A Google engineer discovered a vulnerability in the third-party system controlling access to doors across its campus in Sunnyvale, California, and took the opportunity to prove that he could bypass any RFID keycard-operated lock in the facility, Forbes reported on Monday. According to Forbes, employee David Tomaschik discovered that Software House devices connected to Google’s network used an unsecure, hardcoded encryption key, and launched the attack to prove the consequences that could arise: Last summer, when Tomaschik looked at the encrypted messages the Software House devices (called iStar Ultra and IP-ACM) were sending across the Google network, he discovered they were non-random; encrypted messages should always look random if they’re properly protected. He was intrigued and digging deeper discovered a “hardcoded” encryption key was used by all Software House devices. That meant he could effectively replicate the key and forge commands, such as those asking a door to unlock. Or he could simply replay legitimate unlocking commands, which had much the same effect. Tomaschik was also able to use his knowledge of the vulnerability to impede other Google staffers’ access to parts of the building. Worst of all, he could do all of this without leaving any trace: Tomaschik also discovered he could do all this without any record of his actions. And he could prevent legitimate Google employees from opening doors. “Once I had my findings it became a priority. It was pretty bad,” he told Forbes. Google then moved quickly to prevent attacks on its offices, according to… [Read full story]
You are here: / / A Google Engineer Discovered a Vulnerability Letting Him Take Control of Keycard-Controlled Doors
Gizmodo is a design, technology, science and science fiction website that also features articles on politics. It was originally launched as part of the Gawker Media network run by Nick Denton, and runs on the Kinja platform.