This week, Norwegian security firm Promon disclosed a vulnerability in Aiphone’s intercom and security communication devices. The vulnerability, tracked as CVE-2022-40903, can be exploited through a Near Field Communication (NFC) beacon.
Promon discovered CVE-2022-40903 in June 2021. The bug exists in multi-door access control devices manufactured by Aiphone before December 7, 2021.
Because the attack is NFC-driven, an attacker (or, in this case, a thief) must be physically close to the vulnerable device. According to Promon’s blog post, the Aiphone GT-DMB-N, GT-DMB-LVN, and GT-DB-VN devices can be operated via NFC-enabled mobile devices.
Promon security researcher Cameron Lowell Palmer told TechCrunch that an attacker could verify every four-digit permutation as the device’s passcode within minutes because the device has no controls to deter unlimited access attempts.
Roger Grimes, Defense Evangelist at KnowBe4, told Spiceworks, “Allowing unlimited passcode guessing is a very common bug in multi-factor authentication and other ‘advanced’ authentication systems, like Aiphone. It’s strange.”
“You will almost never find a password login that doesn’t expire or lock out someone trying to guess someone’s password, but somehow provider after provider, it just doesn’t seem to get that ‘account lock’ and ‘rate limiting’ need to be something implemented especially when the number of possible guesses is less than 10,000.”
Grimes added that several notable names in IT and the technology industry in general forgot to implement basic security measures such as limiters in their respective products. “This is a big deal. And not hoarding, but that’s just the problem we have today,” Grimes said.
“He’s the one who made the news. There are probably hundreds, if not thousands, of other physical authentication solutions out there with the exact same problem…or other equally easy-to-hack problems. Piling on Aiphone is not the right answer. They are just the ones you know today.”
To exploit CVE-2022-40903 by guessing the passcode, the attacker needs a custom Android app that uses NFC host-card emulation to pose as the administrative interface and brute-force the code, figuratively “opening” the device.
Once the app has “guessed” the correct code, the attacker can inject the serial number of a new NFC tag containing the passcode into the device, which reveals the passcode in the clear. The attacker can then unlock the access control system either by entering the revealed code or by presenting the NFC tag.
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, told Spiceworks, “The most surprising thing about the nature of the vulnerabilities identified here is how well known they are to anyone with experience targeting physical access control systems. These are not state-of-the-art hacking techniques, and their routine effectiveness reinforces the need to have all security mechanisms reviewed by people experienced in their targeting.”
Clements added that vulnerable Aiphone devices do not store access logs, meaning any mischief by malicious actors leaves no trace of exploitation.
“They [Aiphone] may have underestimated the possibility that an attacker had access to a cheap, easily programmable device capable of brute-forcing passcodes, and this incorrect assumption informed downstream decisions, such as using only very short passcode lengths, no rate-limiting code entries, as well as the lack of a logging mechanism that could identify and alert that such an attack was taking place,” Clements added.
How can the vulnerability in Aiphone’s door access control system be mitigated?
Updating the passcode to more than four digits is a possible solution, although doing so will only increase the time it takes to crack the code without fixing the underlying problem.
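The point made here and in the earlier comments (unlimited attempts against a 10,000-code keyspace, no rate limiting, no logging) is easy to make concrete. The following is an added illustration written for this article; it is not Aiphone firmware or Promon’s research code. It shows what a longer passcode buys on its own (only more time for a guesser), and what a failed-attempt lockout with escalating delay plus an audit log buys instead: a guesser that could submit thousands of codes in ten minutes gets only a couple of dozen evaluated, and every attempt leaves a traceable record. All names, thresholds, the salt value and the guess rate are assumptions chosen for the example.

```python
"""Added example (not Aiphone's or Promon's code): a passcode verifier with
the controls the article says the devices lacked: a failed-attempt lockout
with escalating delay, and an audit log that can drive an alert.
Thresholds, names and the salt below are assumptions for illustration."""

import hashlib
import hmac


def worst_case_seconds(digits: int, guesses_per_second: float) -> float:
    """Time to exhaust an all-digit keyspace when nothing limits attempts.
    A longer code only enlarges this number; it does not cap attempts."""
    return 10 ** digits / guesses_per_second


class PasscodeVerifier:
    """Checks a numeric passcode. Time is an integer in milliseconds
    supplied by the caller so the behaviour is deterministic and testable."""

    def __init__(self, code: str, salt: bytes = b"constructed-salt",
                 max_failures: int = 5, base_lockout_ms: int = 30_000):
        self._salt = salt
        self._code_hash = self._hash(code)  # never keep the code in the clear
        self.max_failures = max_failures
        self.base_lockout_ms = base_lockout_ms
        self.failures = 0          # consecutive failures since last lockout
        self.lockouts = 0          # lockouts so far; each one doubles the delay
        self.locked_until_ms = 0
        self.audit_log = []        # one record per attempt, accepted or not

    def _hash(self, code: str) -> bytes:
        return hashlib.sha256(self._salt + code.encode()).digest()

    def _log(self, now_ms: int, source: str, outcome: str) -> None:
        self.audit_log.append({"t_ms": now_ms, "source": source, "outcome": outcome})

    def verify(self, code: str, source: str, now_ms: int) -> str:
        """Returns 'granted', 'denied', 'lockout' or 'locked'.
        'source' is the presenting tag/serial, recorded for attribution."""
        if now_ms < self.locked_until_ms:
            self._log(now_ms, source, "locked")     # rejected without evaluation
            return "locked"
        if hmac.compare_digest(self._hash(code), self._code_hash):
            self.failures = 0
            self.lockouts = 0
            self._log(now_ms, source, "granted")
            return "granted"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.lockouts += 1
            delay = self.base_lockout_ms * 2 ** (self.lockouts - 1)
            self.locked_until_ms = now_ms + delay
            self._log(now_ms, source, "lockout")
            return "lockout"
        self._log(now_ms, source, "denied")
        return "denied"


def guesses_evaluated(verifier: PasscodeVerifier, window_s: int,
                      guesses_per_second: int, wrong_code: str = "0000") -> int:
    """Simulate an automated guesser submitting one wrong code at a steady
    rate and count how many attempts the device actually evaluates.
    Without a lockout the answer would simply be window_s * guesses_per_second."""
    interval_ms = 1000 // guesses_per_second
    evaluated = 0
    for i in range(window_s * guesses_per_second):
        if verifier.verify(wrong_code, "sim-tag", i * interval_ms) != "locked":
            evaluated += 1
    return evaluated


def suspicious_sources(audit_log: list, threshold: int) -> list:
    """Sources with more than `threshold` evaluated failures: the alert the
    article says a logging mechanism should have been able to raise."""
    counts = {}
    for rec in audit_log:
        if rec["outcome"] in ("denied", "lockout"):
            counts[rec["source"]] = counts.get(rec["source"], 0) + 1
    return sorted(s for s, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print("4 digits @10/s, no limits:", worst_case_seconds(4, 10), "s")
    print("6 digits @10/s, no limits:", worst_case_seconds(6, 10), "s")
    v = PasscodeVerifier("4821")                   # constructed sample code
    n = guesses_evaluated(v, window_s=600, guesses_per_second=10)
    print("attempts evaluated in 10 min with lockout:", n, "of", 6000)
    print("sources to alert on:", suspicious_sources(v.audit_log, 10))
```

With the example thresholds, a 4-digit code at ten guesses per second falls in 1,000 seconds when nothing limits attempts, and a 6-digit code only stretches that to 100,000 seconds. The lockout changes the shape of the problem rather than the size: in a 10-minute window the same guesser gets 25 attempts evaluated instead of 6,000, and the audit log names the presenting tag for every one of them.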
“What makes the situation worse, according to initial reports, is that the issue cannot be resolved with a software or firmware upgrade. Most of the time, when issues like this are detected, a software update can be rolled out to fix it. In this case, it may require a complete hardware replacement to fix it,” Grimes said.
He goes on to attribute the shortcomings in secure code development to “literally zero training” on the subject, whether in college, school, or any independent software development class. The problem becomes institutionalized when companies fail to adhere to secure code development standards, which is then reflected in their products.
“So we end up with issues like this all over the world and across thousands of vendors. And every time it’s discovered it makes the news, we blame the vendor (which is partially right) and then move on and don’t wonder why we have a world full of hacks and malware and don’t require all developers to receive basic training in how to code safely,” Grimes said.
“The problem isn’t necessarily that the designers and builders are incompetent, but that they just aren’t anticipating a particular threat vector,” Clements clarified. “I would argue, however, that the failure to understand common threat patterns, combined with the lack of expert commentary and reviews that do, is a form of incompetence that software and hardware manufacturers need to assume.”
To secure vulnerable devices, customers should contact Aiphone for further information.
Aiphone provides access control and security systems to residential properties, schools and educational institutions, correctional facilities, healthcare facilities and government. According to brochures seen by TechCrunch, Aiphone’s products are used by the White House and the British Parliament.
“There is a problem and the fear of surprise that comes with it from readers of this particular report on yet another victimized product will not change that. And we really need real change,” Grimes concluded.
Image source: Shutterstock