The first critical component of any attack is an entry point. As we lock down our firewalls and sophisticated routers, it is easy to overlook the network-connected physical access control systems. According to a 2021 IBM study, the average cost of a physical security compromise is $3.54 million, and such a breach takes an average of 223 days to identify.
LenelS2 is a global distributor of access control systems that are widely deployed across industries including education, real estate, healthcare and transportation, and that are certified for use in federal and state government facilities.
Trellix's Threat Labs team uncovered 8 zero-day vulnerabilities leading to remote, unauthenticated code execution on versions of the LenelS2 Mercury access control panel. When combined, these findings give an attacker full system control, including the ability to remotely manipulate door locks. To emulate a true nation-state-level threat, our team began the research without access to the system firmware. During this presentation, we will deep dive into our hardware hacking process, including the challenges we faced: bypassing the bootloader, the hardware-based watchdog timers, and authentication. We will describe our use of emulation and provide a detailed walkthrough of the 8 discovered zero-day vulnerabilities, describing end-to-end exploitation using malware we designed to control system functionality. We culminate the talk with a live demo featuring full system control, unlocking doors remotely without triggering any software notifications.
Steve Povolny is the Head of Advanced Threat Research for Trellix, which delivers groundbreaking vulnerability research spanning nearly every industry. With well over a decade of experience in network security, Steve is a recognized authority on hardware and software vulnerabilities, and regularly collaborates with influencers in academia, government, law enforcement, consumer groups and enterprise businesses of all sizes. Steve is a sought-after public speaker and media commentator who often blogs on key topics. He brings his passion for threat research and a unique vision to harness the power of collaboration between the research community and product vendors, through responsible disclosure, for the benefit of all.
Sam Quinn is a Senior Security Researcher on the Advanced Threat Research team, focused on finding new vulnerabilities in both software and hardware. Sam specializes in embedded devices, with expertise in reverse engineering and exploitation. He has numerous vulnerability findings and published CVEs in the areas of IoT and enterprise software.