Digital key flaw unlocks door control systems – Naked Security


Attackers could unlock doors in office buildings, factories and other corporate buildings at will, thanks to a flaw in a popular gate controller discovered by a Google security researcher.

David Tomaschik, who works as a senior security engineer and chief technology officer at Google, discovered the flaw in devices made by Software House, a Johnson Controls company. Forbes reports that he carried out his investigation on Google's own door control system.

Tomaschik, who described his project in a talk in August at the IoT Village at DEF CON, examined two devices. The first was the iStar Ultra, a Linux-based gate controller that supports both wired and wireless locks. The second was the IP-ACM Ethernet Gate Module, a gate controller that communicates with the iStar.

When a user presents an RFID credential, the door controller sends the information to the iStar device, which verifies whether the user is authorized. It then returns an instruction to the door controller, telling it to unlock the door or deny access.

The Software House website still promotes the original version of its IP-ACM as a "highly secure option for managing its security". But judging from Tomaschik's research, that claim is a bit of a stretch.

The devices used encryption to protect their network communication. However, when investigating the network traffic, Tomaschik discovered that Software House had apparently implemented its own encryption instead of relying on tried and tested solutions.

The devices sent encoded encryption keys over the network and used a fixed initialization vector, which is an input to the cryptographic function that creates the key. In addition, the devices did not include any message signing, which means that an impostor could easily send messages that purported to come from a legitimate device, and the recipient would have no way to tell.

This key opened the kingdom, so to speak. It allowed him to impersonate Software House devices on the network and do everything they could do. This included the power to unlock doors, or to prevent other people from unlocking them.

To mount such an attack, all an intruder would need is access to the same IP network used by the Software House devices. If a company has not segmented and carefully locked down its network and allows these devices to communicate over a general office network, and if the attacker can access that network, then it presents a possible point of intrusion.