Hackers Can Remotely Unlock Doors via Flaw in HID Controllers

Researchers at Trend Micro have identified a serious vulnerability in door controllers developed by access control and secure identity solutions provider HID. The vendor has released a firmware update to address the issue and pointed out that the flaw does not affect HID readers. 


Ricky Lawshae of Trend Micro analyzed HID’s VertX and Edge controllers, which allow organizations to remotely control a door’s functions, including locking and unlocking, and activating and deactivating alarms.


The researcher discovered that the controllers include a service called discoveryd, which responds to UDP packets on port 4070. When a request is sent to the service, it responds with MAC address, device type, firmware version, and details about the door (e.g. North Exterior Door). Lawshae also found that the service can be used to change the blinking pattern of the status LED on the device via a call to a function named system().

According to Trend Micro, the service fails to sanitize user-supplied input going to system(), allowing an attacker to inject arbitrary commands into a packet sent to the vulnerable service. Since the discoveryd service runs as root, malicious hackers can remotely execute arbitrary code with root privileges and compromise the system.
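The class of bug described above, shown as an added C sketch that is not HID's firmware code: a packet field pasted into a shell command line, next to a version that validates the field and runs the helper without a shell. The helper path `/usr/bin/led_blink`, the 1..60 range and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define LED_HELPER "/usr/bin/led_blink"   /* hypothetical helper binary */

/* Risky pattern: the field is pasted into a shell command line, so any
 * shell metacharacter in it changes what system() would run. This only
 * builds the string; nothing is executed here. */
int build_shell_command(const char *field, char *out, size_t outlen) {
    int n = snprintf(out, outlen, LED_HELPER " %s", field);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened step 1: accept only a decimal blink count in 1..60 (assumed
 * range). The field comes from a packet, so it is length-delimited. */
int parse_blink_count(const char *field, size_t len, long *count) {
    char buf[4];
    if (len == 0 || len >= sizeof buf) return -1;      /* at most 3 digits */
    for (size_t i = 0; i < len; i++)
        if (field[i] < '0' || field[i] > '9') return -1;
    memcpy(buf, field, len);
    buf[len] = '\0';
    long v = strtol(buf, NULL, 10);
    if (v < 1 || v > 60) return -1;
    *count = v;
    return 0;
}

/* Hardened step 2: no shell at all; the validated number is passed as a
 * single argv entry, so it can never be parsed as a command. */
int run_led_helper(long count) {
    char arg[8];
    snprintf(arg, sizeof arg, "%ld", count);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)LED_HELPER, arg, NULL };
        execv(LED_HELPER, argv);
        _exit(127);                                    /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Because the article notes the service runs as root, a fix of this shape would normally be paired with running the network-facing service under a less privileged account.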

Once they compromise the HID controller, attackers can disable alarms and unlock doors. Worryingly, Trend Micro said a door can be permanently unlocked, with no way to relock it from a remote management system.

Such an attack is easy to launch since the malicious UDP packets can be sent without any authentication. Furthermore, because the vulnerable service responds to broadcast UDP packets, malicious requests can be sent simultaneously to all the doors found on a network.

The Zero Day Initiative (ZDI), which assigned a CVSS score of 10 to this vulnerability, said the issue was reported to the vendor on February 25. HID released a firmware update to address the security bug and informed channel partners about its availability. The company told SecurityWeek that the vulnerability exists in older products and affects only a small portion of its customer base.


HID Global has provided the following statement:

“HID Global has fixed the Discovery Protocol Security vulnerability that affects the company’s EDGE and VertX controllers. This firmware patch is now released. The vulnerability, which was disclosed by the Zero Day Initiative team in March, does not affect HID Global’s readers. Responding rapidly to the disclosure by the Zero Day Initiative team, HID Global developed a firmware update that protects end-user customers against the vulnerability. The company recommends that all EDGE and VertX controllers be updated to this latest firmware. HID Global has shared this information, including the update, with HID partners who have developed solutions based on the EDGE and VertX controllers.

The disclosure and resolution of the Discovery Protocol Security vulnerability is an example of a positive collaboration between HID Global and the security researcher community. HID Global values the insight and commitment of security researchers, like the Zero Day Initiative team, which brought the vulnerability to HID Global’s attention and worked with the company for responsible disclosure of both the vulnerability and the fix.”

Trend Micro researchers said they had not verified the fix and noted that it could take some time until the update is installed on customers’ devices.

Several researchers have spent time analyzing the cyber security of physical security products. Last year, Maxim Rupp reported finding a serious vulnerability in Chiyu Technology fingerprint access controllers that could make it easier for hackers to open the doors protected by these devices.

In early January, Rapid7 disclosed an unpatched flaw in Comcast’s Xfinity Home Security system that could allow thieves to break into homes without triggering the alarm.

*Updated with additional information and statement from HID


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
