Author: Mike

This post is mostly an expansion on my last post. I recently got my hands on a VertX EVO V2000 and a V1000, in addition to the Edge EVO EH400’s. I’ve only owned them for ~24 hours so I haven’t had tons of time to dig deep, but I have had a chance to test the previous exploit and make the necessary changes in order to achieve the same goal.

If you haven’t read the last post the tl;dr is: Leveraging the Discoveryd vulnerability disclosed by @HeadlessZeke, it is possible to modify the password for the EH400 door controller’s web service. With access to the web service, it is possible to lock and unlock doors attached to the door controller with ease. Read More …

Recently, a blog post on Trendmicro disclosed a remote, unauthenticated, command injection vulnerability for HID’s VertX and Edge door controller platforms. This vulnerability immediately sparked my interest and I went shopping. I was lucky enough to find a lot of 2 Edge Evo EH400’s on ebay for a fairly reasonable price. Having little doubt that I was going to break at least one of them, this seemed like the perfect purchase.

As soon as they arrived, I networked them up and got to exploring. I knew I needed an end goal lest I go down the never ending “what else can I do” rabbit hole. I decided my end goal was to leverage the command injection vulnerability to open the door, while noting any other potential attack vectors on the way.

Both controllers were set to static IP addresses so I had to reset the networking, which was fairly simple. Additionally, the same process also reset the password for http(s). With a little extra work, I probably could have avoided this step, but excitement got the best of me. Reseting the networking changed the device from Static to DHCP. Using the readily available HID Discovery GUI, I was able to identify their IP addresses with relative ease. We’ll talk more about the discovery GUI and it’s related service a bit later. Read More …

Physical access monitoring and control systems have been around for quiet some time, but things are changing. These systems and devices have been moving away from their CCTV roots and making their way onto IP networks. There are certainly benefits to networking this equipment. Monitoring of these systems becomes easier as does their administration. The primary motivator for moving to IP based systems, however, is the cost and ease of deployment. Most buildings, new and old, have ethernet runs everywhere. With IP based access control systems, you no longer need to run dedicated cables (most commonly RS485), saving money in both time and materials and and it allows for easier modification in the future.

With added benefits comes added risk. Obviously, any device on the network adds to the networks attack surface, but I believe the largest danger presented by networked access control stems from the fact that, in most organizations, Facilities (ie: Physical Security) and Information Security fall under two very different groups. Facilities is no longer deploying RS485 door controllers, they are deploying networked computers that control and monitor access to their building (in turn their data), often with little to no input from the information security group within the organization. As most people are aware, an attacker with physical access to a location is almost guaranteed access to sensitive data. Physical Security is Information Security, and Information Security is Physical Security. Read More …