BSides London 2025

Open Sesame – All Your Doors Are Belong To Us
2025-12-13 , Clappy Monkey Track

We have all seen the Hollywood films: the attacker is in the building, they swipe a card, it sets off the alarms and the guards are coming. The attacker calls down to the hacker in the van: "Unlock all the doors." A couple of seconds later every door unlocks and the thief narrowly escapes the building.

But how true is that? Can we really, in a couple of seconds, remotely unlock every door on an access control system, or even force the whole building into lockdown?

It turns out the answer is yes, at least for some vendors. In this presentation we bring this tradecraft to light using a number of CVEs we discovered in Paxton, a popular access control system deployed everywhere from schools to prisons, government buildings and regional airports.


Past talks and demonstrations have tended to show either covert physical entry or network attacks against the software running OT/IoT systems. Our presentation combines both, showing that they are not mutually exclusive and that, in a world of needlessly interconnected devices, a vulnerability on either side widens the attack surface of the other. Hundreds of thousands of doors are vulnerable, and it is not the vendor's risk to accept.

Overview:
What makes up an access control system
Demo - The Classic Card Clone Attack
Why does that door have an RJ45?
Reverse Engineering the Software Installation

The First Vulnerability - Getting SA and our first remote unlock
Demo - Recover Clear Text Credentials
Demo - Remotely Unlock all the doors
Demo - RCE on the server using SA Credentials

The Second Vulnerability - Hard Coded Accounts
When we recover the credentials, we can see a number of details in the database, including passwords and card details.
Demo - Take a Card UID from the DB and Clone to a blank then unlock the door
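The card clone demos above (the classic clone and the clone built from a UID pulled out of the database) both rest on one property: a controller that authenticates on the card UID alone treats a public identifier as a secret. The following Python model is an added illustration, not code from the talk and not Paxton's or any other vendor's protocol. It shows a UID-only controller opening for a blank written with a UID copied from the database, a challenge-response controller refusing that same blank, and the caveat that challenge-response is no help when the per-card key was in the same dumped database. The database records, UID and key are constructed for the example; the HMAC-based proof of possession is a generic stand-in for whatever a real card and reader negotiate.

```python
# Added illustration (not code from the talk or from any vendor): why a door
# controller that authenticates on the card UID alone is defeated by a UID
# copied out of its own database, why a per-card challenge-response check is
# not, and why that check still fails if the per-card key sits in the same
# dumped database. The records, UIDs and keys below are constructed.
import hashlib
import hmac
import os
from typing import Optional


def _mac(key: bytes, nonce: bytes, uid: str) -> bytes:
    """Card-side and controller-side proof of key possession (HMAC-SHA256)."""
    return hmac.new(key, nonce + uid.encode(), hashlib.sha256).digest()


class GenuineCard:
    """A real credential: public UID plus a secret key that never leaves it."""

    def __init__(self, uid: str, key: bytes):
        self.uid = uid
        self._key = key

    def answer(self, nonce: bytes) -> bytes:
        return _mac(self._key, nonce, self.uid)


class ClonedCard:
    """A blank written with data recovered from the database. With only the
    UID it can answer a challenge only with garbage; with the key as well it
    is indistinguishable from the genuine card."""

    def __init__(self, uid: str, key: Optional[bytes] = None):
        self.uid = uid
        self._key = key

    def answer(self, nonce: bytes) -> bytes:
        if self._key is None:
            return bytes(32)  # no key: cannot compute a valid MAC
        return _mac(self._key, nonce, self.uid)


class UidOnlyController:
    """Grants access when the reported UID is on the allow-list for the door."""

    def __init__(self, db: dict):
        self.db = db

    def unlock(self, door: str, card) -> bool:
        rec = self.db.get(card.uid)
        return rec is not None and door in rec["doors"]


class ChallengeResponseController:
    """Grants access only if the card proves possession of its key against a
    fresh random nonce, so a UID alone is not a credential."""

    def __init__(self, db: dict):
        self.db = db

    def unlock(self, door: str, card) -> bool:
        rec = self.db.get(card.uid)
        if rec is None or door not in rec["doors"]:
            return False
        nonce = os.urandom(16)
        expected = _mac(rec["key"], nonce, card.uid)
        return hmac.compare_digest(card.answer(nonce), expected)


# Constructed sample database: one card, one door. Real products store
# different fields; the shape here is only for the illustration.
CARD_UID = "04A1B2C3D4E5F6"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DB = {CARD_UID: {"holder": "alice", "doors": {"front"}, "key": CARD_KEY}}


def uid_only_accepts_clone() -> bool:
    """A UID copied from the DB onto a blank opens the door."""
    return UidOnlyController(DB).unlock("front", ClonedCard(CARD_UID))


def challenge_response_rejects_uid_clone() -> bool:
    """The same blank is refused when the controller demands proof of the key."""
    return not ChallengeResponseController(DB).unlock("front", ClonedCard(CARD_UID))


def challenge_response_accepts_genuine() -> bool:
    """The genuine card, holding its key, still gets in."""
    return ChallengeResponseController(DB).unlock("front", GenuineCard(CARD_UID, CARD_KEY))


def challenge_response_accepts_clone_with_leaked_key() -> bool:
    """If the dump also contained the per-card key, the clone passes: the key
    must live somewhere the database dump does not reach (e.g. a SAM)."""
    return ChallengeResponseController(DB).unlock("front", ClonedCard(CARD_UID, CARD_KEY))


if __name__ == "__main__":
    print("UID-only controller opens for clone:", uid_only_accepts_clone())
    print("challenge-response refuses UID-only clone:", challenge_response_rejects_uid_clone())
    print("challenge-response admits genuine card:", challenge_response_accepts_genuine())
    print("challenge-response admits clone with leaked key:",
          challenge_response_accepts_clone_with_leaked_key())
```

The last case is the one to take away from the database demo: moving from UID matching to a keyed challenge only helps if the controller-side keys are not recoverable along with the cardholder records, which in practice means keeping them in a secure element or SAM rather than in the same database the application logs into.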
The Third Vulnerability - We don't need servers when we have doors
Recovering the key derivation function
Demo - Trigger soft reset on ACU and then remote unlock