{"id":2676,"date":"2012-10-25T19:19:58","date_gmt":"2012-10-25T23:19:58","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/?p=2676"},"modified":"2021-07-05T16:08:28","modified_gmt":"2021-07-05T20:08:28","slug":"attacking-electronic-door-access-control-systems2","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/attacking-electronic-door-access-control-systems2\/","title":{"rendered":"Attacking Electronic Door Access Control Systems"},"content":{"rendered":"

\"Attacking<\/a>DarkReading<\/a><\/em> pointed out research by independent security researcher, Shawn Merdinger<\/a>, into vulnerabilities within embedded door access control systems. The researcher investigated the inner workings of electronic door access controls (EDAC). Mr. Merdinger disclosed some of his findings at the 2010 CarolinaCon conference<\/a>.<\/p>\n

\"S2<\/a>The DarkReading<\/em> article Attacking Electronic Door Access Control Systems reports that the researcher found several flaws in the S2 Security NetBox<\/a>. According to the firm’s website, more than 9,000 customers in 50 countries worldwide use S2 Security Corporation\u2019s integrated security management platforms. Among the flaws in the system, he found an unauthenticated factory reset and unauthorized access to backup data. The author says the first issue is obviously a pretty serious one that could lead to a potential denial of service, but it\u2019s the last one that turns heads.<\/p>\n

According to the CarolinaCon presentation<\/a>, the backup files are stored in a location with predictable file names that do not need authentication to access. Inside a software dump of the electronic door access control system, an attacker can find goodies like the configuration and something that might come in handy like the administrator\u2019s password hash. From there, the attacker can do pretty much anything he or she wants, including unlocking doors at will.<\/p>\n

\"door<\/a>The article further states that Mr. Merdinger found that the door access control database also has the user names, passwords, and IP addresses for the network cameras and digital video recorders (DVRs). Now the attacker can watch the facility, learn traffic patterns, and plan for a physical penetration of the facility. The stolen credentials will allow the attacker to turn off cameras and\/or recordings during their assault on the facility. To make matters worse, Mr. Merdinger points out that marketing folks for these products will actually state that it\u2019s safe to put these management systems on the Internet. And apparently, people do, because in the presentation he demonstrates production systems that are online with a Shodan<\/a> search.<\/p>\n

DarkReading<\/em> acknowledges that the presentation doesn\u2019t stop at showing the scary stuff. It takes the next step that most audiences are dying to see, but don\u2019t always get, and that\u2019s how to fix these things as both the vendor and the customer. The blog recommends the video, the detailed paper, and his updated presentation<\/a> from Hack in the Box 2010<\/a> (in Dubai<\/a>) on attacking electronic door access control systems.<\/p>\n

Related articles<\/h6>\n