Added: 1 year ago
From: videocalls
Views: 122,157

All Comments (73)

  • crappy music

  • Did you hack the video too? The music kept on playing when the video ended D:

  • Sweet.

  • I WANT!!

  • Congratulations man! You managed to make it onto Popular Science, my favorite magazine!!

  • POOL IS CLOSED!

  • For remote management by a Mgmt Company.. Very common.

  • @Nikosgeor - Or the auth was weak and broken as a part of the vulnerability... Which is the case as it is hard coded and not adjustable within the app or by the user, a flaw we can't disclose or anyone would be able to exploit. Don't apply that this system used best practice at this point. It is widely used here in the US and other countries.

  • Impossible if you think about it, all info must be known by this guy. IP address, port, access code for system, access code for database, authority level to open doors etc., etc., etc. All security levels at factory defaults maybe??? With factory password (it does happen)

  • @LouisAVD1 - Not true.. No matter what you set the SW configuration to, we can get in. Only taking it off the Internet would take away the super easy access, but it would be easy to target a fingerprint in some code to find them on an internal system and then go down the targeted process to gain access.

    No Hoax, read the Engadget article, validated by a Security Pro.

  • Nothing is as easy as it looks... this access control system has a huge security hole. Since it's connected to a TCP/IP network and requires no authentication to get commands... So if the video is real (and not a HOAX) the whole access control system is crap... I suggest you keep your doors unlocked all the time!

  • @NIKOSGEOR - almost as easy... You still have to know what we do in how to find them and what to configure.. So locking your doors will help until 'they' find you.

  • @videocalls

    Look, as a guy who deals every day with access control systems I can assure you that most of the systems out there require more than the IP address and the communication port. You have to give more info about the system architecture to make me believe that this is a professional access control solution. In any case "Caribu" sends a TCP command to a device connected to the network... so this is the first drawback for the access control. In addition the authentication credentials must be known

  • WTF are locks internet connected???

  • @MrBjoey2010 - in this case yes, but we can do this on the local LAN too if we have access by phone or laptop or some PC or script executed off a thumb drive for example.

  • Awesome :)

  • At 0:44 it sounds like the kid said "A leopards vagina."

  • FAKE N GAY

  • pin 0 worked... seems like there is some kind of default access code...

  • @MrKellerdelirium - does not matter what IP or Port is or the Pin used... We can find that info and adjust the app as you can see on the video.. Two items can be entered, the rest is coded to take care of the unknowns.

  • @kprez007 - It's all about the system, if you design an Ethernet port, you need to think about securing the system and that is only done by the design and implementation of the system.

  • If you have a system like that public-facing or accessible over a wireless network, you're an idiot and deserve to be broken into.

  • Why is a door connected to a network anyway?

  • @Stonos22 remote access maybe?

  • @xeroaxlvx - would help, but that would significantly change the way these are used and remotely managed currently, but would be best to secure them from this threat. Add a system that you remote into and then use a local PC to manage the app.

  • @Stonos22 - The Internet in this case, but would apply to internal systems as well, just a little harder to identify them.

  • @videocalls Still, why is a door connected to the internet?

  • @Stonos22 - To entertain people like us.. ;-)

  • @Stonos22 hi there, mixalopoule!

  • @Stonos22 The network connection seems to be plausible, for instance you have a company and all your workers have RFID cards to access certain rooms or buildings much like many universities have, and if one of your workers needs to go to a certain building or room he usually has no authorisation for, he can easily remotely get authorisation for his card for a limited time.

    The question should be why isn't the network secured via a firewall or a virtual private network.

  • If you don't know why we showed this, then your system is secure enough... ;-)

  • @videocalls It has nothing to do with the system. It's the network...

  • Yup... Kids like my dog

  • Badge and pin should be OK.. But if they send the pin over the network in the clear that would be bad

  • Yup... MI was added for entertainment value

  • Nope.. No WiFi was used, No RFID cloning, BT, Ir or anything else to do with the card...

