Researcher Finds Over 60 Vulnerabilities in Physical Security Systems
A researcher has discovered more than 60 vulnerabilities across 20 physical security products, including critical flaws that can be exploited remotely to take complete control of a device.
The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) recently published an advisory to warn users of Honeywell’s MAXPRO video management system (VMS) and network video recorder (NVR) products that Austria-based researcher Joachim Kerschbaumer had identified two serious vulnerabilities that could allow hackers to take control of affected systems.
A research project driven by curiosity
Kerschbaumer told SecurityWeek that the flaws impacting the Honeywell products were discovered as part of a larger research project targeting 28 video management systems and 13 access control systems.
The researcher has worked in the physical security market for over ten years — mostly in software development and product security — and decided to review the cybersecurity of popular video surveillance and access control products.
Driven by curiosity, he tested the products of many important vendors in Europe and the United States in an effort to determine just how easy it would be for someone to find and exploit vulnerabilities.
For his tests, Kerschbaumer used a “timeboxed” approach where he would allocate only up to three evenings to each of the targeted systems. His analysis, which involved mostly manual testing supported by some custom tools, focused on remotely exploitable vulnerabilities related to web interfaces, APIs with network access, and services with proprietary protocols.
He obtained the targeted software — mostly ISO images and application installers — through Google searches that led him to the vendor’s own website or publicly open AWS S3 instances owned by subcontractors.
“Checking publicly available installation manuals and explicitly searching for file names mentioned in installation manuals also was quite effective,” Kerschbaumer told SecurityWeek. “But for every system I was able to get an installer via a public link using Google and patience.”
Over 60 vulnerabilities discovered across 20 products
Once he obtained the software, the expert set it up in an isolated virtual machine and performed some initial reconnaissance using an Nmap scan to identify the services that were installed and running, along with their permissions. He also inspected installation folders in an effort to identify the system’s tech stack.
“I’ve created some custom scripts/tools to enumerate possible services/application endpoints exposed by the binaries to get a quick idea on where to start,” the researcher explained. “After that it was more or less poking around, doing some reverse engineering exercises, and when I had the feeling that this might be misused/exploited I kept going until I was successful. I’ve also had to throw in the towel several times, but most of the time it was a lot easier than expected upfront.”
“Some vulnerabilities could be exploited using common free tools (mostly developer tools used for debugging as I was comfortable with them), while for others small custom exploits were needed (C#, Powershell or Python). This was quite helpful as these Proof of Concepts made it quite easy to demonstrate the vulnerabilities to the vendors and I did not yet had a case where a vendor did not acknowledge the vulnerability,” he added.
His analysis led to the discovery of vulnerabilities in 15 of the 28 targeted video management systems, and 5 of the 13 tested access control systems. He has identified 23 remote code execution vulnerabilities, 16 injection issues (SQL, XAML and command injection), 14 arbitrary file upload/download flaws, and 12 instances of hardcoded passwords and private keys.
Some of the more serious vulnerabilities he has identified can be exploited by a remote attacker — directly from the internet and without authentication — to take complete control of the targeted machine.
He has identified hundreds of internet-exposed systems, including ones owned by industrial complexes, prisons, banks, airports and public transportation organizations.
“For other systems I also found several vulnerabilities that allowed access to system internals and data without authentication via HTTP endpoints, which would allow an attacker to download system configuration or cameras with not more than a browser sometimes,” Kerschbaumer said. “I’ve done some sample checks for validation — e.g. camera name screening — which led to the conclusion that banks and prisons have vulnerable publicly accessible systems out there.”
He added, “If you leave out public web access, the picture gets a lot worse if you consider an attacker having access to a local network. 10 out of 28 systems contained remote code execution bugs that led to full system compromise in every case. Some systems even contained several of them.”
As a result of his research, Kerschbaumer has also identified several common issues that could pose a serious cybersecurity risk, including the execution of services with SYSTEM privileges, the lack of TLS validation, exposed and unprotected APIs, unsafe deserialization issues, and insecure software update mechanisms.
“Finding severe vulnerabilities in ‘security related software’ turned out to be much easier than expected,” the researcher said. “I did not expect to find so many severe vulnerabilities in the limited time frame. I assume due to the target environments of these systems, there’d have been plenty of professionally conducted penetration tests for these systems. Therefore I was even more surprised that the vulnerability ‘yield’ was that high.”
Responsible disclosure and vendor responses
Kerschbaumer has been working to contact affected vendors, either directly or through CERTs. He initially attempted to contact all vendors directly, but he soon realized that it was a difficult and often frustrating process due to the lack of proper vulnerability disclosure programs and policies, which is why he turned to the help of CERTs. “[CERTs] helped out a lot and if I could start all over I’d let them handle all responsible disclosures,” he noted.
Kerschbaumer says he has yet to contact all of the impacted vendors, but plans on doing so in the upcoming period.
Of the vendors that have been informed — some of them have already released patches while others are working on patches — the researcher mentioned Mirasys, March Networks, UTC/Interlogix, Panasonic, Johnson Controls and OnSSI. Of these vendors, Panasonic and Johnson Controls were highlighted as positive examples of how a company should handle vulnerability reports.
“Responsible disclosure is hard. Really hard,” Kerschbaumer concluded. “A lot of vendors have processes established for such scenarios, have a public disclosure policy and contact information. About half of them are also able to execute this process. Sometimes it was really a pleasure to report a vulnerability as it was handled fast and in a professional way. Most of the time however it was frustrating or hardly possible and it turned out to be a motivation killer.”