Google Found Software House Vulnerability Allows Inside Attacker To Open Doors

By: IPVM Team, Published on Sep 04, 2018

A vulnerability in Software House IP-ACM modules allows an attacker to potentially unlock doors, or perform other actions, on affected systems. Many affected systems are unable to fixed with a software patch, requiring hardware replacement instead.

IPVM spoke with Software House executives to get more details on this exploit, in this report we provide an assessment of the risk in vulnerable systems, and what Software House recommends for affected users.

[Note: this post was first published in January 2018 but was updated in September 2018 when it was disclosed that a Google employee discovered the vulnerability, making it mainstream news.]

************** ** ******** ***** IP-ACM ************* ** ******** ** potentially ****** *****, ** perform ***** *******, ** affected *******. **** ******** systems *** ****** ** fixed **** * ******** patch, ********* ******** *********** instead.

**** ***** **** ******** House ********** ** *** more ******* ** **** exploit, ** **** ****** we ******* ** ********** of *** **** ** vulnerable *******, *** **** Software ***** ********** *** affected *****.

[****: **** **** *** first ********* ** ******* 2018 *** *** ******* in ********* **** **** it *** ********* **** a ****** ******** ********** the *************, ****** ** mainstream ****.]

[***************]

Vulnerability ******** - *** *********** *********

****** *** *** ****** *** vulnerability ** ** *** iStar ***** ******, ******** House ****** **** ****** itself ** *** ***** the ************* ****. *******, the **-*** ******** **** ****** ** *** ****** ********* affected. 

***** ** *** *** network ********** ******* *** IP-ACM **** ****** *** the ***** ***** ******* controller ** *******, ** attacker *** ***** ****** to *** ******* ******* the ******* ***** ******* packets ******* ** * specific ******* (**** ** a **** **** *******), and **** ***** ****** those ******* ** *** network ** ***** *** door ** **** ** will. 

*** *** ******* **** organizations ***** ***** ******* should ****** **** *** network **** *** **-*** to ***** ***** ************** is *** ********** ** potential *********. *** *******, unused ***** ** ******** handling **** ******* ****** be ********, *** **** security ******** **** ** MAC ******* ******* ****** be *****.

*** ********* ******* ***** how * ******* ******* using ** ***** ***** and **-*** **** ******* would ** ***********:

Replay ****** ******

** * ****** ******, an ******** ******** ******* with * ******* ******** for ******* ********** (*.*.: *********), *** **** ******* those **** ******* ** the *******, **** *** result ***** ******* ********* duplicate **** ** ********, and ****** ** **** as ** **** **** sent ** *** ******** source. ****** ******* *** occur **** **** ************** are *********, ******* *** attacker **** *** **** to **** *** ******** data ********* ** *** packets, **** *** ******** outcome ** *** ****** receiving **** (*.*.: * series ** ******* **** says "**** **** ****", or "***** **** ****'* password").

****** ******* *** ** prevented ** ***** *** only ******* **********, *** also * ****** *** or ******* ** *** each ******* ********. *********, if ** ******** ******* a ******** **** ** ID/key **** *** ******* been ****, *** ******** will **** ** ****** it. *******, ***** **** reduces *** ******* ** use ****** *******, ** often ******** **** ********* and ***** ************ ********* (such ** ***** ******* a **** ********** *** an ****** ******* ******) more *******. 

Current **-**** *** ***********

****** **** ************* ******** software ************ **** *** IP-ACM ** ****** *******, due ** **** ** memory *** ********** *********. JCI ** ** *** process ** ********* ** IP-ACM ** ****** **** increased ********* ** *********** patched ********. ********* **** need ** **** *** V1 **-*** ***** *** V2 ***** ** **** want ** ****** **** vulnerability. *** ****** ********* wishing ** ****** *** their *********** ****** ******* their ********** *** ******** House ******* ********* *** additional ******* *** ***********.

Low **** / ******** **********

************ ********** **** ************* requires ****** ** *** Ethernet ******* ******* *** IP-ACM *** ***** ***** to ******* ******* ** be ******** *****. **** would ********* ******* ****** access ** * ********** port ** *** ******, an **-**** ***, ** other ****** **** ******** more **** **** * PC ** *** **** network, *** ***** ** fundamentally ********** ** ******* remotely *** * *** or ****-********** *****. **** reduces *** ******* ** exploit *******, *** ****** it ** **** ** an ******* ******. 

******* *** ****** ****** on ****** ** ******* packets **** *** *******, the ******* **** ** exploit ** ***. ***** this **** *** **** that ******** ******* ****** be *******, ** **** reduce *** ****** ******* and **** ** ********* attackers ************ ****** **** customers ****** *** ****** their ***** **** ***** being ******** ******** ** hackers. 

Comments (8)

most IP-based POE controllers utilize 128 or 256 bit encryption between IP door controllers and the host software/master controller.  Is this article saying that Software House does not have 128/256 bit encryption built into their communication protocol? The controller to master communication is most likely a proprietary protocol (which makes it somewhat less prone to a hack agreed), but to not have even an optional setting where an encryption key can be set in the IP door controllers is not so good.

How is this supposed to meet specifications like the NIST spec for access control devices used on government facilities?

Yes, the connection between the devices is encrypted.

Encrypted communications do not prevent replay attacks, they just prevent the attacker from knowing the specific protocol. You need to do additional things like adding session ID's to the commands to prevent replay attacks. I tried to cover this in the "Replay Attack Basics" section, without getting too deep into the details.

