At HushCon Seattle 2017, I had the opportunity to publicly disclose CVE-2017-16241, a vulnerability in AMAG’s Edge Network (EN) series of door controllers. Exploitation of this vulnerability gives an attacker to ability to remotely unlock doors and implant access card values into the door controller’s internal database, effectively creating a physical access backdoor. Vulnerable devices include: AMAG’s EN-1DBC, EN-1DBC+, and EN-2DBC. All current firmware versions (as 12/10/2017) are vulnerable out of the box. Other AMAG devices may also be vulnerable but were not tested.
For some background: A door controller acts as the middle man between a Physical Access Control Software (PACS) server and an authentication mechanism (usually an RFID reader). The door controller is connected directly to the RFID reader and other associated door hardware (locking mechanism, alarms, push-to-exit, REX, etc) and is, in most modern cases, connected to the PACS server via the local IP network. In the past, door controllers were usually daisy-chained with one directly connected to PACS.
In normal operation, a new employee’s credentials are added into the PACS, then specific access is granted to those credentials (ie: You can go to the accounting area, but not the datacenter). The PACS then sends a message to all door controllers to which the new credential has access. The door controller stores that information locally.
Once the employee present their credentials to the RFID reader (or other auth mechanism), the reader blindly passes that information to the door controller. The door controller checks it’s local database and makes the go/no-go decision itself, without asking the PACS (usually. Other non-default options exist). Based on the door controller’s decision, it will tell the reader to change it’s LED color, and either trigger the locking mechanism to unlock, or keep it locked.
In the case of CVE-2017-16241, the vulnerable devices do not enforce authentication for some command messages received via TCP port 3001, which should normally only be accepted from the PACS. Authentication exists and appears to be enforced for some commands, but not for others. This lack of authentication means that an attacker can send command messages from an unauthenticated system with network connectivity to the door controller and the controller will execute the commands. Unauthenticated commands include:
- Unlock / Lock (Ud/Ld)
- Version Query (Vf)
- Card Add / Delete (Ca/Cd)
- Reader Enable / Disable (Re/Rd)
Other commands may also be vulnerable but were not tested.
Additionally, these messages are encoded but not encrypted and are static across all EN Series controllers with no per-device change in messaging. Therefore, all that is required for an attacker to craft an exploit is MitM access to one EN series controller and PACS pair. By viewing a packet capture of their interactions, the specific command messages can be rebuilt and sent to other EN controllers regardless of their associated PACS.
In my case, I purchased an EN-1DBC and the demo version of AMAG’s Symmetry Security Management Software (SMS), both on eBay. I was able to get everything set up and capture events from adding a card, sending the direct unlock command, and more. I recreated the command messages in python and tested them in the field during a red team engagement for a client. That exploit code (and code for other physical access control stuff) is available at https://github.com/lixmk/Concierge.
Currently, no patch is available for CVE-2017-16241 and no timeline for a patch is known. That said, there are some non-default options that can be enabled that should protect against this attack. I say “should” because this is based on claims from the vendor and I have no ability to test or confirm. The biggest option is to enable encryption between the door controller and physical access control software (PACS). Additionally, according to the vendor, the latest version of their PACS has be ability to compare access card counts on the door controllers and alarm if the count is higher or lower than expected.