DarkReading pointed out research by independent security researcher Shawn Merdinger into vulnerabilities within embedded door access control systems. The researcher investigated the inner workings of electronic door access control (EDAC) systems. Mr. Merdinger disclosed some of his findings at the 2010 CarolinaCon conference.
The DarkReading article "Attacking Electronic Door Access Control Systems" reports that the researcher found several flaws in the S2 Security NetBox. According to the firm's website, more than 9,000 customers in 50 countries worldwide use S2 Security Corporation's integrated security management platforms. Among the flaws in the system, he found an unauthenticated factory reset and unauthorized access to backup data. The author says the first issue is obviously a pretty serious one that could lead to a potential denial of service, but it's the last one that turns heads.
According to the CarolinaCon presentation, the backup files are stored in a location with predictable file names and can be accessed without authentication. Inside a software dump of the electronic door access control system, an attacker can find goodies like the configuration and, handier still, the administrator's password hash. From there, the attacker can do pretty much anything he or she wants, including unlocking doors at will.
The article further states that Mr. Merdinger found that the door access control database also holds the user names, passwords, and IP addresses for the network cameras and digital video recorders (DVRs). With these, the attacker can watch the facility, learn traffic patterns, and plan a physical penetration of the facility. The stolen credentials also allow the attacker to turn off cameras and/or recordings during an assault on the facility. To make matters worse, Mr. Merdinger points out that marketing folks for these products will actually state that it's safe to put these management systems on the Internet. And apparently people do, because in the presentation he uses a Shodan search to show production systems that are online.
DarkReading acknowledges that the presentation doesn't stop at showing the scary stuff. It takes the next step that most audiences are dying to see but don't always get: how to fix these things, as both the vendor and the customer. The blog recommends the video, the detailed paper, and his updated presentation from Hack in the Box 2010 (in Dubai) on attacking electronic door access control systems.
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005.