HID Door Controllers Can Be Hacked to Open Doors Without Allowing Them to Be Re-Locked


Security researchers at Trend Micro recently found a critical security flaw in HID door controllers that lets anyone send a malicious UDP request to a door, unlocking it and turning off the alarm. HID is a manufacturer of several products, of which the door controller is one. A door controller is a black box installed beside a secured door, where someone entering swipes his credit card so that an LED lamp shows a green light, an indication that the person can walk in through the automatically opening door.

The vulnerability was found in the popular Edge and VertX lines of HID Global's door controllers. HID Global is a huge manufacturer of access control devices, card readers and smart cards across the world. On receipt of the request packet, the HID door controller replies with its MAC address, firmware version, device type and further identifying information such as its human-readable name (the name the door controller was assigned). Csoonline.com posted this on April 1, 2016.

According to researcher Lawshae, however, the door controller also answers when it receives the command_blink_on command, which alters the controller's LED blinking pattern. On receipt of this command, the service executes the blink pattern by calling the system function.

Lawshae further found that both devices ran an unusual daemon known as discoveryd, which responded with the device's details when it received UDP packets on port 4070. The details were the device's alarm state and lock state, its MAC address, type, firmware version and a generic name. Apart from reporting these details, the service also had a debugging function that let an admin remotely instruct the device to start blinking its LED.

Moreover, it was possible to unlock the door in such a way that no remote system could lock it again, Lawshae stated. He added that all doors on a network could be unlocked simultaneously by sending UDP packets. If the operation were automated, the doors would remain shut or open until the spam of UDP packets subsided.
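
For defenders, the behaviour described above suggests watching for traffic to the discoveryd port, UDP 4070, that comes from unexpected hosts or reaches many controllers at once. The following is an added example, not code from the article, HID or Trend Micro; the flow-log format, addresses, management allowlist and thresholds are constructed assumptions.

```python
import csv, io, ipaddress
from collections import defaultdict

DISCOVERY_PORT = 4070                      # discoveryd port named in the article
MGMT_HOSTS = {"10.20.0.5"}                 # assumed: hosts allowed to query controllers
CONTROLLER_NET = ipaddress.ip_network("10.20.30.0/24")  # assumed controller VLAN
FANOUT_LIMIT = 3                           # distinct controllers per source per window
WINDOW_SECONDS = 60

# Constructed sample flow records: epoch,src,dst,proto,dport
SAMPLE = """\
1000,10.20.0.5,10.20.30.11,udp,4070
1005,10.9.8.7,10.20.30.11,udp,4070
1006,10.9.8.7,10.20.30.12,udp,4070
1007,10.9.8.7,10.20.30.13,udp,4070
1010,10.9.8.7,10.20.30.255,udp,4070
1020,10.9.1.1,10.20.30.11,tcp,443
2000,10.9.2.2,10.20.30.14,udp,4070
"""

def analyze(text):
    """Return a sorted list of (source, reason) alerts for discoveryd traffic."""
    alerts = set()
    seen = defaultdict(list)               # src -> [(ts, dst)] inside controller net
    for ts, src, dst, proto, dport in csv.reader(io.StringIO(text)):
        if proto != "udp" or int(dport) != DISCOVERY_PORT:
            continue
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip not in CONTROLLER_NET:
            continue
        if src not in MGMT_HOSTS:
            alerts.add((src, "unauthorized-source"))
        if dst_ip == CONTROLLER_NET.broadcast_address:
            alerts.add((src, "broadcast"))  # one packet reaching every controller
            continue
        seen[src].append((int(ts), dst))
    for src, hits in seen.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # distinct controllers contacted within WINDOW_SECONDS of this record
            targets = {d for t, d in hits[i:] if t - start <= WINDOW_SECONDS}
            if len(targets) >= FANOUT_LIMIT:
                alerts.add((src, "fan-out"))
                break
    return sorted(alerts)

if __name__ == "__main__":
    for src, reason in analyze(SAMPLE):
        print(f"ALERT {reason}: {src} -> udp/{DISCOVERY_PORT}")
```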

» SPAMfighter News - 4/7/2016
