HID security card readers have a potentially disastrous vulnerability in their access control panels, according to Steve Povolny, senior manager for TippingPoint DVLabs at Trend Micro.
“Over time, more of these devices have been exposed to networks, and, specifically, this one is on the Internet now,” Povolny said. “This is a classic hard system for secured access that has a vulnerability on the electronic level.”
The HID readers’ EDGE and VertX controllers, part of a popular and fairly ubiquitous brand for securing doors in restricted areas of buildings, can be hacked remotely by malicious actors, enabling them to lock and unlock a building’s doors without ever setting foot on the premises.
“This is kind of your classic hacker movie scenario, where one person is sitting at the keyboard while the other waits at the door to get granted access. And this would be an attack that would leverage that capability and open the door remotely for someone who was trying to break in,” Povolny said. “A malicious attacker could actually use this to unlock or lock and then cover up their footprints for all of the affected devices or scanners on an entire network.”
TippingPoint’s Zero Day Initiative team discovered the vulnerability, and warns that the system could present a real security threat, as many are located in hospitals, airports, and even government offices. The HID brand of card reader has existed for years, but has recently set up a remote management system, which connects the readers to a building’s network. It is this network connectivity that presents the weakness.
“This is a classic Internet of Things (IoT) type of attack,” Povolny said. “In fact, the attack landscape has become much more than just a term lately. I know everyone is throwing that around, and there is good reason to panic.”
HID recently released a software patch for the vulnerability, stating, “HID Global developed a firmware update that protects end-user customers against the vulnerability. The company recommends that all EDGE and VertX controllers be updated to this latest firmware.” The statement also thanked TippingPoint’s Zero Day team for discovering the problem and assisting with finding a solution.
However, TippingPoint has yet to test the strength of the fixed system, and has released a patch of its own to cover customer vulnerabilities in the meantime.
“The attack space is exploding, and the security space is just not staying up to date, particularly the developers at these sorts of institutions,” Povolny said.
Though cybersecurity is often considered a danger to data and information on network-connected systems, this weakness poses both a digital and physical risk to sensitive buildings, such as Federal office buildings. Being able to unlock the doors could provide hackers with in-person access to physically secured data that was thought to be safe because it wasn’t on a network.