SecurityWeek

Researcher Says Healthcare Facility’s Doors Hackable for Over a Year

A researcher analyzing building access control vulnerabilities says a US healthcare facility has yet to patch security holes one year after being notified.

Door access control vulnerabilities

A researcher says a US healthcare facility has failed to address a serious vulnerability that has been making it possible for threat actors to hack the doors of one of its buildings for at least the past year. The healthcare organization, on the other hand, has denied the findings. 

The research was conducted by Shawn Merdinger, who in 2010, at the DEFCON conference, showed how S2 Security door access controllers used by hospitals, schools, fire stations, businesses and other entities could be hacked. A decade later, Merdinger was jailed after sending threatening emails to people at several universities during a mental health crisis.

After being released and staying sober, he launched a cybersecurity research project — he describes it as a “project of personal redemption” — whose goal is to show that physical access control vulnerabilities still impact many organizations. 

As part of the project, named Box of Rain, the researcher has documented nearly 40 instances of buildings that last year had hackable door controllers. He is now going through all the findings again to determine which of the buildings are still vulnerable considering that more than a year has passed. The researcher claims the findings were responsibly disclosed to impacted organizations and US government agencies. 

While some organizations have since addressed the security holes after being notified, others have not. One case that stands out, the researcher says, impacts a building apparently belonging to Los Angeles-based healthcare organization Cedars-Sinai.

The problem, according to the researcher, is that the S2 door access system associated with the impacted facility is exposed to the internet, it’s easily discoverable, and its web interface can be accessed using default ‘admin/admin’ credentials.  

The researcher says a hacker could leverage this weakness to open doors or schedule doors to open at specified times, add or modify staff privileges (an adversary can be added), learn when certain people arrive or leave, disrupt the system and prevent doors from opening, and use the compromised access controller for further attacks on the network. 

Products from S2 Security, which several years ago was combined with Lenel and became LenelS2, have been known to be affected by vulnerabilities, but in this case the access controllers are at risk due to their exposure on the web and the use of default credentials, rather than an actual product vulnerability. 

The researcher said the web interface associated with the Cedars-Sinai building was still accessible with default credentials as of the morning of September 24.

SecurityWeek can confirm that the web interface associated with an S2 controller is accessible at the IP address indicated by the researcher, but we have not attempted to log in. The evidence provided by the researcher, however, is credible. 

Merdinger’s report includes a screenshot of an activity log associated with the vulnerable door controller, showing the time when various Cedars doctors had accessed the building. 

SecurityWeek has reached out for comment to CISA and Health-ISAC, both of which, Merdinger claims, received his reports but apparently failed to take action. The researcher has provided screenshots of emails showing Health-ISAC had been looking into the findings. Health-ISAC has not responded to SecurityWeek and CISA said it will not be commenting. 

Cedars-Sinai has also been contacted, but the healthcare organization said the issues found by Merdinger do not affect its facilities.  

Building access systems are known to be affected by many vulnerabilities and in some cases it has taken vendors several years to patch them, even when there was evidence of malicious exploitation.

UPDATE: Shortly after this article was published, Merdinger informed SecurityWeek that the password for the system used by Cedars-Sinai was changed.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
