Google's Project Zero team are familiar faces in the hunt for vulnerabilities and bugs but a security hole in the tech giant's own physical security network could have left them, as well as other employees, locked out of the office.
Luckily for Google, however, the way to circumvent the security system which kept unauthorized visitors out of Sunnyvale offices was found by one of its own engineers, rather than an individual without pure intentions.
David Tomaschik, an engineer at Google, decided to explore encrypted messages that were being sent across the firm's network by Software House devices; iStar Ultra and IP-ACM being some of the products on offer designed to improve the physical security of Google's offices.
Speaking to Forbes, the engineer said that after probing the messages and discovering they were not randomized, he also stumbled across a hardcoded encryption key used by all Software House devices.
With this key in hand, Tomaschik was able to replicate the key and hijack the security system, forcing it to open and lock, depending on his will.
Even when equipped with the RFID-based keycards which are required to enter the premises, the doors would then not submit to legitimate visitors or Google employees -- if he did not want them to.
The engineer tested out his findings and sent crafted, malicious code across Google's networks. The lights on his office door confirmed the findings by turning red to green, and the lock was also completely under his control.
Tomaschik described his findings at DEF CON 26 in the IoT village earlier this month.
The vulnerability, tracked as CVE-2017-17704, impacts the boards of the Software House products. These boards communicate with RFID-based badge readers, but the bug means that the fixed AES keys can be compromised, and there is no authentication of messages beyond the use of the encryption key.
"An attacker with access to the network can unlock doors without generating any log entry of the door unlock. An attacker can also prevent legitimate unlock attempts," the security advisory says. "Organizations using these devices should ensure that the network used for IP-ACM to iStar Ultra communications is not accessible to potential attackers."
The Google team recommended that Software House undertake a "full whitebox security assessment of this application," as it is "likely" other security vulnerabilities exist in the product range.
TechRepublic: Photos: 10 years of Google Chrome
Another problem uncovered by the engineer is that the firmware in older Software House devices does not have enough memory to cope with firmware changes.
As a result, the company will not be applying security fixes to current hardware and only new systems will be protected against exploitation.
TLS could be used to facilitate communication and work around the security issues, but this, too, poses a problem -- as this would need hardware and system overhauls at physical sites that use older Software House products.
Google says that there is no evidence cyberattackers attempted to exploit the vulnerability. The company has also separated its network to prevent the flaws impacting the security of properties still using the vulnerable product range.
A spokesperson from Software House owner Johnson Controls told the publication that "the issue was addressed with our customers." However, considering the firmware limitations of old hardware which prevents a fix, addressing the issue seems only to apply to new boards.
Google was lucky that it was a white hat engineer under its own umbrella that made the findings. Back in 2017, LockState was not so fortunate, after a flawed software update left countless customers of the smart door lock security system stranded and locked out of their own properties.
Previous and related coverage
- Wireshark fixes serious security flaws that can crash systems through DoS
- Meet ransomware which wears the face of former president Barack Obama
- Former Qualys exec charged with insider trading after protecting brothers from financial loss