 Sam and I spent a while on this research project and we found eight vulnerabilities in the access control panel that manages It's connected to these card readers and we can use it to essentially force them to open the doors for us Using triggering these vulnerabilities over the network that they're connected to we can choose to lock or unlock the door And we can avoid all detection even with the logging systems that are meant to capture those attempts This guy's just kind of a dumb thing that's connected to the strike in there It opens and closes electronically the actual panel is behind the board here It's typically going to be in a server closet in a facility But it's wired through the building and connected into the door just like we have in our demo system here the panel itself It controls this remotely is what we are actually hacking and I'm calling up Sam I'm standing here and I can't get into the door and Sam's remotely connected to the network with his laptop And he's running our exploit on that network Which is connecting to the door panel back in the server closet or wherever in the building it is It's triggering those vulnerabilities. He's exploiting it and actually the way that we wrote the exploits It'll call back to us the attackers on the laptop We're running it from in the parking lot or wherever it is and we can actually complete the exploit remotely So we don't have to be really within physical proximity at all to get this The hackers will do that all the time We'll take internet connected devices that are completely unrelated to this door right a router or a firewall is not related to this door But if it has a vulnerability that gets you in the virtual door on the network now all of a sudden We have a way to attack this device We've exploited a command injection vulnerability in the controller for the hosting the device and that vulnerability actually allows us to Connect to the door itself What you'll see now is if we listen carefully to the door It's now unlocked remotely over the network and we can open it go in so Sam Just ran that from the parking lot and now I'm into the secure facility We're running locally from the controller right to here the on-guard server actually never even knows that we've gone into or out of this Building with our hacks. It could be two in the morning. Nobody's gonna be unionized This panel that we actually found vulnerabilities on has over 20 OEM partner vendors that were vulnerable to the same issue And that's we're talking tens of millions of controllers at sites worldwide The vast majority of the fortune 100 companies then the install base of these devices is massive How many of them are actually vulnerable? Well, that depends on the version of the board They're running and whether they've updated or patched the noise