. The vulnerability, which was disclosed by the Zero Day Initiative team in March, does not affect HID Global’s readers. Responding rapidly to the disclosure by the Zero Day Initiative team, HID Global developed a firmware update that protects end-user customers against the vulnerability. The company recommends that all EDGE and VertX controllers be updated to this latest firmware. HID Global has shared this information, including the update, with HID partners who have developed solutions based on the EDGE and VertX controllers.
The disclosure and resolution of the Discovery Protocol Security vulnerability is an example of a positive collaboration between HID Global and the security researcher community. HID Global values the insight and commitment of security researchers , like the Zero Day Initiative team, which brought the vulnerability to HID Global’s attention and worked with the company for responsible disclosure of both the vulnerability and the fix.”
Trend Micro researchers said they had not verified the fix and noted that it could take some time until the update is installed on customers’ devices.
Several researchers have spent time analyzing the cyber security of physical security products. Last year, Maxim Rupp reported finding a serious vulnerability in Chiyu Technology fingerprint access controllers that could allow hackers to make it easier to open the doors protected by these devices.
In early January, Rapid7 disclosed an unpatched flaw in Comcast’s Xfinity Home Security system that could allow thieves to break into homes without triggering the alarm.
*Updated with additional information and statement from HID
Related: Learn More at the ICS Cyber Security Conference