Criminals could waltz into secure zones in airports and government facilities by hacking and jamming open doors from remote computers over the Internet, DVLabs researcher Ricky Lawshae says.
The since-patched vulnerabilities affect HID's flagship VertX and Edge controllers which are distributed in scores of busy locations and large global enterprises.
The devices are used in airports including Nanchang Changbei International Airport and the Southern Ohio Medical Center.
Popping the controllers grants attackers access to locks and alarms, and makes it "impossible" for administrators to regain command of the doors.
All it takes Lawshae says is "a few simple UDP packets" for the "potentially devastating bug" to be exploited. Authentication is not required.
Lawshae says the attacks, which can open every door in a building, are possible because of a command injection vulnerability in a LED blinking lights service.
"A command injection vulnerability exists in this function due to a lack of any sanitisation on the user-supplied input that is fed to the system() call," Lawshae says.
"Instead of a number of times to blink the LED, if we send a Linux command wrapped in backticks, like `id`, it will get executed by the Linux shell on the device.
"To make matters worse, the discovery service runs as root, so whatever command we send it will also be run as root, effectively giving us complete control over the device."
The LED service Lawshae messed with is part of a reply door controllers would send to the central remote management service in response to a UDP discoveryd probe.
Normally the response contains information such as MAC address and firmware versions, and the blinking LED pattern service. ®