A Google employee was able to manage the door-opening system in the company’s office because of a software vulnerability.
If you do not deal with issues of information security in the company, then it can be excruciatingly painful.
In July of this month, a certain hacker could find a vulnerability in the automatic office management system of Google. He was able to open the door without using an RFID key. Fortunately for the company itself, the hacker turned out to be her own employee, who performed work for the benefit of her employer, and did not seek to harm him.
The corporation has an internal network through which data generated by smart systems of offices and buildings of the company are transmitted. David Tomashik, the Google employee in question, simply sent the code he created to this network, after which the LEDs on the closed doors changed color from red to green — that is, the doors were opened. The program itself was not so simple in development - quite a lot of time was spent on its creation.
Initially, an infobase specialist found a vulnerability in software from Sofware House, a Google partner that developed security controllers for a corporation unit in California.
He studied the encrypted messages that Sofware House devices send ( iStar Ultra and IP-ACM ). These messages, as mentioned above, are sent to the internal network of the company. It turned out that messages are not encrypted securely, they are sent with a certain frequency, and an attacker can use this for his own purposes. After a detailed study, Tomashik found out that the encryption key is generally sewn into the memory of all devices of the specified company. This meant only one thing - the key can be copied and used for their own purposes.
It can be used not only to send phishing messages, but also with the aim of executing any commands from the attacker. They will be considered “legitimate” equipment and executed without blocking the source.
But that's not all. Tomashik determined that the attacker can perform all actions without journaling actions. That is, roughly speaking, you can open any room, take there or do everything you need, go out, and no one will ever know about it. Another interesting point is that an attacker who obtained the encryption key is able to block commands that are served by corporate employees, and also to keep any doors closed.
After the employee notified the management of his office, measures were taken. In particular, the company's network was segmented in such a way that hacking of one sector did not affect the performance of other sectors. In addition, the iStar v2 Board encryption protocol has been changed to a more secure one. Management believes that the vulnerability no one used this time the company was lucky.
However, many companies use the Software House hardware. And the worst thing is that it does not reflash - for this gadgets simply do not have enough memory. And in order to switch to a new encryption protocol, for example, TLS, a company that is a client of Software House will have to buy new systems. In addition to monetary expenses, this means the need to waste staff time on setting up a new infrastructure.
A Google employee revealed a vulnerability at the DEF CON Internet of Things Village event, which was held in early August. In total, participants in this event found 55 vulnerabilities in hardware and software from various manufacturers, including the most well-known. For example, smart irrigation systems, Sonos acoustics, and a wide range of IoT gadgets from Korean manufacturers turned out to be open to intruders.
Software House claims that it is already solving this problem with its customers. Whatever it was, but the situation itself confirms the axiom - manufacturers of IoT-systems care more about functionality and design than about the security of their devices. And even companies that manufacture devices and software for enterprise security systems often have extremely strange vulnerabilities in their products that can be easily eliminated at the design stage.
Until manufacturers of devices for smart homes and buildings pay attention to the issue of security, attackers can exploit a large number of various vulnerabilities and holes with impunity. An example is the Mirai worm, due to which a large number of large botnets appeared.