Vulnerabilities Allowed Researchers to Remotely Lock and Unlock Doors

Security researchers found several vulnerabilities that allowed them to take remote control of internet-connected devices that control door locks.
Screen Shot 2022-08-08 at 2
Image: Trellix
Screen Shot 2021-02-24 at 3
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.

If you have worked or still work in an office, you have probably swiped an access card in front of one of those black devices with a light that toggles from red to green, which lets you get into the building. Thanks to a series of vulnerabilities into one of the most popular access control panels in the world, hackers could get into the building too. 

Researchers at cybersecurity firm Trellix found eight vulnerabilities in the LNL-4420 panel, made by HID and distributed by Carrier, which allowed them to take full control of the device. This would have allowed them to remotely lock and unlock the doors controlled by the device, allowing them to steal valuable hardware or access sensitive computers inside whatever building that was protected by the access control system. 


“With that level of access, we could unlock the doors, bypass all sorts of monitoring and really control the device in like a god mode state,” Sam Quinn, a senior researcher at Trellix, told Motherboard in a phone call.

A similar attack has reportedly happened in the real world when a volunteer group of technologists and hackers known as the Ukraine IT Army hacked into the network of RuTube, Russia’s largest streaming service and YouTube competitor. The hackers claimed to not only have taken down RuTube’s site for three days, but also have hacked into the system that controlled access to the company’s server rooms, locking people inside. 

Quinn and Steve Povolny, the head of research at Trellix, presented their findings during a talk at the Black Hat security conference in Las Vegas on Thursday. 

The caveat in their research is that malicious hackers would need to get into the building’s network first, in order to target the access control systems. But that is hardly an impossible task, as hacks like that happen every day on the internet. 

“As soon as we're on the network, with this device, there would be nothing stopping us,” Quinn said in an interview ahead of the talk at Black Hat. 

Depending on what company or government organization the hackers are targeting, getting into its network gives them a lot already, but getting into the building may give them even more. 

Povolny and Quinn reported the eight vulnerabilities they found to Carrier, who worked with HID to patch them. Quinn said that Carrier acted swiftly and was very open to work with the researchers once it found out about the vulnerabilities. 

Carrier and HID did not respond to a request for comment. 

Other than the patches, which have now been applied to the HID access control systems, there are other ways companies and organizations that use these devices can do to protect themselves. First, they could put the access control system in a dedicated network, separate from the main one, which would make it harder for the hackers to get access to the devices and eventually hack them. The second thing would be to disable the network interface, which would have prevented all their attacks, according to Quinn.

Subscribe to our podcast, CYBER. Subscribe to our new Twitch channel.