Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Vulnerabilities in HID Mercury Access Controllers Allow Hackers to Unlock Doors

Access control products using HID Mercury controllers are affected by critical vulnerabilities that can be exploited by hackers to remotely unlock doors.

Access control products using HID Mercury controllers are affected by critical vulnerabilities that can be exploited by hackers to remotely unlock doors.

The vulnerabilities were discovered by researchers at XDR firm Trellix, which launched earlier this year following the merger of McAfee Enterprise and FireEye.

The issues were found in products from LenelS2 — a subsidiary of HVAC giant Carrier that specializes in physical security solutions — but Trellix said it received confirmation from HID Global that all OEM partners that use certain hardware controllers are affected.

Trellix researchers identified a total of eight vulnerabilities, seven of which have been assigned “critical” or “high” severity ratings. The flaws can be exploited for remote code execution, command injection, denial-of-service (DoS), information spoofing, and writing arbitrary files.

Most of these vulnerabilities can be exploited without authentication, but exploitation requires a direct connection to the targeted system. Sam Quinn, senior security researcher at Trellix, told SecurityWeek that these systems should not be exposed to the internet.

“Best practices are that these [systems] are behind a firewall and not directly connected to the internet, but it’s possible this practice is not always the case in the wild. Users should be sure installation guidelines are followed,” Quinn explained.

The cybersecurity firm’s analysis involved hardware hacking and reverse engineering of software. Its researchers then created a proof-of-concept (PoC) exploit that shows how an attacker can unlock any door and subvert monitoring systems. A video shows the exploit in action.

Trellix told SecurityWeek that it plans on releasing a series of detailed technical blogs describing these vulnerabilities in the upcoming weeks.

Carrier has released an advisory to inform customers about the availability of patches (firmware updates) and mitigations.

The US Cybersecurity and Infrastructure Security Agency (CISA) has also published an advisory to inform organizations about the risk posed by the vulnerabilities.

Related: Hackers Can Open Doors by Exploiting Vulnerabilities in Hörmann Device

Related: Unpatched Flaws in Building Access System Allow Hackers to Create Fake Badges

Related: Vulnerability in IDEMIA Biometric Readers Allows Hackers to Unlock Doors

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.