A significant percentage of organizations whose door access controllers have been analyzed by a cybersecurity researcher have failed to take any action to protect them against hacker attacks.
The research was conducted by Shawn Merdinger, who in 2010 showed how S2 Security door access controllers used by schools, hospitals, and other organizations could have been remotely hacked.
A decade later, Merdinger was jailed after sending threatening emails to people at several universities during a mental health crisis. After being released and staying sober, he launched a cybersecurity research project named Box of Rain — described as a “project of personal redemption” — whose goal is to show that many organizations are still impacted by physical access control vulnerabilities.
The project focused on S2 door access systems made by LenelS2 (S2 Security before it was combined with Lenel), and targeted management interfaces exposed on the internet that could be accessed with the default ‘admin/admin’ credentials.
As part of the project, the researcher last year documented nearly 40 instances of buildings that had hackable door controllers. They mostly belonged to organizations in the education and healthcare sectors, with some owned by churches, courthouses, sports teams, power utilities, and law enforcement.
The findings were reported last year to the US cybersecurity agency CISA and other agencies in hopes that they would notify the impacted organizations and that the exposed systems would be protected. In some cases the researcher reached out to impacted organizations directly.
In recent weeks, roughly one year after the findings were first responsibly disclosed, Merdinger has reviewed the vulnerable instances to see how many organizations have taken action.
The researcher has determined that roughly half of the access controllers he discovered last year are now offline, or the findings are no longer relevant. Half a dozen of the instances are still exposed to the internet, but their password has been changed and they are no longer accessible with default credentials.
According to Merdinger, ten organizations have failed to take any action and their doors are still vulnerable to hacker attacks because they are exposed to the internet and continue to use default credentials.
The exposed web interface can allow a threat actor to open doors or schedule them to open at specified times, learn when certain people leave or arrive, add arbitrary people to the staff list, and cause disruptions to prevent the doors from opening. These controllers can also be leveraged to launch further attacks on the impacted organization’s network.
SecurityWeek previously highlighted one of Merdinger’s findings, which involved a US healthcare facility that changed the password of the exposed system only after we published an article. CISA was contacted at the time, but the agency refused to comment.
Building access systems are known to be affected by vulnerabilities and it can take vendors a long time to release patches, even when there is evidence of malicious exploitation.
Merdinger believes a handful of the systems he reviewed in recent weeks — all belonging to medical facilities — may have been compromised by malicious actors, because the web interface loads very slowly.
Overall, the researcher has been displeased with the responses — or lack of responses — to his disclosure attempts, both from government agencies and from impacted vendors.