A vulnerability in a series of popular digital door-entry systems offered by Aiphone can enable hackers to breach the entry systems — simply by utilizing a mobile device and a near-field communication, or NFC, tag.
The devices in question (GT-DMB-N, GT-DMB-LVN, and GT-DB-VN) are used by high-profile customers, including the White House and the United Kingdom's Houses of Parliament.
The vulnerability was discovered by a researcher with the Norwegian security firm Promon, who also found there is no limit to the number of times an incorrect password can be entered on some Aiphone door-lock systems.
After finding the admin passcode, the malicious actor could then inject the serial number of a new NFC tag containing the admin passcode back into the system's log of approved tags.
"This would give the attacker both the code in plaintext that can then be punched into the keypad, but also an NFC tag that can be used to gain access to the building without the need to touch any buttons at all," a blog post reporting the vulnerability explained.
Because the Aiphone system does not keep logs of the attempts, there is no digital trace of the hack.
Promon first alerted Aiphone to the issue in June 2021. The company said systems built before Dec. 7 of that year cannot be fixed, but any systems built after that date include a feature limiting the number of passcode attempts that can be made.
The Promon report noted Aiphone alerted its customers to the existence of the vulnerability, which is tracked as CVE-2022-40903.
Despite the alarming top-line findings, Promon security researcher Cameron Lowell Palmer, who discovered the vulnerability, calls this kind of IoT security oversight "fairly typical." From an administrative standpoint, adding NFC was a win, but it exposed the system to this new attack vector, he explains.
"The system started off with some reasonable design choices, and with the addition of the NFC interface, the design became dangerous," he explains. "This product seems, to me, predicated upon the notion of physical security, and when NFC was added, they added a touchless high-speed data port on the exterior of the building, which violated the premise."
Nobody Thought of Brute Force NFC Access
Mike Parkin, senior technical engineer at Vulcan Cyber, says the lack of throttling or lockout features indicates that no one thought of an attacker trying to brute-force NFC access when the product was designed.
"Or, if they did, they believed the risk of an attacker doing it in the field was low enough to omit those security features," he adds.
He says the real questions are how many of these inherently vulnerable systems are deployed, and, just as important, what other products, from this or other vendors, use digital access without throttling or lockout timers to blunt a brute-force attack.
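An added example, not from the article, Promon's report or Aiphone: a passcode gate with the throttling, capped lockout and attempt logging that the article says the affected systems lacked, run against a simulated sequential sweep. The class, its constants, the 4-digit keyspace, the one-guess-per-second rate and the passcode used in testing are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


class PasscodeGate:
    """Hypothetical passcode check; every name and constant here is assumed."""
    MAX_FAILURES = 5       # wrong guesses allowed before lockout starts
    BASE_LOCKOUT_S = 30    # first lockout; doubles with each further failure
    MAX_LOCKOUT_S = 3600   # cap so a legitimate admin is not shut out forever

    def __init__(self, passcode, lockout=True):
        self.lockout = lockout
        self._salt = os.urandom(16)
        self._digest = self._hash(passcode)  # no plaintext copy is kept
        self.failures = 0
        self.locked_until = 0
        self.audit_log = []                  # (time, interface, outcome)

    def _hash(self, passcode):
        # Iteration count kept low so the demo runs quickly.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 2_000)

    def attempt(self, passcode, interface, now):
        if now < self.locked_until:
            outcome = "rejected-locked"      # guess is not even evaluated
        elif hmac.compare_digest(self._hash(passcode), self._digest):
            self.failures, outcome = 0, "accepted"
        else:
            self.failures += 1
            outcome = "rejected-wrong"
            over = self.failures - self.MAX_FAILURES
            if self.lockout and over >= 0:
                delay = min(self.BASE_LOCKOUT_S * 2 ** over, self.MAX_LOCKOUT_S)
                self.locked_until = now + delay
        self.audit_log.append((now, interface, outcome))  # failures are logged too
        return outcome == "accepted"


def sweep(gate, seconds_per_guess=1):
    """Feed 0000..9999 in order; return (code found or None, guesses evaluated)."""
    found = None
    for i in range(10_000):
        if gate.attempt(f"{i:04d}", "nfc", now=i * seconds_per_guess):
            found = f"{i:04d}"
            break
    evaluated = sum(1 for _, _, o in gate.audit_log if o != "rejected-locked")
    return found, evaluated
```

With a constructed passcode of 0417, `sweep(PasscodeGate("0417", lockout=False))` reaches the code after 418 guesses, while the default gate evaluates only 13 of the 10,000 guesses and records every one of them in `audit_log`. The lockout is global because an NFC sender has no identity to key on, which is why it is capped.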
Palmer adds that NFC and IoT are challenging technologies to secure, which makes him think that vendors that are not collaborating with others for security are walking down a dangerous path.
"Developers and companies try to make the very best product they can, which is already hard," he says. "It is especially easy to make security gaffes, because security is usually not their area of expertise, and in many cases it does not directly improve the user experience."
Roger Grimes, data-driven defense evangelist at KnowBe4, is harsher, and says the vulnerability suggests that Aiphone did not even do basic threat modeling.
"It makes me suspicious of their entire design, security-wise," he says. "This is not just a problem with this vendor. You can name nearly any vendor or product you like, and they are also not doing the appropriate threat modeling."
No Security by Design for IoT
Jason Hicks, field CISO and executive adviser at Coalfire, explains that in recent years there has been a push to integrate things like remote access, voice over IP (VoIP), and newer wireless technologies like NFC to physical security systems.
"This introduces new attack vectors that physical access designers are not used to having to consider how to secure," he says. "The same basic security best practices we apply to IT equipment need to be extended to these systems in a consistent manner."
For instance, "storing passwords in a plaintext file is something that should be avoided for obvious reasons," he says.
Hicks adds that there are many IoT devices whose compromise would not create much of a security issue — but access control systems are not one of them. A hack here could result in loss or physical harm.
Therefore, vendors need to train all developers on how to develop secure software and secure products.
"It's always seemed ironic to me that security vendors supplying me a [physical] security product don't train — or require — their developers in how to securely develop software and products," Grimes says. "How can you expect a developer with no training in secure development to naturally just figure it out?"
Palmer advises IoT companies to take even simple steps: Hire outside experts and have them test out the security of the devices regularly, for example.
For Organizations, It's Tough to Avoid IoT Dangers
Bud Broomhead, CEO at Viakoo, says IoT represents the fastest-growing attack surface, adding that there are many reasons for that, starting with the fact that users often overlook security implications.
"IoT devices are typically managed by the line of business and not IT, so there is both a lack of skills and knowledge about maintaining cyber hygiene," he says.
He adds that many IoT systems are budgeted as a capital expenditure but do not always have the operating budget assigned to them to maintain their security.
"They are very hard to patch manually, and often have out-of-date firmware when they are brand new, and they exist in the supply chain for long periods of time," he says.
They also use a lot of open source software containing vulnerabilities and lack software bills of material (SBOMs) to quickly determine if the device contains those vulnerabilities. Broomhead adds there are often multiple makes/models that perform similar functions, so when a vulnerability is present, it takes multiple manufacturers to provide patches.
"There needs to be auditable compliance requirements, and coordination between the silos within an organization so that IoT security is shared across multiple disciplines including IT, CISO office, and the lines of business," he says.
For organizations struggling to protect a rapidly expanding volume of IoT devices, he adds, IoT fingerprinting could help with security and management.