Google, an American multinational technology company specializing in Internet-related services and products, including online advertising technologies, a search engine, cloud computing, software, and hardware, has been hacked. The incident occurred when one of its own engineers, David Tomaschik, decided to explore the encrypted messages being sent across the firm's network by Software House devices; the iStar Ultra and IP-ACM are among the products the vendor offers to improve the physical security of Google's offices.
Speaking to Forbes, the engineer said that after probing the messages and discovering they were not randomized, he also stumbled across a hardcoded encryption key used by all Software House devices.
Tomaschik was able to replicate the key, which meant he could effectively forge commands, or simply replay legitimate unlocking commands, which had much the same effect as using the RFID-based keycards, and hijack the security system, forcing doors to open or lock at will.
Even visitors or Google employees equipped with the RFID-based keycards required to enter the premises would find the doors refusing to open, if he did not want them to.
The engineer tested his findings by sending crafted, malicious code across Google's networks. The lights on his office door confirmed the result by turning from red to green, and the lock was completely under his control, which leaves the doors on Google's campus vulnerable.
Tomaschik described his findings at DEF CON 26 in the IoT village earlier this month.
The vulnerability, tracked as CVE-2017-17704, impacts the boards of the Software House products. These boards communicate with RFID-based badge readers, but the bug means that the fixed AES keys can be compromised, and there is no authentication of messages beyond the use of the encryption key.
“An attacker with access to the network can unlock doors without generating any log entry of the door unlock. An attacker can also prevent legitimate unlock attempts,” the security advisory says. “Organizations using these devices should ensure that the network used for IP-ACM to iStar Ultra communications is not accessible to potential attackers.”
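The advisory's two points, that messages are not authenticated beyond the shared key and that a replayed unlock leaves no log entry, are what a receiver-side check has to address. The following is an added illustration, not code from Software House or from Google's advisory: a hypothetical door controller that authenticates each frame with a per-device HMAC and enforces a strictly increasing counter, so a forged frame fails the tag check and a replayed frame is rejected and logged. Confidentiality (encrypting the body, in practice with an AEAD mode) is left out to keep the example short.

```python
import hmac
import hashlib
import struct

# Constructed per-device key. The vulnerable firmware used one key for every
# device; a real deployment provisions a distinct key per board.
DEVICE_KEY = b"\x01" * 32
TAG_LEN = 32
HEADER_FMT = ">IQ"  # device_id (4 bytes) || counter (8 bytes)
HEADER_LEN = struct.calcsize(HEADER_FMT)


def make_message(key, device_id, counter, command):
    """Build an authenticated frame: device_id || counter || command || tag."""
    body = struct.pack(HEADER_FMT, device_id, counter) + command
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class DoorController:
    """Receiver that verifies the MAC and rejects replayed counters."""

    def __init__(self, key):
        self.key = key
        self.last_counter = {}  # device_id -> highest counter accepted
        self.log = []           # every decision is recorded, replays included

    def receive(self, frame):
        if len(frame) < HEADER_LEN + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; a wrong key or a modified body fails here.
        if not hmac.compare_digest(tag, expected):
            self.log.append("rejected: bad tag")
            return "rejected: bad tag"
        device_id, counter = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
        command = body[HEADER_LEN:]
        # A valid tag is not enough: the counter must move forward, so a
        # captured frame sent again is refused and the attempt is logged.
        if counter <= self.last_counter.get(device_id, -1):
            self.log.append(f"rejected: replay from device {device_id}")
            return "rejected: replay"
        self.last_counter[device_id] = counter
        self.log.append(f"accepted {command!r} from device {device_id}")
        return f"accepted: {command.decode()}"


if __name__ == "__main__":
    ctrl = DoorController(DEVICE_KEY)
    frame = make_message(DEVICE_KEY, 7, 1, b"unlock")
    print(ctrl.receive(frame))  # accepted: unlock
    print(ctrl.receive(frame))  # rejected: replay
    print(ctrl.log)
```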
The Google team recommended that Software House undertake a “full whitebox security assessment of this application,” as it is “likely” other security vulnerabilities exist in the product range.
Another problem uncovered by the engineer is that older Software House devices do not have enough memory to accommodate firmware changes.
As a result, the company will not be applying security fixes to current hardware and only new systems will be protected against exploitation.
TLS could be used to secure the communication and work around the security issues, but this, too, poses a problem: it would require hardware and system overhauls at the physical sites that use older Software House products.
Google says that there is no evidence cyberattackers attempted to exploit the vulnerability. The company has also segmented its network to prevent the flaws from impacting the security of properties still using the vulnerable product range.
A Johnson Controls spokesperson, speaking for Software House, said "the issue was addressed with our customers." However, considering the firmware limitations of old hardware, which prevent a fix because of insufficient memory, and other alleged factors, addressing the issue seems to apply only to new circuit boards.
Google was lucky that it was one of its own white-hat engineers who unraveled this vulnerability.