  • @videocalls And how the hack does it work? How does the smartphone connect to the doors? Can this work on hotel doors too? :D or? Also, where does this IP come from? How does the app find it? Has anyone tried this? :O

  • @vedranart - You won't find this app in the Droid store.. We will never release it to the public unless all the vulnerabilities that allow this to work are remediated. Which is likely never. Vendor may fix it, but users are likely not to know or ignore an upgrade.

  • How do you get that IP in the first place? Is it a wireless access point?

  • @Xeon06 - No WiFi was used in this exploit

  • Did the creator of this add Half-Life sound effects?

  • Hey kids hack into your communal pool and drown when there isn't a lifeguard around :-)

  • listen to the kid in the background at 0:44

  • How does this fare against systems that use a badge + pin combo?

  • @scotterdoos He got into the system and unlocked the doors. It has nothing to do with the card or PIN...

    He is on the network.

  • Also what if the ip address and port are encrypted through a router?

  • @extremegymguy - That would be good to do, but some of the exploit may still be there. We will be working on writing some documentation for implementation and remediation so everyone can resolve the issue. And providing feedback to the vendor as well. Implemented correctly, encryption would solve the issue.

  • Will this also work on card entry systems whereas you have to slide the barcode of the card through the narrow opening of the system... You know, much like a credit card machine?

  • @extremegymguy - Yes, the reader is just an entry point, it can be card swipe or Wiegand or RFID as that is not where we focus the Sploit.

  • this is fake... or the man who made the app is the owner of the gates.

  • @KingpinEX - I would think a leading expert in Pen Testing would disagree with you... Watch his video validating our exploit.

    vimeo com / 21137418

  • do want

  • do want

  • @felipeapolanco - Yup, but would work if you were on a local LAN via WiFi too... or a DoDad as already mentioned... Plug PC or Crafted malware... lots of options.

  • it works only if the local site has unencrypted wifi, or the person in the video knows the encryption key for the networked controller or the network has an open port and the person with the phone knows all that info already...

  • @duumnuts - No WiFi needed.. though that would make it ever more stoopid easy. No encryption key needed either. Yes the network has to have an open port, Internet or LAN. Say we Social Engineered a piece of java script on say a thumb drive with some auto launch Cruiser, etc.... then maybe gain access via Social Engineering and added a small device like a Plug computer that has the code to search and exploit. We could NEVER get someone to find a 8GB thumb drive on the ground of a building...

  • @felipeapolanco

    yes, you prez de internetz button an de doors disuhpeer !!!!!!@#!@#!@#@!

  • @felipeapolanco Not quite the internet but yes they are networked!

  • @Dmohamed89 - Many ARE on the Internet.... was not designed for it and thus... Warning Will Robinson...

  • That is redic!

  • @felipeapolanco

    seems like it, but i smell a fake video somehow

  • @Dcomicboyisback - Feel free to come by and see the real thing..., NOT fake... Advisory has been filed with US-CERT and the Vendor(s). We are working with them to resolve the issue.

    Once we do, we will disclose what we know so you can check to see if a card key system you have is vulnerable...

    hacker hurricane DUH KOM for the Blog

  • @videocalls

    sorry to call it fake, i mean its totally feasible that it could work, its just like usually videos like this tend to be a fake. but from what i've seen android/iOS be able to actually do, the more reasonable this becomes

  • @Dcomicboyisback - It is just a Java app that runs the code needed to do the gate opening which is the part we figured out doing the research.

  • @videocalls

    lol i had 3 people on another forum ask me to find the APK file of this app. i'd keep this private if i were you though haha

  • @Dcomicboyisback - We will... NOT available for public consumption...

  • @videocalls

    still a very nice find. i've seen this done before on computers, never thought i'd see it on a phone

  • @videocalls then what's the point of showing it?

  • How can I get this from?

  • @scarx1992 - Uhhh yeah... Nope... not on the Android Store... Responsible Disclosure and all.. we need to protect the Vendor until we resolve and mitigate the issue, or at least document the remediation...

    Professional and all... We need to practice Ethics with stuff like this.

  • WOOOOOOOOOOWHHH !!!
