Hackers can compromise several popular digital door-entry systems made by Aiphone using only a smartphone and a near-field communication (NFC) tag. High-profile clients of the affected devices (GT-DMB-N, GT-DMB-LVN, and GT-DB-VN) include the White House and the UK Houses of Parliament.
A researcher at the Norwegian security company Promon disclosed the flaw: some Aiphone door-entry systems allow an incorrect passcode to be entered an unlimited number of times, so the admin passcode can be recovered by brute force. Once the admin passcode is known, an attacker can use it to add the serial number of a fresh NFC tag to the system’s list of authorized tags.
“This would give the attacker both the code in plaintext that can then be punched into the keypad, but also an NFC tag that can be used to gain access to the building without the need to touch any buttons at all,” explained a blog post reporting the flaw.
There is no digital evidence of such an attack, because the Aiphone system does not keep logs of the attempts. Promon first informed Aiphone of the problem in June 2021. According to the company, systems manufactured before December 7 of that year cannot be fixed; systems manufactured after that date include a feature that limits the number of passcode attempts.
The Promon report states that Aiphone has notified its customers of the vulnerability, which is catalogued as CVE-2022-40903. It was found by Promon security researcher Cameron Lowell Palmer, who considers this kind of IoT security oversight “fairly typical” despite the alarming headline findings. He argues that adopting NFC was administratively convenient but exposed the system to this new attack vector.
Mike Parkin, senior technical engineer at Vulcan Cyber, said that the lack of throttling or lockout measures shows that nobody considered an attacker brute-forcing NFC access when the product was designed. The important questions, in his view, are how many of these fundamentally vulnerable systems are in operation and, just as crucially, how many other products, from this vendor or any other, provide digital access without throttling or lockout timers to mitigate brute-force attacks.
Palmer adds that NFC and IoT are difficult technologies to secure, which is why he believes vendors that do not work together to improve security are taking a risk. Aiphone did not even do basic threat modeling, according to Roger Grimes, a data-driven protection advocate at KnowBe4.
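The missing lockout and the missing attempt log described above are the whole defect. The following added example, which is not Aiphone firmware or Promon's code, contrasts a toy keypad that evaluates every guess and records nothing with one that locks out after repeated failures, backs off exponentially and keeps an audit trail; the attempt limit, lockout length and admin code are assumed values, and `wrong_guesses_tolerated` is a hypothetical helper for measuring the difference.

```python
import hmac
from dataclasses import dataclass, field

MAX_FAILURES = 5        # consecutive wrong codes before lockout (assumed policy, not Aiphone's)
LOCKOUT_SECONDS = 60    # first lockout length; doubles on each further failure


@dataclass
class UnthrottledKeypad:
    """Weak design: every guess is evaluated immediately and nothing is recorded."""
    admin_code: str

    def accepts_input(self, now: float) -> bool:
        return True

    def verify(self, attempt: str, now: float) -> bool:
        return attempt == self.admin_code


@dataclass
class ThrottledKeypad:
    """Hardened design: lockout with exponential backoff plus an audit trail."""
    admin_code: str
    failures: int = 0
    locked_until: float = 0.0
    audit_log: list = field(default_factory=list)  # (timestamp, event) pairs

    def accepts_input(self, now: float) -> bool:
        return now >= self.locked_until

    def verify(self, attempt: str, now: float) -> bool:
        if not self.accepts_input(now):
            self.audit_log.append((now, "rejected_during_lockout"))
            return False
        if hmac.compare_digest(attempt, self.admin_code):  # constant-time comparison
            self.failures = 0
            self.audit_log.append((now, "success"))
            return True
        self.failures += 1
        self.audit_log.append((now, "failure"))
        if self.failures >= MAX_FAILURES:
            # 60 s after the 5th failure, 120 s after the 6th, 240 s after the 7th ...
            self.locked_until = now + LOCKOUT_SECONDS * 2 ** (self.failures - MAX_FAILURES)
        return False


def wrong_guesses_tolerated(keypad, wrong_code: str, now: float = 0.0, limit: int = 10_000) -> int:
    """Defender metric: consecutive wrong codes evaluated at one instant before input is refused."""
    for n in range(limit):
        if not keypad.accepts_input(now):
            return n
        keypad.verify(wrong_code, now)  # wrong_code must differ from the admin code
    return limit  # the unthrottled design never refuses; the loop is capped only by `limit`
```

Every entry in `audit_log` is evidence that the real system, as reported, does not produce.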
“It makes me suspicious of their entire design, security-wise,” he states. “This is not just a problem with this vendor. You can name nearly any vendor or product you like, and they are also not doing the appropriate threat modeling.”
Jason Hicks, field CISO and senior consultant at Coalfire, says there has been a recent push to integrate voice over IP (VoIP), newer wireless technologies such as NFC, remote access and other components into physical security systems. Unlike many IoT devices, whose compromise would pose no significant security risk, access control systems are different, according to Hicks: here a breach can cause damage or financial loss. Vendors must therefore give all their developers training in secure software and product development.
Palmer advises IoT companies to adopt even basic measures, for instance hiring independent specialists to check the devices’ security periodically. IoT is the fastest-growing attack surface, according to Bud Broomhead, CEO of Viakoo, who adds that there are several reasons for this, starting with the fact that customers frequently overlook the security implications.
“IoT devices are typically managed by the line of business and not IT, so there is both a lack of skills and knowledge about maintaining cyber hygiene,” he states.
He goes on to say that although many IoT systems are planned as capital expenditures, they often do not receive the ongoing budget needed to keep them secure. They also lack software bills of materials (SBOMs), which would let owners quickly determine whether a device contains known vulnerabilities, and they frequently rely on open-source software. According to Broomhead, several makes and models often perform the same function, so a single vulnerability can require updates from several manufacturers. He further says that IoT fingerprinting can aid security and administration for firms seeking to protect a fast-growing fleet of IoT devices.