SecurityWeek

IoT Security

Organizations Slow to Protect Doors Against Hackers: Researcher

Door access controllers remain vulnerable to remote hacker attacks for extended periods of time, a researcher has found.


A significant percentage of organizations whose door access controllers have been analyzed by a cybersecurity researcher have failed to take any action to protect them against hacker attacks. 

The research was conducted by Shawn Merdinger, who in 2010 showed how S2 Security door access controllers used by schools, hospitals, and other organizations could have been remotely hacked. 

A decade later, Merdinger was jailed after sending threatening emails to people at several universities during a mental health crisis. After being released and staying sober, he launched a cybersecurity research project named Box of Rain — described as a “project of personal redemption” — whose goal is to show that many organizations are still impacted by physical access control vulnerabilities. 

The project focused on S2 door access systems made by LenelS2 (S2 Security before it was combined with Lenel), and targeted management interfaces exposed on the web and protected with default ‘admin/admin’ credentials. 

As part of the project, the researcher last year documented nearly 40 instances of buildings that had hackable door controllers. They mostly belonged to organizations in the education and healthcare sectors, with some owned by churches, courthouses, sports teams, power utilities, and law enforcement.

The findings were reported last year to the US cybersecurity agency CISA and other agencies in hopes that they would notify the impacted organizations and that the exposed systems would be protected. In some cases the researcher reached out to impacted organizations directly. 

In recent weeks, roughly one year after the findings were first responsibly disclosed, Merdinger has reviewed the vulnerable instances to see how many organizations have taken action.

The researcher has determined that roughly half of the access controllers he discovered last year are now offline, or the findings are no longer relevant. Half a dozen of the instances are still exposed to the internet, but their password has been changed and they are no longer accessible with default credentials.


According to Merdinger, ten organizations have failed to take any action and their doors are still vulnerable to hacker attacks because they are exposed to the internet and continue to use default credentials. 

The exposed web interface can allow a threat actor to open doors or schedule them to open at specified times, learn when certain people leave or arrive, add arbitrary people to the staff list, and cause disruptions to prevent the doors from opening. These controllers can also be leveraged to launch further attacks on the impacted organization’s network. 

SecurityWeek previously highlighted one of Merdinger’s findings, which involved a US healthcare facility that changed the password of the exposed system only after we published an article. CISA was contacted at the time, but the agency refused to comment.

Building access systems are known to be affected by vulnerabilities, and it can take vendors a long time to release patches, even when there is evidence of malicious exploitation.

Merdinger believes a handful of the systems he reviewed in recent weeks — all belonging to medical facilities — may have been compromised by malicious actors, because the web interface loads very slowly.  

Overall, the researcher has been displeased with the responses — or lack of responses — to his disclosure attempts, both from government agencies and from impacted vendors. 

Related: Unpatched Sceiner Smart Lock Vulnerabilities Allow Hackers to Open Doors

Related: Axis Door Controller Vulnerability Exposes Facilities to Physical, Cyber Threats

Related: Nexx Ignores Vulnerabilities Allowing Hackers to Remotely Open Garage Doors

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
