A Google employee managed to manage the door opening system at the company's office due to a vulnerability in the software
If you do not deal with information security in the company, then it can be painfully painful
In July, a certain hacker was able to find a vulnerability in the automatic office management system of Google's office. He was able to open the doors without using an RFID key. Luckily for the company itself, the hacker was her own employee, who did the work for the benefit of her employer, and did not seek to harm him.
The corporation has an internal network through which data is transmitted, generated by smart systems of offices and buildings of the company. David Tomashik, the Google employee in question, simply sent the code he created to this network, after which the LEDs on the closed doors changed color from red to green - that is, the door was opened. The program itself was not so simple in the development - it was spent quite a lot of time to create it.
found the vulnerability in the software company Sofware House - Google partner, who developed security controllers for the corporation division from California.
He studied encrypted messages sent by Sofware House devices ( ? iStar Ultra
). These messages, as mentioned above, are sent by the company's internal network. It turned out that the messages are encrypted unreliable, they are sent with a certain frequency, and this can be used for their own purposes by an attacker. After a detailed study, Tomashik found out that the encryption key was sewn into the memory of all the devices of the specified company. This meant only one thing - the key can be copied and used for its own purposes.
It can be used not only to send phishing messages, but also for the purpose of executing any commands of the attacker. They will be considered equipment "legitimate" and run without blocking the source.
But that's not all. Tomashik determined that the attacker can perform all actions without logging actions. That is, roughly speaking, you can open any room, take it there or do everything you need, get out, and no one will ever know about it. Another interesting point - an attacker who has obtained the encryption key, is able to block the commands that employees of the corporation submit, and also keep any doors closed.
After the employee informed the management of his office, measures were taken. In particular, the company's network was segmented in such a way that hacking one sector did not affect the performance of other sectors. In addition, the iStar v2 Board encryption protocol has been changed to a more reliable one. The management believes that no one used the vulnerability this time, the company was lucky.
Nevertheless, Software House equipment is used by many companies. And the worst thing is that it does not reflash - for this, gadgets simply do not have enough memory. And for the transition to a new encryption protocol, for example, TLS, a company that is a software house client, will have to buy new systems. In addition to spending money, this means having to spend time on setting up a new infrastructure.
Vulnerability employee Google disclosed at the event DEF CON Internet of Things Village, which was held in early August. In total, participants in this event found 55 vulnerabilities in equipment and software from different manufacturers, including the most famous. For example, clever irrigation systems, Sonos acoustics and a wide range of IoT gadgets from Korean manufacturers turned out to be open to intruders.
Software House claims that it is already solving this problem with its customers. Whatever it was, but the situation confirms the axiom - the manufacturers of IoT-systems are more concerned with functionality and design than about the safety of their devices. And even companies that manufacture devices and software for enterprise security systems, their products often have extremely strange vulnerabilities, which can easily be eliminated even at the development stage.
While device manufacturers for smart homes and buildings do not pay attention to the issue of security, attackers can use with impunity a large number of various vulnerabilities and holes. An example is the worm Mirai, thanks to which appeared a large number of large botnets.
It may be interesting
Houston Embroidery Service
visit this site
visit this site