The Dangers of IP Based Physical Access Control Systems

Physical access monitoring and control systems have been around for quite some time, but things are changing. These systems and devices have been moving away from their CCTV roots and making their way onto IP networks. There are certainly benefits to networking this equipment: monitoring of these systems becomes easier, as does their administration. The primary motivator for moving to IP based systems, however, is the cost and ease of deployment. Most buildings, new and old, have Ethernet runs everywhere. With IP based access control systems you no longer need to run dedicated cables (most commonly RS485), which saves money in both time and materials and allows for easier modification in the future.

With added benefits comes added risk. Obviously, any device on the network adds to the network's attack surface, but I believe the largest danger presented by networked access control stems from the fact that, in most organizations, Facilities (i.e. Physical Security) and Information Security fall under two very different groups. Facilities is no longer deploying RS485 door controllers; they are deploying networked computers that control and monitor access to their building (and in turn their data), often with little to no input from the information security group within the organization. As most people are aware, an attacker with physical access to a location is almost guaranteed access to sensitive data. Physical Security is Information Security, and Information Security is Physical Security.

The recent public disclosure of a remote, unauthenticated command injection vulnerability in HID's two flagship door controller platforms (VertX and Edge) is a perfect example of this. This vulnerability, patched as of March 28, 2016, allows command execution as root on the system via the discoveryd service listening on UDP port 4070.

The disclosure of this vulnerability has ignited my research, and I'm sure many others', into physical access control and monitoring systems, and I'm sure we'll be seeing more disclosures in the not-too-distant future (plug: my next post will cover weaponizing the discoveryd vulnerability and other potential attack vectors against an Edge Evo EH400 door controller).

I think this leads us to two things. First, we as consultants and pentesters need to do a better job, on a client by client basis, of helping our clients understand these risks. Physical access control systems and devices should be included in the scope of pentests. While a door controller for your datacenter might not have direct network access to your CDE environment, it does control access to that environment, just like any ACL or firewall rule already in place.

Second, and more importantly, we need to stop thinking about network security (InfoSec) and physical security (Facilities) as two different things. This has been spoken about for a long time, and even demonstrated several times, but the evidence continues to grow while organizations stay stagnant. It's not just about protecting your badge from would-be cloners anymore. Now, with relative ease, a phishing email can quite literally open your doors to attackers.
