Last July, in Google’s Sunnyvale offices, a hacker found a way to trick doors into opening without the requisite RFID keycard. Luckily for Google, it was David Tomaschik, an employee at the tech giant, who only had good intentions.
When he sent his malicious code across the Google network, he saw the lights turn from red to green on the door to his office. Then came the satisfying thunk as the lock opened. It was the culmination of work in which Tomaschik had uncovered vulnerabilities in technology made by Software House, the creator of the office controllers managing the physical security of the California site.
Last summer, when Tomaschik looked at the encrypted messages the Software House devices (called iStar Ultra and IP-ACM) were sending across the Google network, he discovered they were non-random; encrypted messages should always look random if they’re properly protected. Intrigued, he dug deeper and discovered that a “hardcoded” encryption key was used by all Software House devices. That meant he could effectively replicate the key and forge commands, such as those asking a door to unlock. Or he could simply replay legitimate unlocking commands, which had much the same effect.
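An added example, not code from the article or from Tomaschik's research: one way a defender reviewing a device protocol could test captured ciphertext for the kind of non-randomness described above. It assumes the symptom is repeated 16-byte blocks (the article does not say what pattern was seen); the key, the traffic and both "encrypt" helpers are constructed one-way stand-ins that model only the repetition behaviour.

```python
import hashlib
import hmac
import os
from collections import Counter

BLOCK = 16  # assumed block size in bytes; the article does not state one

def repeated_block_ratio(messages, block=BLOCK):
    """Fraction of ciphertext blocks whose value appears more than once in the capture."""
    blocks = [m[i:i + block] for m in messages
              for i in range(0, len(m) - block + 1, block)]
    if not blocks:
        return 0.0
    counts = Counter(blocks)
    return sum(n for n in counts.values() if n > 1) / len(blocks)

def looks_non_random(messages, threshold=0.01):
    """Flag a capture in which repeats are far more common than chance allows."""
    return repeated_block_ratio(messages) > threshold

def _prf(key, data):
    # Keyed stand-in for one block-cipher call (HMAC-SHA256 truncated to a block).
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]

def static_key_encrypt(key, plaintext):
    """Constructed stand-in: fixed key, no IV, so equal blocks give equal output."""
    return b"".join(_prf(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))

def fresh_nonce_encrypt(key, plaintext):
    """Constructed stand-in: a random per-message nonce is mixed into every block."""
    nonce = os.urandom(BLOCK)
    body = b"".join(_prf(key, nonce + i.to_bytes(4, "big") + plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))
    return nonce + body

# Constructed sample traffic: 48-byte status messages that differ only in a counter.
KEY = b"constructed-demo-key"
PLAINTEXTS = [b"HDR:controller01" + b"door=12;st=lock;" + b"seq=%012d" % n
              for n in range(8)]
STATIC_CAPTURE = [static_key_encrypt(KEY, p) for p in PLAINTEXTS]
FRESH_CAPTURE = [fresh_nonce_encrypt(KEY, p) for p in PLAINTEXTS]

if __name__ == "__main__":
    print("static key, no nonce:", round(repeated_block_ratio(STATIC_CAPTURE), 3))
    print("per-message nonce:  ", round(repeated_block_ratio(FRESH_CAPTURE), 3))
```

With a fixed key and no per-message randomness, the two unchanging plaintext blocks repeat in every message, so two thirds of the captured blocks are duplicates; with a fresh nonce per message none are.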
Tomaschik also discovered he could do all this without any record of his actions. And he could prevent legitimate Google employees from opening doors. “Once I had my findings it became a priority. It was pretty bad,” he told Forbes. Google then moved quickly to prevent attacks on its offices, according to Tomaschik.
A Google spokesperson said there was no evidence the doors had been exploited by any malicious hackers. The iStar v2 Board now uses a more suitable form of encryption, known as TLS, which goes some way to fixing the issue. Meanwhile, Google has segmented its network in order to provide protection for the vulnerable systems still in its properties, the spokesperson added.
But problems likely remain for others using the vulnerable Software House tech. Tomaschik said Software House had come up with solutions to fix the problem, though switching to TLS would require a change of hardware at the customer site. That’s because the Software House systems didn’t have enough memory to cope with the installation of new firmware, Tomaschik said.
A spokesperson for Software House owner Johnson Controls said: “This issue was addressed with our customers.” They didn’t respond to a question on the need to replace physical devices.
Tomaschik told Forbes the flawed Software House tech was likely to be deployed widely, inside and outside Google, as there are only a handful of companies making such office controls. That means that all manner of other businesses could be open to attack by hackers-turned-robbers.
IoT Hacking Village
Many other so-called Internet of Things devices remain vulnerable.
Tomaschik gave his talk on hacking his employer’s doors in early August at the DEF CON Internet of Things Village, where all manner of IoT tech was hacked. In results exclusively handed to Forbes, the IoT Village organizers from Independent Security Evaluators disclosed that a whopping 55 vulnerabilities were uncovered across an array of devices.
That included a smart irrigation system, Sonos speakers and a range of home hub devices made by various Korean manufacturers.
So it’s not just smart homes that are vulnerable, but smart buildings of any kind. And the damage could well extend out of the digital realm.