Google Found Software House Vulnerability Allows Inside Attacker To Open Doors

By IPVM Team, Published on Sep 04, 2018

A vulnerability in Software House IP-ACM modules allows an attacker to potentially unlock doors, or perform other actions, on affected systems. Many affected systems cannot be fixed with a software patch and require hardware replacement instead.

IPVM spoke with Software House executives to get more details on this exploit. In this report we provide an assessment of the risk in vulnerable systems and what Software House recommends for affected users.

[Note: this post was first published in January 2018 but was updated in September 2018 when it was disclosed that a Google employee discovered the vulnerability, making it mainstream news.]

Vulnerability ******** - *** *********** *********

****** *** *** ****** *** vulnerability ** ** *** iStar ***** ******, ******** House ****** **** ****** itself ** *** ***** the ************* ****. *******, the **-*** ******** **** ****** ** *** ****** ********* affected. 

***** ** *** *** network ********** ******* *** IP-ACM **** ****** *** the ***** ***** ******* controller ** *******, ** attacker *** ***** ****** to *** ******* ******* the ******* ***** ******* packets ******* ** * specific ******* (**** ** a **** **** *******), and **** ***** ****** those ******* ** *** network ** ***** *** door ** **** ** will. 

*** *** ******* **** organizations ***** ***** ******* should ****** **** *** network **** *** **-*** to ***** ***** ************** is *** ********** ** potential *********. *** *******, unused ***** ** ******** handling **** ******* ****** be ********, *** **** security ******** **** ** MAC ******* ******* ****** be *****.

*** ********* ******* ***** how * ******* ******* using ** ***** ***** and **-*** **** ******* would ** ***********:

Replay ****** ******

** * ****** ******, an ******** ******** ******* with * ******* ******** for ******* ********** (*.*.: *********), *** **** ******* those **** ******* ** the *******, **** *** result ***** ******* ********* duplicate **** ** ********, and ****** ** **** as ** **** **** sent ** *** ******** source. ****** ******* *** occur **** **** ************** are *********, ******* *** attacker **** *** **** to **** *** ******** data ********* ** *** packets, **** *** ******** outcome ** *** ****** receiving **** (*.*.: * series ** ******* **** says "**** **** ****", or "***** **** ****'* password").

****** ******* *** ** prevented ** ***** *** only ******* **********, *** also * ****** *** or ******* ** *** each ******* ********. *********, if ** ******** ******* a ******** **** ** ID/key **** *** ******* been ****, *** ******** will **** ** ****** it. *******, ***** **** reduces *** ******* ** use ****** *******, ** often ******** **** ********* and ***** ************ ********* (such ** ***** ******* a **** ********** *** an ****** ******* ******) more *******. 

Current **-**** *** ***********

****** **** ************* ******** software ************ **** *** IP-ACM ** ****** *******, due ** **** ** memory *** ********** *********. JCI ** ** *** process ** ********* ** IP-ACM ** ****** **** increased ********* ** *********** patched ********. ********* **** need ** **** *** V1 **-*** ***** *** V2 ***** ** **** want ** ****** **** vulnerability. *** ****** ********* wishing ** ****** *** their *********** ****** ******* their ********** *** ******** House ******* ********* *** additional ******* *** ***********.

Low **** / ******** **********

************ ********** **** ************* requires ****** ** *** Ethernet ******* ******* *** IP-ACM *** ***** ***** to ******* ******* ** be ******** *****. **** would ********* ******* ****** access ** * ********** port ** *** ******, an **-**** ***, ** other ****** **** ******** more **** **** * PC ** *** **** network, *** ***** ** fundamentally ********** ** ******* remotely *** * *** or ****-********** *****. **** reduces *** ******* ** exploit *******, *** ****** it ** **** ** an ******* ******. 

******* *** ****** ****** on ****** ** ******* packets **** *** *******, the ******* **** ** exploit ** ***. ***** this **** *** **** that ******** ******* ****** be *******, ** **** reduce *** ****** ******* and **** ** ********* attackers ************ ****** **** customers ****** *** ****** their ***** **** ***** being ******** ******** ** hackers. 

Comments (8)

most IP-based POE controllers utilize 128 or 256 bit encryption between IP door controllers and the host software/master controller. Is this article saying that Software House does not have 128/256 bit encryption built into their communication protocol? The controller to master communication is most likely a proprietary protocol (which makes it somewhat less prone to a hack agreed), but to not have even an optional setting where an encryption key can be set in the IP door controllers is not so good.

How is this supposed to meet specifications like the NIST spec for access control devices used on government facilities?

Yes, the connection between the devices is encrypted.

Encrypted communications do not prevent replay attacks, they just prevent the attacker from knowing the specific protocol. You need to do additional things like adding session IDs to the commands to prevent replay attacks. I tried to cover this in the "Replay Attack Basics" section, without getting too deep into the details.

Think of it like this, I can teach you to ask "Where is the bathroom" in Japanese. You would not understand the specific words (analogous to a simple form of encryption), but you would know that making the "sounds" of asking "Where is the bathroom" to a Japanese person would cause them to point you to the bathroom. You do not fully understand the protocol (language), but you can repeat phrases to get a desired outcome. 

Expanding on the above example, if you wanted to prevent someone from using a "replay" of words like this, you would add additional information to the phrase, like "Where is the bathroom. This is request #1". The person you asked would then determine if somebody else had already made request #1, and if so they would refuse to answer your query, knowing that it was most likely a fake or duplicate. Adding the unique session ID prevents you from making an unauthorized request and getting a response.
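The session ID defence this comment describes, worked through as an added example that is not part of the original article or its comments and does not model Software House's actual protocol. It uses a toy encrypt-then-MAC construction (an HMAC-SHA256 keystream plus an HMAC tag, constructed here for illustration only so the script runs on the Python standard library); the shared key, the command string and both controller classes are assumptions. It shows that a captured, correctly encrypted and authenticated "unlock" packet is accepted again by a stateless controller, while a controller that requires a strictly increasing sequence number inside the authenticated payload rejects it.

```python
"""Toy model of an IP door controller receiving encrypted 'unlock' commands.

Constructed illustration of why encryption alone does not stop replay and
why a per-command sequence number (a 'session ID') does. Not Software
House's protocol; the cipher below is a demo construction, not for real use.
"""
import hashlib
import hmac
import os
import struct

# Shared secret between host and controller (constructed demo value).
KEY = b"constructed-32-byte-demo-key-0000"
NONCE_LEN = 12
TAG_LEN = 32
UNLOCK_CMD = b"UNLOCK DOOR 1"  # assumed command string


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 run in counter mode (illustrative only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, packet: bytes):
    """Verify the tag and decrypt; returns None if the packet was forged or altered."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class NaiveController:
    """Checks the MAC and decrypts, but keeps no state between commands."""

    def __init__(self, key: bytes):
        self.key = key
        self.unlocks = 0

    def receive(self, packet: bytes) -> bool:
        if unseal(self.key, packet) == UNLOCK_CMD:
            self.unlocks += 1  # any valid packet unlocks, even a re-sent copy
            return True
        return False


class SequencedController:
    """Requires a strictly increasing 4-byte sequence number inside the payload."""

    def __init__(self, key: bytes):
        self.key = key
        self.unlocks = 0
        self.last_seq = -1

    def receive(self, packet: bytes) -> bool:
        msg = unseal(self.key, packet)
        if msg is None or len(msg) < 4:
            return False
        seq = struct.unpack(">I", msg[:4])[0]
        if seq <= self.last_seq:
            return False  # already seen (or older): treat as a replay
        self.last_seq = seq
        if msg[4:] == UNLOCK_CMD:
            self.unlocks += 1
            return True
        return False


def host_send_naive() -> bytes:
    """Host-side packet with a fresh nonce but no replay-detectable content."""
    return seal(KEY, os.urandom(NONCE_LEN), UNLOCK_CMD)


def host_send_sequenced(seq: int) -> bytes:
    """Host-side packet carrying the sequence number inside the authenticated payload."""
    return seal(KEY, os.urandom(NONCE_LEN), struct.pack(">I", seq) + UNLOCK_CMD)


def demo() -> dict:
    naive, sequenced = NaiveController(KEY), SequencedController(KEY)
    pkt = host_send_naive()
    naive_first = naive.receive(pkt)    # legitimate command
    naive_replay = naive.receive(pkt)   # same bytes re-sent: still accepted
    spkt = host_send_sequenced(1)
    seq_first = sequenced.receive(spkt)
    seq_replay = sequenced.receive(spkt)  # same bytes re-sent: rejected
    seq_next = sequenced.receive(host_send_sequenced(2))  # fresh command still works
    tampered = pkt[:NONCE_LEN] + bytes([pkt[NONCE_LEN] ^ 1]) + pkt[NONCE_LEN + 1:]
    return {
        "naive_first": naive_first, "naive_replay": naive_replay,
        "naive_unlocks": naive.unlocks,
        "seq_first": seq_first, "seq_replay": seq_replay, "seq_next": seq_next,
        "seq_unlocks": sequenced.unlocks,
        "tampered_accepted": naive.receive(tampered),  # MAC fails: rejected
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The sequence number sits inside the encrypted and authenticated payload, so an attacker who captures a packet cannot bump it without the key, and the controller's only extra state is the last value it accepted. A timestamp with an acceptance window, as another commenter mentions, works the same way and additionally bounds how long a captured packet stays valid.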

Alternatively, you can also wait for the 2nd or 3rd generation of a new product before jumping on the upgrade bandwagon. That's generally how I sidestep these inevitable new problems. Glad I made that choice now... 

This illustrates a big frustration. Integrators and End Users are often underpaid beta testers; we pay them (manufacturers) for the privilege of being such...

Time to reset my assumptions and up my crypto game! I had assumed there would be a session ID or time stamp in their encrypted packets. One thing that remains the same is that it is the implementation of encryption, not the math, where the bulk of vulnerabilities live.

Great article!

This made Forbes: https://www.forbes.com/sites/thomasbrewster/2018/09/03/googles-doors-hacked-wide-open-by-own-employee

but the story doesn't mention that some devices have to be replaced.

From the Forbes story:

"Tomaschik said Software House had come up with solutions to fix the problem, though to switch to TLS, it’d require a change of hardware at the customer site. That’s because the Software House systems didn’t have enough memory to cope with the installation of new firmware, Tomaschik said."
