December 20, 2023 at 02:50PM
Otorio researchers demonstrated at Black Hat Europe 2023 how attackers can exploit access control systems installed on secure facility doors to gain unauthorized building access and breach internal IP networks. They highlighted vulnerabilities in modern physical access control systems (PACSs), particularly those using the Open Supervised Device Protocol (OSDP), urging security teams to conduct comprehensive pen-testing reviews to prevent potential threats.
The key takeaways are:
1. Cyberattackers are capable of exploiting access control measures in secure facility doors to gain unauthorized building access and breach internal IP networks.
2. Researchers at Otorio demonstrated during a closed-door session at Black Hat Europe 2023 how attackers can subvert modern physical access control systems (PACSs), especially those using the Open Supervised Device Protocol (OSDP).
3. The demonstration revealed vulnerabilities in OSDP, allowing man-in-the-middle attacks on the serial connections behind readers, bypassing tamper protections, unlocking doors for unauthorized physical access, and then exploiting access controllers to pivot to the internal IP network.
4. Lateral movement from a building’s front door to the internal network is considered an unprecedented scenario, prompting Otorio to urge security teams to review PACS through comprehensive pen-testing to prevent potential threats such as data exfiltration and ransomware.
These takeaways highlight the significant security risks associated with modern physical access control systems and the urgent need for robust security measures to mitigate potential breaches.