A security research firm claims to have discovered an “easily” exploitable vulnerability in a door entry security system used in government buildings and apartment complexes, but warns that the vulnerability cannot be patched.
Norwegian security firm Promon says the bug affects several Aiphone GT models that use NFC technology, often found in contactless credit cards, and allows bad actors potential access to sensitive facilities by brute-forcing the door entry system security code.
Aiphone counts both the White House and the British Parliament as customers of the affected systems, according to company brochures viewed by TechCrunch.
Promon security researcher Cameron Lowell Palmer said a potential intruder can use an NFC-enabled mobile device to quickly scan through each permutation of a four-digit “admin” code used to secure each Aiphone GT door system. Because the system does not limit the number of times a code can be tried, Palmer said it only takes a few minutes to cycle through each of the 10,000 possible four-digit codes used by the door entry system. This code can be typed into the system keypad or transmitted to an NFC tag, allowing bad actors to potentially access restricted areas without having to touch the system at all.
In a video shared with TechCrunch, Palmer created a proof-of-concept Android app that allowed him to verify every four-digit code on a vulnerable Aiphone door entry system in his test lab. Palmer said affected Aiphone models do not store logs, allowing a malicious actor to bypass system security without leaving a digital trace.
Palmer disclosed the vulnerability to Aiphone in late June 2021. Aiphone told the security firm that systems manufactured before December 7, 2021 are affected and cannot be updated, but systems manufactured after that date have a software patch that limits the rate of door entry attempts.
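To show why the two gaps described above matter (no limit on attempts, no logs), here is an added Python model of a code check with failure lockout and an audit trail; it is not Aiphone's or Promon's code. The class and function names, the lockout thresholds and the 0.05-second cost per attempt are assumptions chosen for illustration.

```python
import hmac

KEYSPACE = 10_000  # four-digit codes, as described in the article


class CodeVerifier:
    """Admin-code check with failure lockout and an audit trail (hypothetical design)."""

    def __init__(self, secret, max_failures=5, base_lockout=30.0, max_lockout=3600.0):
        self._secret = secret.encode()
        self.max_failures = max_failures      # assumed policy values
        self.base_lockout = base_lockout      # seconds
        self.max_lockout = max_lockout        # seconds
        self.failures = 0
        self.next_lockout = base_lockout
        self.locked_until = 0.0
        self.audit_log = []                   # (timestamp, event) pairs

    def verify(self, code, now):
        if now < self.locked_until:
            # Refuse to evaluate the code at all while locked out.
            self.audit_log.append((now, "rejected_locked"))
            return False
        if hmac.compare_digest(code.encode(), self._secret):
            self.failures, self.next_lockout = 0, self.base_lockout
            self.audit_log.append((now, "accepted"))
            return True
        self.failures += 1
        self.audit_log.append((now, "failed"))
        if self.failures >= self.max_failures:
            # Lock out, then double the next lockout up to the cap.
            self.locked_until = now + self.next_lockout
            self.audit_log.append((now, f"lockout_{int(self.next_lockout)}s"))
            self.next_lockout = min(self.next_lockout * 2, self.max_lockout)
            self.failures = 0
        return False


def worst_case_seconds(verifier, per_try=0.05):
    """Simulated time to present every code once, waiting out each lockout."""
    now = 0.0
    for n in range(KEYSPACE):
        now = max(now, verifier.locked_until) + per_try
        if verifier.verify(f"{n:04d}", now):
            break
    return now
```

Under these assumed values, a verifier with no effective attempt limit is exhausted in about 500 seconds, while the lockout policy stretches the worst case to roughly 83 days. In the model, every failed, locked-out and accepted attempt also lands in `audit_log`.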
This isn’t the only bug Promon has discovered in the Aiphone system. Promon also said it discovered that the application used to configure the door entry system offers an unencrypted plain text file containing the administrator code for the system’s main portal. Promon said this could allow an intruder to also gain access to information needed to access restricted areas.
Aiphone spokesman Brad Kemcheff did not respond to requests for comment sent before publication.
In a similar vein, a university student and security researcher earlier this year discovered a “master key” vulnerability in a widely used door entry system built by CBORD, a technology company that provides access control and payment systems to hospitals and college campuses. CBORD fixed the bug after the researcher reported the issue to the company.