HID Access Controller Hacker Vulnerability

Seems like you still need to get over the hurdle of getting on the same network as the controllers. Granted, that may not be impossible, but it makes this significantly harder to execute than the hotel lock exploit for example.

A member emailed me another, more detailed account of the flaw:

Remotely unlock doors exploiting a flaw in HID Door Controllers

The highlights:

  1. The exploit mimics HID's 'discoveryd' traffic running on port 4070 (UDP).
  2. Use HID's autodiscovery command to have all HID devices attached to that segment self-identify
  3. Potentially use that information to force the onboard LED to blink on demand, revealing 'a lack of any sanitization on the user-supplied input that is fed to the system() call.'
  4. From there, the articles make statements like "To make matters worse, the discovery service runs as root, so whatever command we send it will also be run as root, effectively giving us complete control over the device", but there is no account of this actually being done.

Not to say this isn't a big problem, just the salacious headlines so far really mean hackers have made the unit blink on command, not open doors remotely.

The article above suggest a firmware fix has been released, or is in the process of being released by HID. I'll investigate that and report back.