
'Devastating' bug pops secure doors at airports, hospitals - dcposch
http://www.theregister.co.uk/2016/04/04/devastating_bug_pops_secure_doors_at_airports_hospitals/
======
amluto
HID is up there with RSA on my list of big companies whose products should not
be used.

Let's see.

\- IIRC, many (most? half? not really sure) HID devices use no crypto
whatsoever. The tags simply tell the reader their serial number.

\- A bunch that do use crypto use a homebrewed algorithm that's entirely
broken. (See, for example,
[http://www.openpcd.org/HID_iClass_demystified](http://www.openpcd.org/HID_iClass_demystified)).

\- AFAICT, HID doesn't like to talk about their actual protocols. That rules
them out for serious use in my book.

IMO the right way to do keyless entry is to use SIA OSDP Transparent Mode [1]
readers and some very simple software to authenticate something like a Yubikey
NEO or a Mifare DESfire at the other end. (The high-end DESfire devices are
cheap and use real crypto.)

(Of course, big customers still use HID and RSA, because no one ever got fired
for using an expensive product from a well-known big-name supplier.)

[1] A fancy name for an open protocol that lets you _gasp_ exchange plain ol'
APDUs with a card via a reader that speaks the protocol. Of course, this is so
amazingly brilliant that HID's parent company claims to have patented it.
Someone should file for ex parte review. (The patents are, AFAICT,
[https://www.google.com/patents/US6575360](https://www.google.com/patents/US6575360)
and
[https://www.google.com/patents/US7853789](https://www.google.com/patents/US7853789).
These are IMO about as obvious as patents get.)

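To make the "no crypto, the tag just tells the reader its serial number" point concrete, here is an added example (not code from the thread, from HID, or from any product): an encoder and parity-checking decoder for the 26-bit H10301 Wiegand frame that a typical proximity reader forwards to the door controller. Everything in the frame is a fixed facility code and card number plus two parity bits, no nonce, challenge or key, so whoever captures the bits once can replay them indefinitely. The function names and the sample facility/card values are assumptions chosen for this example.

```c
/* Added example: 26-bit Wiegand (H10301) frame encode/decode.
 * Function names and sample values are hypothetical, not from any vendor code.
 *
 * Bit layout, first transmitted bit stored at position 25 of a uint32_t:
 *   pos 25     : even parity over positions 24..13 (first 12 data bits)
 *   pos 24..17 : 8-bit facility code
 *   pos 16..1  : 16-bit card number
 *   pos 0      : odd parity over positions 12..1 (last 12 data bits)
 */
#include <stdint.h>
#include <stdio.h>

/* Returns 1 if v has an odd number of set bits, 0 if even. */
static int parity(uint32_t v)
{
    int p = 0;
    while (v) { p ^= 1; v &= v - 1; }
    return p;
}

/* Build the frame a reader would emit for a given facility code and card number. */
uint32_t wiegand26_encode(uint8_t facility, uint16_t card)
{
    uint32_t data = ((uint32_t)facility << 16) | card;  /* 24 data bits */
    uint32_t frame = data << 1;                         /* leave room for the trailing parity bit */
    uint32_t hi12 = (data >> 12) & 0xFFF;
    uint32_t lo12 = data & 0xFFF;
    if (parity(hi12)) frame |= 1u << 25;  /* even parity: set the bit when the data count is odd */
    if (!parity(lo12)) frame |= 1u;       /* odd parity: set the bit when the data count is even */
    return frame;
}

/* Parse a captured frame. Returns 0 on success, -1 if either parity check fails.
 * Note there is nothing else to verify: a frame that passes parity is "valid". */
int wiegand26_decode(uint32_t frame, uint8_t *facility, uint16_t *card)
{
    uint32_t data = (frame >> 1) & 0xFFFFFF;
    uint32_t hi12 = (data >> 12) & 0xFFF;
    uint32_t lo12 = data & 0xFFF;
    int p_even = (frame >> 25) & 1;
    int p_odd = frame & 1;
    if (parity(hi12) != p_even) return -1;  /* total over 13 bits must be even */
    if (parity(lo12) == p_odd) return -1;   /* total over 13 bits must be odd */
    *facility = (uint8_t)(data >> 16);
    *card = (uint16_t)(data & 0xFFFF);
    return 0;
}

/* Convenience for tests/callers: does this frame decode cleanly? */
int wiegand26_is_valid(uint32_t frame)
{
    uint8_t f; uint16_t c;
    return wiegand26_decode(frame, &f, &c) == 0;
}

int main(void)
{
    /* Constructed sample credential: facility 0x12, card 0x3456. */
    uint32_t frame = wiegand26_encode(0x12, 0x3456);
    uint8_t f; uint16_t c;
    printf("frame on the wire: 0x%07X\n", frame);
    if (wiegand26_decode(frame, &f, &c) == 0)
        printf("replayed frame decodes to facility %u, card %u\n", f, c);
    /* A single flipped bit is caught by parity, but that is the only protection. */
    printf("bit-flipped frame valid? %d\n", wiegand26_is_valid(frame ^ (1u << 5)));
    return 0;
}
```

The decoder accepts any parity-correct frame, which is exactly the problem: the controller cannot distinguish a card from a replay of the same 26 bits, so the "secure" door reduces to keeping a short, static number secret.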
~~~
passivepinetree
If you don't mind my asking, what other companies are on your list?

------
dcposch
> Lawshae says the attacks, which can open every door in a building, are
> possible because of a command injection vulnerability in a LED blinking
> lights service.

> "A command injection vulnerability exists in this function due to a lack of
> any sanitisation on the user-supplied input that is fed to the system()
> call," Lawshae says.

This looks like the latest in "internet of things" idiocy. Things that were
once simple, but which now inexplicably run Linux.

This is how you get critical security failures from an "LED blinking lights
service" or a home thermostat that bricks itself one morning after an auto
update.

It's also how you get cars that can be crashed by a 4chan troll 1000 miles
away, over the network, because of a bug in the entertainment system.

[http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/](http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/)

Just Say No to needless complexity. Just because you can give your fridge an
IP address doesn't mean you should.

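The quoted bug is the textbook shape of a command injection: user input spliced into a string handed to system(). As an added illustration (not code from the article, the advisory, or the vendor; the service name, binary path and function names are made up for this example), here is what that pattern looks like in C next to a hardened version that validates the argument against an allowlist and runs the helper without a shell at all.

```c
/* Added example: a vulnerable LED-control handler and a hardened one.
 * Names (build_led_command, set_led_safe, /usr/bin/blink_led) are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX 256
static char g_cmd[CMD_MAX];

/* VULNERABLE PATTERN. Builds exactly the string that would be handed to system().
 * It is returned instead of executed so the reader can inspect the injection.
 * Whatever comes after a ';' or '|' in `led` runs as root if the service does. */
const char *build_led_command(const char *led)
{
    int n = snprintf(g_cmd, sizeof g_cmd, "/usr/bin/blink_led %s", led);
    if (n < 0 || (size_t)n >= sizeof g_cmd) return NULL;
    return g_cmd;   /* the original bug would do: system(g_cmd); */
}

/* Allowlist: an LED identifier needs nothing beyond [A-Za-z0-9_-]. */
int led_arg_is_safe(const char *led)
{
    size_t len = strlen(led);
    if (len == 0 || len > 32) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)led[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* HARDENED. Reject anything outside the allowlist, then execv() the helper
 * directly: no /bin/sh is involved, so shell metacharacters are just bytes.
 * Returns the helper's exit status, or -1 if the input was rejected or
 * the child could not be managed. */
int set_led_safe(const char *led)
{
    if (!led_arg_is_safe(led)) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)"/usr/bin/blink_led", (char *)led, NULL };
        execv(argv[0], argv);
        _exit(127);  /* reached only if execv fails (e.g. helper missing) */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a normal LED name and an injection attempt. */
    const char *benign = "front_door";
    const char *hostile = "front_door; id > /tmp/owned";

    printf("vulnerable path would run: %s\n", build_led_command(hostile));
    printf("allowlist accepts '%s': %d\n", benign, led_arg_is_safe(benign));
    printf("allowlist accepts '%s': %d\n", hostile, led_arg_is_safe(hostile));
    printf("set_led_safe(hostile) = %d (rejected, nothing executed)\n",
           set_led_safe(hostile));
    return 0;
}
```

The allowlist alone would have stopped this particular payload, but the execv() step is the part that removes the bug class: with no shell parsing the argument there is no quoting to get wrong, and a future "valid" character added to the allowlist cannot reopen the hole.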
~~~
golemotron
Agreed. After seeing cars rooted and controlled remotely I'd rather have a car
with no software at all. It's time for a new Luddism.

~~~
kbhn
Among the many reasons why I drive stick, this ranks near the top.

The clutch serves as a wonderful dead man's switch.

~~~
passivepinetree
I'd be willing to bet a significant percentage of HN's readers drive stick.

~~~
r00fus
Except for those of us who drive hybrid eCVTs or electric. Owning an automatic
was one of the most expensive decisions of my life... One I wouldn't repeat if
I could avoid it.

~~~
pitay
Just curious as to why owning an automatic was one of the most expensive
decisions of your life?

Just for reference I own an automatic and I'm quite happy with it.

------
cellularmitosis
There's a surprisingly simple way to leave yourself a "backdoor" with almost
any of these electronically controlled magnetic locks: tape a paperclip to the
magnet.

The paperclip creates enough of a gap to weaken the magnetic hold such that if
you put your shoulder into it, you can pop the door open.

This backdoor is virtually undetectable, because the door still operates
normally, and no one thinks to look directly at the magnet (except for me,
which is how I discovered this trick).

~~~
abraae
Wow, that's a pretty easy attack, and one that a baddy could pull casually
while scoping out an office or some other target during business hours.

~~~
plaguuuuuu
I know a guy who had to break into his own office; he popped a ceiling panel
and disconnected the door's power supply, switching off the magnetic lock.

~~~
grahamburger
I've done that before to get in to the server room during an outage in the
middle of the night. For some reason my keycard wasn't working. Servers were
on battery backup but the door locks weren't. Killed power via the master
switch to the building long enough to get in the door, fix the outage and get
out.

------
peterwwillis
So you need to be on the door controller network to exploit it... and the
network is behind the door.

As opposed to paying a pickpocket $50 to swipe a HID card from any of a
thousand employees. Or, I dunno, using a passive reader to clone any of them
from across the parking lot. Both of which are less traceable than, say, a
spear-phishing malware attack.

~~~
woodman
[http://www.exfiltrated.com/queryport.php?Port=4070](http://www.exfiltrated.com/queryport.php?Port=4070)

All those IPs are on networks behind doors.

------
Animats
Why is a door lock running a full Linux, with command line tools?

~~~
cmdrfred
Most privilege.

~~~
bluejellybean
Everyone gets root :)

------
basicplus2
No in-house security network like this should be connected to the internet. In-
house security personnel are on site to monitor, control and manage.

