
Google's Doors Hacked Wide Open by Own Employee - everdev
https://www.forbes.com/sites/thomasbrewster/2018/09/03/googles-doors-hacked-wide-open-by-own-employee/
======
CobrastanJorji
Many years ago at Georgia Tech, a student noticed that the network controlling
the magnetic ID card-controlled doors was trivially controllable. He scheduled
a talk about it at a local hacker conference, and what followed was the
company that installed the system, Blackboard Inc, filing cease and desists and
a lawsuit alleging violations of the DMCA, theft of trade secrets, violations
of the Espionage and Sedition Act, and presumably maritime piracy.

~~~
jpatokal
Coverage at the time: [https://www.geek.com/news/more-on-the-blackboard-hack-vs-dmc...](https://www.geek.com/news/more-on-the-blackboard-hack-vs-dmca-551061/)

~~~
Topgamer7
Wow that website shows full page ads while reading mid sentence. That's one
way for me to nope off their site and never return.

------
dzhiurgis
> Tomaschik also discovered he could do all this without any record of his
> actions.

> A Google spokesperson said there was no evidence the doors had been
> exploited by any malicious hackers.

Hmmm...

------
benguild
"Tomaschik also discovered he could do all this without any record of his
actions." ... "A Google spokesperson said there was no evidence the doors had
been exploited by any malicious hackers."

------
therealtbs
In my (tbh quite limited) experience, I have found that physical security
devices are some of the worst offenders when it comes to connecting to
anything more complex than a simple RFID-tag. I wonder why there are no (or
few?) companies that get their devices properly audited before release. I
personally would pay much more for devices that have an independent audit
published.

------
mirimir
As the article says, it's a much broader problem. Maybe the title ought to be
"Software House security devices compromised by Google employee".

~~~
puzzle
It's not clear if this was a scheduled vendor security review or if Tomaschik
just looked into it out of personal interest. Google has done a lot of the
former, for many years, even for physical security. The reports can be brutal.
Think of Tavis Ormandy and his AV research, perhaps crazier. I remember a
couple that were particularly bad and made me rethink everything I ever
assumed about "security" systems.

------
IshKebab
> Tomaschik also discovered he could do all this without any record of his
> actions.

... three lines later ...

> A Google spokesperson said there was no evidence the doors had been
> exploited by any malicious hackers.

Yeah no shit.

------
lysp
[https://news.ycombinator.com/item?id=17902753](https://news.ycombinator.com/item?id=17902753)

------
exikyut
IMO this is very bad to release as a news article.

> _...he could simply replay legitimate unlocking commands, which had much the
> same effect. ... And he could prevent legitimate Google employees from
> opening doors._

This is script-kiddie material. You don't even need the mental chops to
reverse the encryption being used, you can just quietly sniff the corporate
LAN and you're done.

> _Tomaschik also discovered he could do all this without any record of his
> actions._

The obvious interpretation of this is that, if there's any logging at all,
it's being done at a higher level. But I realized this might also mean that
the locks communicate via UDP broadcast packets, which explains why this
person was able to do this research _in situ_.

> _... problems likely remain for others using the vulnerable Software House
> tech. Tomaschik said Software House had come up with solutions to fix the
> problem, though to switch to TLS, it’d require a change of hardware at the
> customer site. That’s because the Software House systems didn’t have enough
> memory to cope with the installation of new firmware, Tomaschik said._

The reason I think this is bad to discuss is that infrastructure like this is
generally installed and expected to work for years. Obviously a bunch of sites
have quietly upgraded to the v2 boards that now do TLS (yay, capitalism...?),
but many many more won't. Indeed, as of the time the article was printed, even
Google hadn't yet!! See:

> _Meanwhile, Google has segmented its network in order to provide protection
> for the vulnerable systems still in its properties, the spokesperson added._

I expect they'll be upgraded soon enough, and that VLANing building infra was
something netops could just do immediately.

But what about all the sites that aren't told? They'll surely all be high-
value targets, if I presume that Google are going to use systems appropriate
for high-value enterprises.

I guess my (unanswerable?) question now is what kind of contract wording is
used to stipulate security updates and full disclosure to clients.
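
The replay problem described in the comment above, as an added example that is not part of the thread and is not Software House's protocol: a constructed toy door controller that accepts any well-formed unlock datagram (so a sniffed command can simply be resent), beside one that binds each command to a per-device key and a monotonic counter with an HMAC, so the same captured bytes are rejected on the second try and every rejection is recorded. The message format, door names and key are all made up for the demonstration. Encryption alone would not change the picture: without authentication and freshness, an encrypted command is just an opaque blob that still opens the door when replayed.

```python
"""Replayable vs. replay-resistant unlock commands (constructed example)."""
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length


class NaiveController:
    """Accepts any 'UNLOCK <door>' datagram it can parse. Anyone who can
    sniff the segment can capture one legitimate command and resend it."""

    def __init__(self):
        self.unlocked = []

    def handle(self, msg: bytes) -> bool:
        parts = msg.split(b" ", 1)
        if len(parts) == 2 and parts[0] == b"UNLOCK":
            self.unlocked.append(parts[1].decode())
            return True
        return False


class AuthController:
    """Each datagram is  counter(8 bytes, big-endian) || 'UNLOCK <door>' ||
    HMAC-SHA256(key, counter || command).  A replayed datagram carries an
    already-seen counter and is refused; a tampered one fails the MAC.
    Every refusal is appended to an audit list, because a controller that
    silently drops bad traffic is exactly the 'no record of his actions'
    situation the thread is complaining about."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_ctr = 0          # would need persistent storage on real hardware
        self.unlocked = []
        self.audit = []            # (reason, counter) for every rejected datagram

    def handle(self, msg: bytes) -> bool:
        if len(msg) < 8 + TAG_LEN:
            self.audit.append(("malformed", None))
            return False
        ctr = struct.unpack(">Q", msg[:8])[0]
        body, tag = msg[8:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, msg[:-TAG_LEN], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            self.audit.append(("bad_mac", ctr))
            return False
        if ctr <= self.last_ctr:                     # freshness check
            self.audit.append(("replay", ctr))
            return False
        parts = body.split(b" ", 1)
        if len(parts) != 2 or parts[0] != b"UNLOCK":
            self.audit.append(("malformed", ctr))
            return False
        self.last_ctr = ctr
        self.unlocked.append(parts[1].decode())
        return True


def build_authenticated(key: bytes, ctr: int, door: str) -> bytes:
    """What a legitimate access-control server would send (constructed)."""
    payload = struct.pack(">Q", ctr) + b"UNLOCK " + door.encode()
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def demo() -> dict:
    # Constructed per-device key; in practice provisioned per controller.
    key = b"\x11" * 32

    # 1. Unauthenticated protocol: the sniffed bytes open the door twice.
    naive = NaiveController()
    captured = b"UNLOCK lobby-east"      # constructed: what a sniffer sees
    naive.handle(captured)
    naive.handle(captured)               # replay succeeds

    # 2. Authenticated protocol: same replay is refused, tampering is refused,
    #    a fresh command from the real server still works.
    auth = AuthController(key)
    m1 = build_authenticated(key, 1, "lobby-east")
    auth.handle(m1)                      # legitimate
    auth.handle(m1)                      # replay -> rejected
    auth.handle(m1[:-TAG_LEN] + bytes(TAG_LEN))   # zeroed tag -> rejected
    auth.handle(build_authenticated(key, 2, "lobby-east"))  # fresh -> ok

    return {
        "naive_unlocks": len(naive.unlocked),
        "auth_unlocks": len(auth.unlocked),
        "audit": [reason for reason, _ in auth.audit],
    }


if __name__ == "__main__":
    print(demo())
```

The counter stops replay but not denial of service: an attacker on the segment can still drop or jam traffic, which is why the network segmentation Google is quoted as doing remains a sensible compensating control even after the protocol is fixed. On real hardware the counter also has to survive a controller reboot, or the first command after power-up becomes replayable again.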

~~~
heavenlyblue
> I guess my (unanswerable?) question now is what kind of contract wording is
> used to stipulate security updates and full disclosure to clients.

None. They generally install security systems to reduce their insurance
premiums.

~~~
exikyut
Ah. Of course.

~~~
heavenlyblue
I don't really see anything out-of-the-ordinary here.

The fact that security guys haven't yet managed to organise themselves into a
consultancy to be used by insurance companies as security advisors is
appalling.

------
jondubois
It seems that Google employees have nothing to do so they just play around
trying to hack stuff around the office. Obviously it took a lot of time to
research this.

It's disturbing to think how much they get paid to do nothing.

~~~
tushar-r
>It's disturbing to think how much they get paid to do nothing.

Identifying serious vulnerabilities is a "nothing"?

