Needless to say, access control is a core component in the security of an end user organization. However, the security of access control can be overlooked. Specifically, being an IoT device, the access control reader is as vulnerable to IoT security issues as any other device sitting on the network.
That was the point raised in a recent blog post by Armis, which suggests that end users have visibility into all IT devices in the organization, access control readers included, to maintain IoT security.
According to the post, a badge reader may not strike people as an internet of things (IoT) device, but it is.
“The mainstream concept of IoT usually revolves around devices like connected thermostats, connected cameras, or connected refrigerators. That’s one of the reasons why IoT security is such a crucial issue for enterprises. There is little awareness or understanding about the broad range of connected devices that pose a risk and that need to be protected from an IoT security perspective,” the post said. “Anything that has an IP address and can communicate over the network is a potential target for cyberattacks. A successful compromise of a badge reader system could give an attacker physical access to facilities which is a very serious matter in many locations — think airports, refineries, power plants, hydroelectric dams. It also gives an attacker an entry point to attack other assets on the network — think credit card data and human resources data.”
Threats posed by insecure readers
The post further cited a recent incident at Google that illustrates how vulnerable some door access control readers are. “A Google engineer recently discovered vulnerabilities in the controllers that manage physical access at the Google campus where he works. With not much effort, he was able to whip up code he used to exploit the flaw, and voila! He was able to unlock doors remotely without a badge,” the post said.
It further added that clever hackers can just as easily take that system hostage with ransomware and use that attack to spread ransomware laterally to other devices on the network. “Many of these systems run on older operating systems like Windows XP which aren’t just end-of-life, they’re end-of-support,” the post said. “That leaves them without critical patches and security updates that can protect them against very real threats like WannaCry.”
This could lead to dire consequences, the post said. “Downtime from being locked out of a badge reader system could have significant repercussions. Manufacturing plants could be left at a standstill. Customers and staff could be kept away from shopping at retail stores. Or worse, critical resources like police, fire, and medical staff could be locked out of facilities, impacting the health and safety of the public,” it said.
A different approach to IoT security
According to the post, flaws on unpatchable, unfixable systems will exist on that equipment forever, and the only way to completely solve the problem is to replace the hardware itself. While network segmentation is implemented by some end user entities, it is not a sufficient security strategy, it added.
“The U.S. Department of Homeland Security warned everyone last April that network infrastructure is highly vulnerable, and once you compromise a switch or router, you can roam free throughout the network,” it said. “Organizations need a different approach to security that encompasses IoT. Effective IoT security starts with comprehensive visibility. You need to be able to effectively and accurately inventory, assess, and monitor all devices connected to your network — especially legacy and unmanaged devices.”
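As an added illustration of the "inventory, assess, and monitor" step (example code written for this article, not Armis's own tooling), the script below runs a few assessment rules over a constructed device inventory: it flags devices on an end-of-support operating system such as Windows XP, devices that are not managed or monitored, and badge readers that sit on the same network segment as ordinary workstations. The inventory records, the VLAN numbers and the end-of-support list are all constructed for the example.

```python
"""Added example, not from the Armis post: a minimal inventory assessment
flagging end-of-support operating systems, unmanaged devices such as badge
readers, and readers that share a segment with workstations. All records below
are constructed sample data."""
from dataclasses import dataclass

# Constructed end-of-support list; Windows XP is the one the post cites.
END_OF_SUPPORT = {"Windows XP", "Windows Server 2003"}


@dataclass
class Device:
    name: str
    ip: str
    vlan: int        # network segment the device sits on
    os: str
    role: str        # "badge-reader", "workstation", ...
    managed: bool    # has an agent / appears in the IT asset register


def assess(devices):
    """Return a list of (device name, finding) tuples for the inventory."""
    findings = []
    # Segments that carry ordinary workstations: a reader on one of these
    # is not isolated from the user network, whatever the segmentation plan says.
    user_vlans = {d.vlan for d in devices if d.role == "workstation"}
    for d in devices:
        if d.os in END_OF_SUPPORT:
            findings.append((d.name, f"end-of-support OS: {d.os}"))
        if not d.managed:
            findings.append((d.name, "unmanaged device: not inventoried or monitored"))
        if d.role == "badge-reader" and d.vlan in user_vlans:
            findings.append((d.name, f"physical-access device shares VLAN {d.vlan} with workstations"))
    return findings


# Constructed sample inventory (names, addresses and VLANs are made up).
SAMPLE = [
    Device("lobby-reader-1", "10.0.10.21", 10, "Windows XP", "badge-reader", False),
    Device("dc-reader-2", "10.0.50.5", 50, "Embedded Linux", "badge-reader", True),
    Device("alice-pc", "10.0.10.44", 10, "Windows 10", "workstation", True),
]

if __name__ == "__main__":
    for name, finding in assess(SAMPLE):
        print(f"{name}: {finding}")
```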