Think of it like this, I can teach you to ask "Where is the bathroom" in Japanese. You would not understand the specific words (analogous to a simple form of encryption), but you would know that making the "sounds" of asking "Where is the bathroom" to a Japanese person would cause them to point you to the bathroom. You do not fully understand the protocol (language), but you can repeat phrases to get a desired outcome. 

Expanding on the above example, if you wanted to prevent someone from using a "replay" of words like this, you would add additional information to the phrase, like "Where is the bathroom. This is request #1". The person you asked would then determine if somebody else had already made request #1, and if so they would refuse to answer your query, knowing that it was most likely a fake or duplicate. Adding the unique session ID prevents you from making an unauthorized request and getting a response.

 

Alternatively, you can also wait for the 2nd or 3rd generation of a new product before jumping on the upgrade bandwagon. That's generally how I sidestep these inevitable new problems. Glad I made that choice now... 

This illustrates a big frustration.  Integrators and End Users are often underpaid beta testers, we pay them (manufacturers) for the privilege of being such...

Time to reset my assumptions and up my crypto game! I have assumed their would be a session ID or time stamp to their encrypted packets. One thing that remains the same is that it is the implementation of encryption not the math where the bulk of vulnerabilities live. 

Great article!

 

This made Forbes:  https://www.forbes.com/sites/thomasbrewster/2018/09/03/googles-doors-hacked-wide-open-by-own-employee

but the story doesn't mention that some devices have to be replaced.

 

 

From the Forbes story:

"Tomaschik said Software House had come up with solutions to fix the problem, though to switch to TLS, it’d require a change of hardware at the customer site. That’s because the Software House systems didn’t have enough memory to cope with the installation of new firmware, Tomaschik said."

Oops

Login to read this IPVM report.

Related Reports

Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see,...
Milestone Presents XProtect On AWS on May 04, 2020
Milestone presented its XProtect on AWS offering at the April 2020 IPVM New...
Uniview Deep Learning Camera Tested on Jul 14, 2020
Uniview's intrusion analytics have performed poorly in our shootouts. Now,...
Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
Video Analytics 101 on Mar 16, 2020
This guide teaches the fundamentals of video surveillance...
Breaking Into A Facility Using Canned Air Tested on Jan 28, 2020
Access control is supposed to make doors more secure, but a $5 can of...
Delayed Egress Access Control Tutorial on Feb 04, 2020
Delayed Egress marks one of the few times locking people into a building is...
China Surveillance Vulnerabilities Being Used To Attack China, Says China on Apr 07, 2020
While China video surveillance vulnerabilities have been much debated in the...
VSaaS 101 on Mar 25, 2020
Video Surveillance as a Service (VSaaS) is the common industry term for cloud...
Convergint Coronavirus Cuts on Mar 25, 2020
One of the world's largest security integrators, Convergint, has made a major...
Vintra Presents FulcrumAI on Jul 02, 2020
Vintra presented its FulcrumAI object recognition and mask detection offering...
Startup Videoloft Presents Cloud Storage on May 27, 2020
Videoloft presented offsite cloud storage at the May 2020 IPVM Startups...
Faked Coronavirus Fever Detection, Athena Used Hikvision; Responds - Selling NDAA Compliant Cameras, Pledging 50% Of Profits to Victims on Mar 24, 2020
US company, Athena Security, faked its coronavirus fever detection marketing,...
Defendry Presents AI Active Shooter Security System on Jul 14, 2020
Defendry presented its Active Shooter security system at the May 2020 IPVM...

Recent Reports

Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
"Grand Slam" For Pelco's PE Firm, A Risk For Motorola on Aug 07, 2020
The word "Pelco" and "grand slam" have not been said together for many years....
FLIR Stock Falls, Admits 'Decelerating' Demand For Temperature Screening on Aug 07, 2020
Is the boom going to bust for temperature screening? FLIR disappointed...
VSaaS Will Hurt Integrators on Aug 06, 2020
VSaaS will hurt integrators, there is no question about that. How much...
Dogs For Coronavirus Screening Examined on Aug 06, 2020
While thermal temperature screening is the surveillance industry's most...
ADT Slides Back, Disappointing Results, Poor Commercial Performance on Aug 06, 2020
While ADT had an incredible start to the week, driven by the Google...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all of the...
SIA Coaches Sellers on NDAA 889B Blacklist Workarounds on Aug 05, 2020
Last month SIA demanded that NDAA 899B "must be delayed". Now that they have...
ADI Returns To Growth, Back To 'Pre-COVID Levels' on Aug 05, 2020
While ADI was hit hard in April, with revenue declining 21%, the company's...
Exposing Fever Tablet Suppliers and 40+ Relabelers on Aug 05, 2020
IPVM has found 40+ USA and EU companies relabeling fever tablets designed,...
Indian Government Restricts PRC Manufacturers From Public Projects on Aug 04, 2020
In a move that mirrors the U.S. government’s ban on Dahua and Hikvision...
Directory of 201 "Fever" Camera Suppliers on Aug 04, 2020
This directory provides a list of "Fever" scanning thermal camera providers...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
Dahua Loses Australian Medical Device Approval on Aug 04, 2020
Dahua has cancelled its medical device registration after "discussions" with...
Google Invests in ADT, ADT Stock Soars on Aug 03, 2020
Google has announced a $450 million investment in the Florida-based security...