Perimeter Breached! Hacking an Access Control System

Conference:  Black Hat USA 2022

2022-08-11

Summary

The presentation discusses the discovery of 8 zero-day vulnerabilities in the LNL-4420 access control panel, leading to full system control and the ability to remotely manipulate door locks. The vulnerabilities were found by Trellix's Threat Labs team and could be exploited without access to the system firmware. The presentation also highlights the potential impact of such vulnerabilities on various industries and the need for timely updates and patches.

  • Trellix's Threat Labs team discovered 8 zero-day vulnerabilities in the LNL-4420 access control panel
  • The vulnerabilities could be exploited remotely without access to the system firmware
  • The vulnerabilities allowed for full system control and remote manipulation of door locks
  • The presentation includes a live demo of the exploit
  • The access control panel is widely used across multiple industries, including education, real estate, healthcare, transportation, and government facilities
  • Over 20 OEM partner vendors were also found to be vulnerable to the same issue
  • The presentation emphasizes the need for timely updates and patches to prevent such vulnerabilities

The presenters demonstrated how they could remotely unlock a door using the vulnerabilities they discovered in the access control panel. They explained that an attacker could exploit a vulnerability in an unrelated internet-connected device, such as a router or a firewall, to gain access to the network and attack the access control panel. The presenters also highlighted the potential impact of such vulnerabilities on various industries, including Fortune 100 companies, and the need for timely updates and patches to prevent such attacks.

Abstract

The first critical component to any attack is an entry point. As we lock down our firewalls and sophisticated routers, it can be easy to overlook the network-connected physical access control systems. According to a study done by IBM in 2021, the average cost of a physical security compromise is 3.54 million dollars and takes an average of 223 days to identify a breach. Carrier’s LenelS2 is a global distributor of HID Mercury access control systems, widely deployed across multiple industries including education, real estate, healthcare, transportation, and certified for use in federal and state government facilities. Trellix's Threat Labs team uncovered 8 zero-day vulnerabilities leading to remote, unauthenticated code execution on the LNL-4420 access control panel. When combined, these findings lead to full system control including the ability for an attacker to remotely manipulate door locks. To emulate a true nation-state level threat, our team began our research without access to the system firmware. During this presentation, we will deep dive into our hardware hacking process including the challenges faced such as bypassing the bootloader, hardware-based watchdog timers, and authentication. We will describe our use of emulation and provide a detailed walkthrough of the 8 discovered zero-day vulnerabilities, describing end to end exploitation using malware we designed to control system functionality. We culminate the talk with an impressive live demo featuring full system control, unlocking doors remotely without triggering any software notifications.
