September 25, 2024 at 08:48AM
Researcher Shawn Merdinger discovered a serious vulnerability in a US healthcare facility that allows threat actors to hack its building doors. The vulnerability stems from the exposure of the facility’s door access system to the internet and the use of default credentials. The facility has denied the findings, and some organizations and government agencies have reportedly failed to take action despite being notified.
Merdinger conducted a cybersecurity research project called Box of Rain, which identified nearly 40 instances of buildings with hackable door controllers. One of the impacted buildings belongs to the healthcare organization Cedars-Sinai, where the S2 door access system is exposed to the internet, with an easily discoverable web interface that is accessible using default credentials.
The researcher has responsibly disclosed the findings to impacted organizations and US government agencies, but there are challenges in getting the issues addressed. For example, despite being notified, Cedars-Sinai denied that the issues found by Merdinger affect its facilities. Additionally, government agencies such as CISA and Health-ISAC, though notified, apparently failed to take action to address the vulnerabilities.
Building access systems are known to be affected by many vulnerabilities, and in some cases vendors have taken several years to patch them even when there was evidence of malicious exploitation.
In summary, the researcher’s findings indicate a serious vulnerability in the S2 door access system at Cedars-Sinai and raise concerns about the organization’s and government agencies’ responses to the disclosed vulnerabilities. Addressing these security weaknesses in a timely manner is crucial to prevent potential malicious exploitation and protect the security of the healthcare facility.