By Joe Lea, VP of Product
Even if you don’t use one yourself, odds are good that you’ve seen someone walking around with a badge with a grainy headshot of themselves on a lanyard around their neck or attached to a pocket or belt loop. Most companies today give each employee a security badge to open doors. Corporate security teams stress how individuals should scan their badges at each entry point rather than holding the door open for one another. This helps with security and to ensure an accurate account of who entered a given area and when.
These badge reader systems aren’t closed systems. They’re usually connected to and managed over a network, which means they’re just as exposed to attack as any other device on the network. The devices on these systems don’t have any built-in protection against hacks, and they typically don’t and sometimes can’t receive critical software updates. They’re also unagentable, meaning traditional security products lack visibility and can’t protect them because you can’t load software agents on them. All of this leaves these devices vulnerable to attacks.
How vulnerable? These systems maintain a database of sensitive employee information including unique card IDs and policies that allow (or revoke) access to groups or individuals. A hacker with access to these systems could extract data and use it to create fake access badges with the stolen data.
Door Security May Leave You Insecure
A badge reader may not strike you as an internet-of-things (IoT) device, but it is. The mainstream concept of IoT usually revolves around devices like connected thermostats, connected cameras, or connected refrigerators. That’s one of the reasons why IoT security is such a crucial issue for enterprises. There is little awareness or understanding about the broad range of connected devices that pose a risk and that need to be protected from an IoT security perspective.
Anything that has an IP address and can communicate over the network is a potential target for cyber attacks. A successful compromise of a badge reader system could give an attacker physical access to facilities which is a very serious matter in many locations — think airports, refineries, power plants, hydroelectric dams. It also gives an attacker an entry point to attack other assets on the network — think credit card data, human resources data, etc.
Google Engineer Takes Down Google Security
The idea that the badge reader system can be hacked isn’t purely theoretical. A Google engineer recently discovered vulnerabilities in the controllers that manage physical access at the Google campus where he works. With not much effort, he was able to whip up code he used to exploit the flaw, and voila! He was able to unlock doors remotely without a badge.
It turns out that the encrypted traffic from the card reader was not random. The Google engineer discovered a hardcoded encryption key in the code. With that knowledge, he was able to copy the key and issue commands to lock or unlock doors and execute other commands on the card readers—and he was able to do it without leaving any trace of his actions.
Google, a company worth nearly a trillion dollars—with a ‘T’—could be physically compromised thanks to a design flaw in a connected system. With cutting edge innovation and research to protect, and some of the best software engineers in the world, Google was still vulnerable.
Badge Readers Can Be Held Hostage Too
If an employee engineer with time on his hands can hack a card reader system for fun, clever hackers can just as easily take that system hostage with ransomware, and use that attack to spread ransomware laterally to other devices on the network. Many of these systems run on older operating systems like Windows XP which aren’t just end-of-life, they’re end-of-support. That leaves them without critical patches and security updates that can protect them against very real threats like WannaCry.
Downtime from being locked out of a badge reader system could have significant repercussions. Manufacturing plants could be left at a standstill. Customers and staff could be kept away from shopping at retail stores. Or worse, critical resources like police, fire, and medical staff could be locked out of facilities, impacting the health and safety of the public.
Lock Down Your Door Locks, and Monitor Everything for Intrusion
The card system like the one at Google has since been updated with stronger encryption, but other devices made by this same vendor—Software House—cannot be updated or fixed at all. Flaws on unpatchable, unfixable systems will exist on that equipment forever, and the only way to completely solve the problem is to replace the hardware itself.
Google also told reporters that they have placed the badge reader onto a separate network segment as a way to mitigate risk should an attacker successfully compromise the badge reader system in the future. But network segmentation is not a sufficient security strategy. The U.S. Department of Homeland Security warned everyone last April that network infrastructure is highly vulnerable, and once you compromise a switch or router, you can roam free throughout the network. Armis demonstrated this at the RSA security conference last May. You can watch our RSA presentation in this video.
Organizations need a different approach to security that encompasses IoT. Effective IoT security starts with comprehensive visibility. You need to be able to effectively and accurately inventory, assess, and monitor all devices connected to your network—especially legacy and unmanaged devices. Don’t let your door locks—or any other IoT device—be the Achilles heel that takes down your network.
Joe Lea leads the product team at Armis and is responsible for turning the Armis vision into a service that provides value to and protects customers. Before Armis, he was head of product at Tanium where he helped the company grow from a nascent endpoint query tool to a disruptive industry force. When he’s not busy at Armis or spending time with family, Joe speaks about his experience competing in some of the world’s most grueling 100-mile mountain ultra-marathons, which, as it turns out, are not as different from his day job as you might expect.