Flaw in HID door controllers lets attackers unlock doors, deactivate alarms

Trend Micro researcher Ricky Lawshae has unearthed a critical vulnerability in HID’s VertX and Edge door controllers. Exploiting the flaw is easy, and could result in attackers gaining complete control of the device, meaning they could unlock doors and switch off alarms controlled through it.

HID’s access control systems are ubiquitous, and keep unwanted individuals out of many rooms and spaces in a huge number of office buildings, government complexes, hospitals, aeroports, etc.

These vulnerable devices are part of those systems: the controllers check the information sent by the card readers once an access card is swiped through them, and control all the functions of the door.

“In recent years, these door controllers have been given network interfaces so that they can be managed remotely. It is very handy for pushing out card database updates and schedules, but as with everything else on the network, there is a risk of remotely exploitable vulnerabilities,” Lawshae noted.

The command injection vulnerability he located affects discoveryd, an integrated service that lets existing access control setups quickly discover and integrate new controllers. This is done by the remote management system sending a special UDP packet.

But discoveryd can also change the blinking pattern of the status LED on the controller, and does so by sending a packet to the service. Unfortunately, a lack of any sanitization of the user-supplied input can be exploited to send a Linux command that will get executed by the Linux shell on the device. What’s more, discoveryd runs as root, meaning that any malicious code sent to it will be executed with root privileges.

“This means that with a few simple UDP packets and no authentication whatsoever, you can permanently unlock any door connected to the controller,” warns Lawshae.

“And you can do this in a way that makes it impossible for a remote management system to relock it. On top of that, because the discoveryd service responds to broadcast UDP packets, you can do this to every single door on the network at the same time!”

Fortunately, the flaw has already been fixed, and HID has pushed out a firmware fix. In addition to this, they also pushed out notices about the fix to development partners who sell these controllers and registered users of their developers site.

Hopefully customers will react implement the fix quickly once they realize how serious the issue is.