Google Found Software House Vulnerability Allows Inside Attacker To Open Doors

By IPVM Team, Published Sep 04, 2018, 08:47am EDT

A vulnerability in Software House IP-ACM modules allows an attacker to potentially unlock doors, or perform other actions, on affected systems. Many affected systems are unable to fixed with a software patch, requiring hardware replacement instead.

IPVM spoke with Software House executives to get more details on this exploit, in this report we provide an assessment of the risk in vulnerable systems, and what Software House recommends for affected users.

[Note: this post was first published in January 2018 but was updated in September 2018 when it was disclosed that a Google employee discovered the vulnerability, making it mainstream news.]

Vulnerability ******** - *** *********** *********

****** *** *** ****** *** vulnerability ** ** *** iStar ***** ******, ******** House ****** **** ****** itself ** *** ***** the ************* ****. *******, the **-*** ******** **** ****** ** *** ****** ********* affected. 

***** ** *** *** network ********** ******* *** IP-ACM **** ****** *** the ***** ***** ******* controller ** *******, ** attacker *** ***** ****** to *** ******* ******* the ******* ***** ******* packets ******* ** * specific ******* (**** ** a **** **** *******), and **** ***** ****** those ******* ** *** network ** ***** *** door ** **** ** will. 

*** *** ******* **** organizations ***** ***** ******* should ****** **** *** network **** *** **-*** to ***** ***** ************** is *** ********** ** potential *********. *** *******, unused ***** ** ******** handling **** ******* ****** be ********, *** **** security ******** **** ** MAC ******* ******* ****** be *****.

*** ********* ******* ***** how * ******* ******* using ** ***** ***** and **-*** **** ******* would ** ***********:

Replay ****** ******

** * ****** ******, an ******** ******** ******* with * ******* ******** for ******* ********** (*.*.: *********), *** **** ******* those **** ******* ** the *******, **** *** result ***** ******* ********* duplicate **** ** ********, and ****** ** **** as ** **** **** sent ** *** ******** source. ****** ******* *** occur **** **** ************** are *********, ******* *** attacker **** *** **** to **** *** ******** data ********* ** *** packets, **** *** ******** outcome ** *** ****** receiving **** (*.*.: * series ** ******* **** says "**** **** ****", or "***** **** ****'* password").

****** ******* *** ** prevented ** ***** *** only ******* **********, *** also * ****** *** or ******* ** *** each ******* ********. *********, if ** ******** ******* a ******** **** ** ID/key **** *** ******* been ****, *** ******** will **** ** ****** it. *******, ***** **** reduces *** ******* ** use ****** *******, ** often ******** **** ********* and ***** ************ ********* (such ** ***** ******* a **** ********** *** an ****** ******* ******) more *******. 

Current **-**** *** ***********

****** **** ************* ******** software ************ **** *** IP-ACM ** ****** *******, due ** **** ** memory *** ********** *********. JCI ** ** *** process ** ********* ** IP-ACM ** ****** **** increased ********* ** *********** patched ********. ********* **** need ** **** *** V1 **-*** ***** *** V2 ***** ** **** want ** ****** **** vulnerability. *** ****** ********* wishing ** ****** *** their *********** ****** ******* their ********** *** ******** House ******* ********* *** additional ******* *** ***********.

Low **** / ******** **********

************ ********** **** ************* requires ****** ** *** Ethernet ******* ******* *** IP-ACM *** ***** ***** to ******* ******* ** be ******** *****. **** would ********* ******* ****** access ** * ********** port ** *** ******, an **-**** ***, ** other ****** **** ******** more **** **** * PC ** *** **** network, *** ***** ** fundamentally ********** ** ******* remotely *** * *** or ****-********** *****. **** reduces *** ******* ** exploit *******, *** ****** it ** **** ** an ******* ******. 

******* *** ****** ****** on ****** ** ******* packets **** *** *******, the ******* **** ** exploit ** ***. ***** this **** *** **** that ******** ******* ****** be *******, ** **** reduce *** ****** ******* and **** ** ********* attackers ************ ****** **** customers ****** *** ****** their ***** **** ***** being ******** ******** ** hackers. 

