Aiphone Door Access Control Devices Vulnerable to Routine Hacking Technique via NFC

Experts told Spiceworks that the bug cannot be fixed with a software or firmware upgrade and would require a complete hardware overhaul.

November 11, 2022

This week, Norway-based security company Promon disclosed a vulnerability in intercom and security communication devices made by Aiphone. The vulnerability, tracked as CVE-2022-40903, can be exploited through the devices' near-field communication (NFC) tag interface.

Promon discovered CVE-2022-40903 in June 2021. The bug exists in multiple door access control devices manufactured by Aiphone before December 7, 2021.

Because the attack runs over NFC, an attacker (or, in practice, a thief) has to be in physical proximity to the vulnerable device. According to Promon’s blog post, the Aiphone devices GT-DMB-N, GT-DMB-LVN, and GT-DB-VN can be exploited from an NFC-enabled mobile device.

Promon security researcher Cameron Lowell Palmer told TechCrunch that an attacker could try every possible four-digit passcode within minutes because the device has no check that limits the number of access attempts.

Roger Grimes, defense evangelist at KnowBe4, told Spiceworks, “The allowing of unlimited tries to guess the access code is a very common bug in multifactor authentication and other ‘advanced’ authentication systems like Aiphone. It’s weird.”

“You’ll almost never find a password logon that doesn’t timeout or lockout someone trying to guess at someone’s password, but somehow vendor after vendor just doesn’t seem to get that ‘account lockout’ and ‘rate throttling’ need to be something implemented, especially when the number of possible guesses is less than 10,000.”

Grimes added that many well-known names in the computer and tech industry have neglected to implement basic security measures such as attempt limiters in their products. “This is a big deal. And not to pile on, but this is just the problem we know about today,” Grimes opined.

“It’s the one that made the news. There are probably hundreds to thousands of other physical authentication solutions with the exact same problem…or other problems just as easy to hack. Piling on just Aiphone isn’t the right response. They are just the one you know about today.”

To exploit CVE-2022-40903 by guessing the passcode, the attacker needs a custom Android app that uses NFC host-based card emulation to present itself to the device as an administrative interface and brute-force the code.

Once the app has ‘guessed’ the right code, the attacker can inject the serial number of a new NFC tag into the device, and the device reveals the passcode in plaintext. The attacker can then unlock the access control system either by punching in the revealed code or by presenting the NFC tag.

Chris Clements, VP of solutions architecture at Cerberus Sentinel, told Spiceworks, “The most surprising thing about the nature of the vulnerabilities identified here is just how well-known they are to anyone with experience targeting physical access control systems. These are not cutting-edge hacking techniques, and their routine effectiveness reinforces the need to have any security mechanisms reviewed by people experienced in targeting them.”

Clements added that the vulnerable Aiphone devices do not store access logs, meaning any mischief by threat actors leaves no trace of exploitation.


“They [Aiphone] may have underestimated the possibility that an attacker would have access to a cheap and easily programmable device capable of brute forcing access codes, and that incorrect assumption informed downstream decisions like only using very short access code lengths, no rate limiting code inputs, as well as the absence of a logging mechanism that could identify and alert that such an attack was taking place,” Clements added.
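The two controls the quotes above say the devices lack, a limit on consecutive failed attempts and an audit log that can raise an alert, are small to implement. The following is an added, illustrative model written for this article, not Aiphone's or Promon's code: a passcode verifier that stores only a keyed hash of the code, applies an exponentially growing lockout after a handful of failures, and logs every event. The constructed simulation then shows why 10,000 unthrottled guesses fall in minutes while the same attacker stalls after nine guesses once a lockout is in place. The device key, PIN, attempt rate and timing constants are all constructed sample values.

```python
"""Throttled passcode verifier with audit logging (added example, constructed model).

Models the controls the article says the devices lack: a cap on consecutive
failures, an exponentially growing lockout, and an audit log with an alert event.
All keys, codes and timings below are constructed sample values.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List

MAX_FREE_ATTEMPTS = 5          # consecutive failures allowed with no delay
BASE_LOCKOUT_SECONDS = 30      # first lockout; doubles on every further failure
MAX_LOCKOUT_SECONDS = 3600     # cap, so a legitimate user is never locked out forever
ALERT_THRESHOLD = 5            # consecutive failures that should raise an alert


@dataclass
class AuditEvent:
    time: float      # seconds on the device clock
    kind: str        # "success" | "failure" | "locked_out" | "alert"
    detail: str


class PinVerifier:
    """Stores only a keyed hash of the code, throttles failures, logs everything."""

    def __init__(self, pin: str, clock: Callable[[], float], throttled: bool = True):
        self.clock = clock                        # injected so simulations control time
        self.throttled = throttled                # False reproduces the unthrottled behaviour the article describes
        self.device_key = secrets.token_bytes(32)  # constructed per-device secret
        self.pin_mac = self._mac(pin)
        self.failures = 0
        self.locked_until = 0.0
        self.log: List[AuditEvent] = []

    def _mac(self, pin: str) -> bytes:
        # A four-digit space is tiny, so hashing alone is no defence; the lockout is.
        return hmac.new(self.device_key, pin.encode(), hashlib.sha256).digest()

    def _record(self, kind: str, detail: str) -> None:
        self.log.append(AuditEvent(self.clock(), kind, detail))

    def lockout_seconds(self, failures: int) -> float:
        """Delay imposed after the given number of consecutive failures."""
        if not self.throttled or failures < MAX_FREE_ATTEMPTS:
            return 0.0
        return float(min(BASE_LOCKOUT_SECONDS * 2 ** (failures - MAX_FREE_ATTEMPTS),
                         MAX_LOCKOUT_SECONDS))

    def try_pin(self, candidate: str, source: str = "keypad") -> bool:
        now = self.clock()
        if now < self.locked_until:
            # Even the right code is refused while locked out.
            self._record("locked_out", f"{source}: attempt during lockout, {self.locked_until - now:.0f}s left")
            return False
        if hmac.compare_digest(self._mac(candidate), self.pin_mac):
            self.failures = 0
            self._record("success", f"{source}: valid code")
            return True
        self.failures += 1
        delay = self.lockout_seconds(self.failures)
        self.locked_until = now + delay
        self._record("failure", f"{source}: wrong code, consecutive failures={self.failures}, lockout={delay:.0f}s")
        if self.failures == ALERT_THRESHOLD:
            self._record("alert", f"{source}: {ALERT_THRESHOLD} consecutive failures, possible brute force")
        return False


def simulate_brute_force(pin: str, budget_seconds: float, attempts_per_second: float,
                         throttled: bool) -> Dict[str, object]:
    """Constructed attacker model: tries 0000..9999 in order and waits out any lockout."""
    now = [0.0]
    verifier = PinVerifier(pin, clock=lambda: now[0], throttled=throttled)
    guesses = 0
    found = False
    for n in range(10_000):
        if now[0] < verifier.locked_until:
            now[0] = verifier.locked_until       # wait for the lockout to expire
        if now[0] >= budget_seconds:
            break
        guesses += 1
        found = verifier.try_pin(f"{n:04d}", source="nfc")
        now[0] += 1.0 / attempts_per_second
        if found:
            break
    alerts = sum(1 for e in verifier.log if e.kind == "alert")
    return {"found": found, "guesses": guesses,
            "elapsed": min(now[0], budget_seconds), "alerts": alerts}


if __name__ == "__main__":
    print(simulate_brute_force("9999", 10**9, 50, throttled=False))  # whole space in ~200 s
    print(simulate_brute_force("9999", 600, 50, throttled=True))     # stalls after 9 guesses
```

The lockout is applied regardless of whether the guess came from the keypad or the NFC interface, and the alert event is written even in the unthrottled configuration, which is the point Clements makes: a log alone would have made the attack visible even on a device that cannot be throttled.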

How to mitigate the Aiphone door access control system vulnerability

Changing the passcode to one longer than four digits is one possible mitigation, although that only increases the time needed to brute-force the code without solving the underlying issue.

“What makes this worse, according to initial reports, is that the problem can’t be fixed with a software or firmware upgrade. Most of the time, when issues like this are found, a software update can be deployed to fix it. In this case, it might take a complete replacement of the hardware to fix,” Grimes said.

He went on to attribute the gaps in secure code development to “literally zero training” on the subject, whether at university, in school, or in any independent class teaching software development. The problem becomes institutionalized when companies do not adhere to secure development standards, which is then reflected in their products.

“So, we end up with problems like this all over the world across thousands of vendors. And each time it’s discovered, it makes the news, we blame the vendor (which is partially right), and then move on and not question why we have a world full of hacking and malware and don’t require that all developers get basic training in how to code securely,” Grimes said.

“The problem isn’t necessarily that designers and builders are inept, but that they simply don’t anticipate a particular threat vector,” Clements clarified. “I would, however, argue that failure to understand common threat models combined with not bringing in input and review from experts that do is a form of incompetence that software and hardware manufacturers both need to own up to.”

To secure vulnerable devices, customers need to contact Aiphone for further information.

Aiphone provides door access control and security systems to residential properties, schools and educational institutes, correctional facilities, healthcare facilities, and the government. According to brochures seen by TechCrunch, Aiphone’s products are used by the White House and the U.K. Parliament.

“There’s a problem and the accompanying awes of surprise from readers of this particular report of yet another victim product will not change anything. And we badly need real change,” Grimes concluded.


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
