Knock, knock: Digital key flaw unlocks door control systems | Cyber Security


Attackers could unlock doors in office buildings, factories and other corporate buildings at will, thanks to a flaw in a popular controller discovered by a Google researcher.

David Tomaschik, who works as senior security engineer and tech lead at Google, uncovered the flaw in devices made by Software House, a Johnson Controls company. Forbes reports that he conducted his research on Google’s own door system.

Tomaschik, who described his project at a talk in August at DEF CON’s IoT Village, explored two devices. The first was iStar Ultra, a Linux-based door controller that supports hardwired and wireless locks. The second was the IP-ACM Ethernet Door Module, a door controller that communicates with iStar.

When a user presents an RFID badge, the door controller sends the information to the iStar device, which checks to see if the user is authorised. It then returns an instruction to the door controller, telling it to either unlock the door or to deny access.

Software House’s website still promotes the original version of its IP-ACM as a “highly secure option to manage their security”. But judging from Tomaschik’s research, that’s a bit wide of the mark.

The devices were using encryption to protect their network communication – however, digging through their network traffic, Tomaschik found that Software House had apparently been rolling its own crypto rather than relying on tried and tested solutions.

The devices were sending hardcoded encryption keys over the network, and were using a fixed initialization vector, which is an input to the cryptographic function that produces the ciphertext and is supposed to change with every message. Moreover, the devices didn’t include any message signing, meaning that an impostor could easily send messages pretending to be from a legitimate device, and the recipient wouldn’t check.
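The three weaknesses in that paragraph, placed beside the scheme that fixes them, as an added example written for this article; it is not Software House's protocol or Tomaschik's code, and the key, IV, command string and header used below are constructed stand-ins. It uses only Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed stand-ins for this example only: a key shared by every device
// and a constant all-zero IV, as the flawed design is described.
var (
	hardcodedKey = []byte("0123456789abcdef")
	fixedIV      = make([]byte, aes.BlockSize)
	// Constructed sample command, exactly two AES blocks long.
	sampleCommand = []byte("CMD=DENY,DOOR=07;SEQ=0001,SRC=A1")
)

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("length is not a block multiple")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid padding")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return b[:len(b)-n], nil
}

// weakEncrypt models the flawed scheme: AES-CBC under the shared key,
// a constant IV and no authentication tag.
func weakEncrypt(plaintext []byte) []byte {
	block, _ := aes.NewCipher(hardcodedKey) // 16-byte key, cannot fail
	pt := pkcs7Pad(plaintext)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, fixedIV).CryptBlocks(ct, pt)
	return ct
}

func weakDecrypt(ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("length is not a block multiple")
	}
	block, _ := aes.NewCipher(hardcodedKey)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, fixedIV).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// FixedIVLeaksRepetition: with a constant IV the same command always becomes
// the same bytes, so anyone watching the wire can recognise repeated commands
// without knowing the key. Returns true for the weak scheme.
func FixedIVLeaksRepetition() bool {
	return bytes.Equal(weakEncrypt(sampleCommand), weakEncrypt(sampleCommand))
}

// WeakSchemeTamper flips one bit in the first ciphertext block and reports
// whether the receiver rejected the message and whether the content changed.
// CBC without a MAC decrypts cleanly to altered content: (false, true).
func WeakSchemeTamper() (rejected, altered bool) {
	ct := weakEncrypt(sampleCommand)
	ct[0] ^= 0x01
	pt, err := weakDecrypt(ct)
	if err != nil {
		return true, false
	}
	return false, !bytes.Equal(pt, sampleCommand)
}

// sealedEncrypt/sealedOpen: AES-GCM with a fresh random nonce per message and
// a tag covering ciphertext plus header, so any change is rejected before the
// plaintext is acted on. Output layout: nonce || ciphertext || tag.
func sealedEncrypt(key, plaintext, header []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, header), nil
}

func sealedOpen(key, msg, header []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], header)
}

// HardenedSchemeDetectsTamper applies the same bit flip to a sealed message.
// The per-device key is generated here and never sent in the clear. Returns true.
func HardenedSchemeDetectsTamper() bool {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	header := []byte("src=ACM-07;dst=ISTAR-1") // constructed header bound into the tag
	msg, err := sealedEncrypt(key, sampleCommand, header)
	if err != nil {
		panic(err)
	}
	msg[12] ^= 0x01 // first ciphertext byte after the 12-byte nonce
	_, err = sealedOpen(key, msg, header)
	return err != nil
}

// HardenedNoRepetition: a fresh nonce makes identical commands unrecognisable. Returns true.
func HardenedNoRepetition() bool {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	a, _ := sealedEncrypt(key, sampleCommand, nil)
	b, _ := sealedEncrypt(key, sampleCommand, nil)
	return !bytes.Equal(a, b)
}

func main() {
	rejected, altered := WeakSchemeTamper()
	fmt.Println("fixed IV repeats ciphertext:", FixedIVLeaksRepetition())
	fmt.Println("weak scheme rejected tamper:", rejected, "content altered:", altered)
	fmt.Println("hardened scheme rejected tamper:", HardenedSchemeDetectsTamper())
	fmt.Println("hardened scheme repeats ciphertext:", !HardenedNoRepetition())
}
```

The weak half shows why a passive observer gains from the fixed IV (repeated commands are visible as repeated bytes) and why the absent authentication matters (a modified message is accepted and acted on). The hardened half is what a defender should expect from a replacement: a per-device key that is provisioned rather than transmitted, a nonce that changes per message, and a tag check that fails closed.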

This key unlocked the kingdom, so to speak. It enabled him to impersonate Software House devices on the network, doing anything that they could. This included the power to unlock doors, or stop others from unlocking them.

To engineer such an attack, all an intruder would need is access to the same IP network used by the Software House devices. If a company hasn’t carefully segmented and locked down its network and lets these devices communicate over a general office network, and if the attacker can gain access to that, then it presents a potential intrusion point.