"Researcher Says Healthcare Facility’s Doors Hackable for Over a Year"
A security researcher recently launched a project with the goal of showing that physical access control vulnerabilities still impact many organizations. The researcher noted that he documented nearly 40 instances of buildings that last year had hackable door controllers. He is now going through all the findings again to determine which of the buildings are still vulnerable, considering that more than a year has passed. The researcher claims the findings were responsibly disclosed to impacted organizations and US government agencies. The researcher noted that while some organizations have addressed the security holes after being notified, others have not.

The researcher says one case that stands out impacts a building apparently belonging to the Los Angeles-based healthcare organization Cedars-Sinai. The researcher noted that the S2 door access system associated with the impacted facility is exposed to the internet, is easily discoverable, and has a web interface that can be accessed using default admin/admin credentials.

The researcher says a hacker could leverage this weakness to open doors or schedule doors to open at specified times, add or modify staff privileges (an adversary can be added), learn when certain people arrive or leave, disrupt the system and prevent doors from opening, and use the compromised access controller for further attacks on the network. The researcher said the web interface associated with the Cedars-Sinai building was still accessible with default credentials as of the morning of September 24.
SecurityWeek reports: "Researcher Says Healthcare Facility’s Doors Hackable for Over a Year"