Hackers Can Unlock Any HID Door Controller with One UDP Packet

Share this…

Hacking like in the movies! Sometimes it’s that easy.If you ever want to impress your friends and hack doors with one command and a push of a button, like in those cheesy and unrealistic Hollywood movies, then choosing an HID door controller for your demonstration is the sure way to get a jaw-dropping reaction.

The reason is that Trend Micro researchers have discovered a severe vulnerability in HID door controllers that allows you to send one malicious UDP request to a door and automatically unlock it and/or deactivate the alarm if the door has that feature enabled.

HID is a company that manufactures, among other things, door controllers. These are those black boxes that you can see next to securitized doors where someone comes in, swipes their card, an LED turns green, and the door automatically opens for them to enter.

Attackers can exploit flaw via the local network

In some newer variants, these door controllers can also be connected to the local network and allow system administrators to manage the devices from their local command center.

Trend Micro’s Ricky “HeadlessZeke” Lawshae discovered that two of these door controllers, VertX and Edge, the company’s flagship products, have a design vulnerability in their management protocol that allows someone to run remote commands on the device, all with root privileges.

According to the researcher, these two devices are running a special daemon calleddiscoveryd, which answers to UDP network packets on port 4070 with information on the device, like its lock state, alarm state, firmware version, device type, MAC address, and a generic name (like “Door for East Corridor”).

Besides reporting on the device’s status, this service also includes a debugging function that allows a remote admin to tell the device to blink its LED for a number of times.

Improper input filtering allows hackers to send commands with debugging code

This operation takes place when the IT manager sends a “command_blink_on” command with the door’s ID. Mr. Lawshae says that by placing Linux command after the ID, wrapped in backticks, like `command`, due to improper input sanitization, the command will execute on the device.

Since this LED function is fed to the system() call, which then runs as root, an attacker can instruct the device to do whatever they wish, all via one single UDP packet.

Additionally, leaving out the ID, the attacker can control all doors inside a building at the same time. If this operation is automated in a network flood-like action, the doors will stay open or closed until the UDP packet spam ends, and only then the IT administrators will be able to open or close the door controllers.

If you deploy such controllers on your network, it may be a good time to visit the HID website and download the latest firmware versions, where this vulnerability was patched.

HID Edge door controller

HID Edge door controller