Comments (8)

Undisclosed Integrator #1

01/17/18 02:47pm

most IP-based POE controllers utilize 128 or 256 bit encryption between IP door controllers and the host software/master controller.  Is this article saying that Software House does not have 128/256 bit encryption built into their communication protocol? The controller to master communication is most likely a proprietary protocol (which makes it somewhat less prone to a hack agreed), but to not have even an optional setting where an encryption key can be set in the IP door controllers is not so good.

How is this supposed to meet specifications like the NIST spec for access control devices used on government facilities?

Agree
Disagree: 2
Informative
Unhelpful
Funny
Avatar

Brian Karas

IPVM | In reply to Undisclosed Integrator #1 | 01/17/18 02:59pm

Yes, the connection between the devices is encrypted.

Encrypted communications do not prevent replay attacks, they just prevent the attacker from knowing the specific protocol. You need to do additional things like adding session ID's to the commands to prevent replay attacks. I tried to cover this in the "Replay Attack Basics" section, without getting too deep into the details.

Think of it like this, I can teach you to ask "Where is the bathroom" in Japanese. You would not understand the specific words (analogous to a simple form of encryption), but you would know that making the "sounds" of asking "Where is the bathroom" to a Japanese person would cause them to point you to the bathroom. You do not fully understand the protocol (language), but you can repeat phrases to get a desired outcome. 

Expanding on the above example, if you wanted to prevent someone from using a "replay" of words like this, you would add additional information to the phrase, like "Where is the bathroom. This is request #1". The person you asked would then determine if somebody else had already made request #1, and if so they would refuse to answer your query, knowing that it was most likely a fake or duplicate. Adding the unique session ID prevents you from making an unauthorized request and getting a response.

 

Agree: 2
Disagree
Informative: 13
Unhelpful
Funny
Avatar

Michael Gonzalez

Integrated Security Technologies, Inc.
In reply to Brian Karas | 01/17/18 07:51pm

Alternatively, you can also wait for the 2nd or 3rd generation of a new product before jumping on the upgrade bandwagon. That's generally how I sidestep these inevitable new problems. Glad I made that choice now... 

Agree: 6
Disagree
Informative
Unhelpful
Funny

Undisclosed End User #4

In reply to Michael Gonzalez | 09/04/18 10:54pm

This illustrates a big frustration.  Integrators and End Users are often underpaid beta testers, we pay them (manufacturers) for the privilege of being such...

Agree: 5
Disagree
Informative
Unhelpful
Funny: 1

Randy Lines

01/18/18 05:28pm

Time to reset my assumptions and up my crypto game! I have assumed their would be a session ID or time stamp to their encrypted packets. One thing that remains the same is that it is the implementation of encryption not the math where the bulk of vulnerabilities live. 

Great article!

 

Agree: 3
Disagree
Informative
Unhelpful
Funny

Undisclosed #2

09/03/18 07:44pm

This made Forbes:  https://www.forbes.com/sites/thomasbrewster/2018/09/03/googles-doors-hacked-wide-open-by-own-employee

but the story doesn't mention that some devices have to be replaced.

 

 

Agree
Disagree
Informative: 2
Unhelpful
Funny

Undisclosed #3

In reply to Undisclosed #2 | 09/04/18 12:26am

From the Forbes story:

"Tomaschik said Software House had come up with solutions to fix the problem, though to switch to TLS, it’d require a change of hardware at the customer site. That’s because the Software House systems didn’t have enough memory to cope with the installation of new firmware, Tomaschik said."

Agree
Disagree
Informative: 1
Unhelpful
Funny

Undisclosed #2

In reply to Undisclosed #3 | 09/04/18 12:42am

Oops

Agree
Disagree
Informative
Unhelpful
Funny: 1
Read this IPVM report for free.

This article is part of IPVM's 6,958 reports, 927 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports