Security experts at Trend Micro have discovered a serious flaw in door controllers made by the access control manufacturer HID. The flaw could be exploited by attackers who send a single malicious UDP request to a door controller to unlock the door and/or deactivate the alarm, if the door has that feature enabled.
HID door controllers look like a black box mounted next to secured doors. Users swipe their card to open the door; once the door is unlocked, the LED turns green.
Some HID door controllers also offer the possibility to connect the devices to a local network in order to allow system administrators to manage them.
The expert Ricky “HeadlessZeke” Lawshae from Trend Micro discovered that the models of door controllers VertX and Edge are affected by a design flaw in their management protocol.
The experts discovered that HID door controllers run a special daemon dubbed discoveryd, which listens on UDP port 4070 for packets carrying instructions for the door controllers.
“HID’s two flagship lines of door controllers are their VertX and Edge platforms. In order for these controllers to be easily integrated into existing access control setups, they have a discoveryd service that responds to a particular UDP packet,” states Trend Micro.
“A remote management system can broadcast a “discover” probe to port 4070, and all the door controllers on the network will respond with information such as their mac address, device type, firmware version, and even a common name (like “North Exterior Door”).”
The expert also discovered another security issue in the same service: it implements a debugging function that allows a remote administrator to instruct an HID door controller to blink its LED a given number of times.
The admin can instruct a specific controller to blink by sending a “command_blink_on” command with the door’s ID. The researcher noticed that by appending a Linux command after the ID, wrapped in backticks, the device will execute it due to improper input sanitization.
In response to a blink command, the discoveryd service builds a path to /mnt/apps/bin/blink and calls system() to run the blink program, passing the number of blinks as an argument.
“A command injection vulnerability exists in this function due to a lack of any sanitization on the user-supplied input that is fed to the system() call. Instead of a number of times to blink the LED, if we send a Linux command wrapped in backticks, like `id`, it will get executed by the Linux shell on the device.”
Because the system() call runs with root privileges, an attacker can use it to make the door controller execute an arbitrary command with a single UDP packet.
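The root cause described above is a classic shell command injection: user-supplied text is spliced into a command line handed to system(). The following C example is added here for illustration and is not code from Trend Micro, HID or the discoveryd daemon. It assumes the daemon is written in C and that the helper lives at /mnt/apps/bin/blink as the article states; the function names (build_vulnerable_cmd, parse_blink_count, run_blink_safely, handle_blink_request) are hypothetical. It contrasts the vulnerable string-building pattern with a hardened handler that accepts only a small all-digit count and launches the helper through execv(), so no shell ever interprets the argument.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Path of the blink helper named in the article (assumed to be an executable). */
#define BLINK_BIN "/mnt/apps/bin/blink"

/* VULNERABLE pattern (for contrast only, never executed here): the raw count
 * from the UDP packet is concatenated into a shell command line. Anything the
 * shell treats specially in that string is interpreted by system(). */
int build_vulnerable_cmd(char *out, size_t outlen, const char *count)
{
    return snprintf(out, outlen, "%s %s", BLINK_BIN, count);
}

/* HARDENED validation: accept only a short, purely numeric blink count.
 * Returns the parsed count, or -1 when the input is rejected. Any byte that is
 * not an ASCII digit (backticks, semicolons, pipes, spaces, '$') fails here. */
int parse_blink_count(const char *arg)
{
    if (arg == NULL || *arg == '\0')
        return -1;
    size_t n = strlen(arg);
    if (n > 3)                       /* three digits is already far more than a LED needs */
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)arg[i]))
            return -1;
    }
    long v = strtol(arg, NULL, 10);
    if (v < 1 || v > 100)            /* sane operational range, chosen for this example */
        return -1;
    return (int)v;
}

/* HARDENED spawn: fork + execv with a fixed argv. The count travels as a single
 * argv element, so there is no shell and no re-parsing of its contents. */
int run_blink_safely(int count)
{
    char buf[8];
    snprintf(buf, sizeof buf, "%d", count);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { BLINK_BIN, buf, NULL };
        execv(BLINK_BIN, argv);
        _exit(127);                  /* exec failed; child must not fall through */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Handler for the argument of a command_blink_on request. With execute == 0 it
 * only validates (useful for tests and for logging rejected packets); otherwise
 * it runs the helper. Returns the accepted count, or -1 if the input was rejected. */
int handle_blink_request(const char *arg, int execute)
{
    int count = parse_blink_count(arg);
    if (count < 0) {
        fprintf(stderr, "discoveryd: rejected non-numeric blink argument\n");
        return -1;
    }
    if (execute && run_blink_safely(count) != 0)
        return -1;
    return count;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "3";   /* constructed default input */
    char cmd[256];
    build_vulnerable_cmd(cmd, sizeof cmd, arg);
    printf("vulnerable command line would be: %s\n", cmd);
    printf("hardened handler result: %d\n", handle_blink_request(arg, 0));
    return 0;
}
```

The allow-list check is deliberately stricter than "escape the dangerous characters": a blink count has no legitimate reason to contain anything but digits, so rejecting everything else is both simpler and easier to reason about than quoting. Pairing it with execv() removes the shell from the path entirely, which is the fix that survives even if the validator is later loosened.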
If you use HID door controllers, you need to urgently download and install the latest firmware versions.