Modern PACS designed to enhance building security inadvertently serve as entry points into internal IP networks
OTORIO, a leading cybersecurity company, recently revealed groundbreaking research on the security risks associated with modern Physical Access Control Systems (PACS), presented at Black Hat Europe 2023.
Key highlights
- Bypassing the latest physical security access control systems, allowing unauthorized access to secure facilities.
- Demonstrating how attackers can breach internal IP networks directly from outside the front door.
When the Front Door Becomes a Backdoor: The Security Paradox of OSDP
During the 40-minute virtual closed-door session, Eran Jacob, Head of Research, and Ariel Harush, Security Researcher, exposed the paradoxical nature of modern Physical Access Control Systems (PACS) situated at the front doors of various facilities. Contrary to their primary purpose of enhancing security, these systems, especially those utilizing the Open Supervised Device Protocol (OSDP), inadvertently created a potential entry point into the organization’s internal IP network.
CIO INFLUENCE News: NetDevOps Days and AutoCon Join Forces to Accelerate Booming Network Automation Community
“We successfully bypassed the latest physical access control systems, exposing potential vectors for unauthorized facility access,” says Eran, “Our findings illuminate a paradox in the technological advancement of these devices—as they incorporate additional security features, they also increase complexity and introduce new risks. During our research, we demonstrated how this could potentially enable attackers to compromise the physical barriers and penetrate the internal IP networks right from the gate of the secure site.”
The research demonstrates how cyber attackers could exploit supposedly secure doors equipped with the latest building access control measures. The attackers could rapidly establish a Man-in-The-Middle on the serial connection behind the reader, overcome tamper protection, bypass OSDP for unauthorized physical access, and exploit access controllers for breaching the internal IP network over the serial channel. This discovery raises concerns about the security of devices utilizing OSDP, highlighting the need for a comprehensive revaluation of building access control measures.
CIO INFLUENCE News: Apiiro and Wiz Partner to Unite Application and Cloud Security
Implications for Building Security
As PACS communication has evolved, it has brought about crucial security enhancements but, at the same time, simultaneously introduced a new attack surface. While unauthorized access is not a new threat, the alarming revelation made by OTORIO was the possibility of lateral movement from the front door into the internal network – an unprecedented scenario.
CIO INFLUENCE News: SensiML Unveils Data Studio – Next-Generation Sensor Data Management for AI / ML
[To share your insights with us, please write to sghosh@martechseries.com]
