A new root vulnerability allows hackers to easily open networked door controllers in airports, university campuses, hospitals, government facilities and other organisations.
According to Rickey Lawshae, researcher with Trend Micro's DVLabs division, HID Global's VertX and Edge controllers can be remotely managed by attackers over the network through a service called discoveryd, which listens for UDP probe packets on port 4070.
The door controller responds with its physical MAC address, device type, firmware version and other revealing information when the packet is received. Apparently, discoveryd also responds to a command called command_blink_on that can be used to change the blinking pattern of the controller's status LED.
The discoveryd service runs as root, so any command an attacker sends gives complete control over the device, including alarm and locking functions. “This means that with a few simple UDP packets and no authentication whatsoever, you can permanently unlock any door connected to the controller. And you can do this in a way that makes it impossible for a remote management system to relock it,” Lawshae said in his blog post.
A patch has been made available through HID's partner portal.
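Because discoveryd answers unauthenticated UDP packets on port 4070, flow logs can show which hosts are reaching the controllers while the patch is rolled out. The following is an added example, not code from HID or Trend Micro; the controller subnet, the approved management host and the log format are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

DISCOVERYD_PORT = 4070  # UDP port discoveryd listens on, per the article
# Assumed for this example: controller subnet and the one approved management host.
CONTROLLER_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_SOURCES = {ipaddress.ip_address("10.20.1.5")}

# Constructed flow records: "<time> <proto> <src>:<sport> <dst>:<dport> <bytes>"
SAMPLE_FLOWS = """\
2016-04-01T09:00:01Z udp 10.20.1.5:51000 10.20.30.11:4070 48
2016-04-01T09:02:17Z udp 10.20.44.9:40212 10.20.30.11:4070 52
2016-04-01T09:02:18Z udp 10.20.44.9:40213 10.20.30.12:4070 310
2016-04-01T09:03:00Z tcp 10.20.44.9:40300 10.20.30.11:443 900
2016-04-01T09:04:00Z udp 10.20.44.9:40400 10.20.99.1:4070 48
malformed line
"""


def parse_flow(line):
    """Return (proto, src_ip, dst_ip, dst_port), or None if the line is malformed."""
    fields = line.split()
    if len(fields) != 5:
        return None
    try:
        src = ipaddress.ip_address(fields[2].rsplit(":", 1)[0])
        dst_host, dst_port = fields[3].rsplit(":", 1)
        return fields[1].lower(), src, ipaddress.ip_address(dst_host), int(dst_port)
    except ValueError:
        return None


def unexpected_discoveryd_sources(log_text):
    """Map each non-allowlisted source to the controllers it reached on UDP/4070."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip lines that do not match the assumed format
        proto, src, dst, dport = flow
        if proto != "udp" or dport != DISCOVERYD_PORT:
            continue
        if dst in CONTROLLER_NET and src not in ALLOWED_SOURCES:
            hits[str(src)].add(str(dst))
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, ctrls in unexpected_discoveryd_sources(SAMPLE_FLOWS).items():
        print(f"ALERT {src} sent UDP/{DISCOVERYD_PORT} to {len(ctrls)} controller(s): {ctrls}")
```

A source that reaches several controllers on this port in quick succession is worth investigating first; the same allowlist can drive a firewall rule that drops UDP 4070 from everything except the management host.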