Modern PACS designed to enhance building security inadvertently serve as entry points into internal IP networks.
TEL AVIV, Israel , Dec. 19, 2023 /PRNewswire/ -- OTORIO, a leading cybersecurity company, recently revealed groundbreaking research on the security risks associated with modern Physical Access Control Systems (PACS), presented at Black Hat Europe 2023.
Key highlights
- Bypassing the latest physical security access control systems, allowing unauthorized access to secure facilities.
- Demonstrating how attackers can breach internal IP networks directly from outside the front door.
When the Front Door Becomes a Backdoor: The Security Paradox of OSDP
During the 40-minute virtual closed-door session, Eran Jacob, Head of Research, and Ariel Harush, Security Researcher, exposed the paradoxical nature of modern Physical Access Control Systems (PACS) situated at the front doors of various facilities. Contrary to their primary purpose of enhancing security, these systems, especially those utilizing the Open Supervised Device Protocol (OSDP), inadvertently created a potential entry point into the organization's internal IP network.
"We successfully bypassed the latest physical access control systems, exposing potential vectors for unauthorized facility access," says Eran, "Our findings illuminate a paradox in the technological advancement of these devices—as they incorporate additional security features, they also increase complexity and introduce new risks. During our research, we demonstrated how this could potentially enable attackers to compromise the physical barriers and penetrate the internal IP networks right from the gate of the secure site."
The research demonstrates how cyber attackers could exploit supposedly secure doors equipped with the latest building access control measures. The attackers could rapidly establish a Man-in-The-Middle on the serial connection behind the reader, overcome tamper protection, bypass OSDP for unauthorized physical access, and exploit access controllers for breaching the internal IP network over the serial channel. This discovery raises concerns about the security of devices utilizing OSDP, highlighting the need for a comprehensive revaluation of building access control measures.
Implications for Building Security
As PACS communication has evolved, it has brought about crucial security enhancements but, at the same time, simultaneously introduced a new attack surface. While unauthorized access is not a new threat, the alarming revelation made by OTORIO was the possibility of lateral movement from the front door into the internal network - an unprecedented scenario.
OTORIO remains committed to advancing cybersecurity awareness and providing innovative solutions to mitigate emerging threats. For more information about OTORIO and its research initiatives, please visit.
About OTORIO:
OTORIO is a provider of OT Security solutions delivering a Cyber Risk Management Platform designed to support every stage of the maturity journey, from unmatched visibility to tailored risk management. OTORIO's platform enables organizations to make informed decisions that boost security ROI and meet KPIs. The platform leverages operational context for risk analysis, generating insights that empower stakeholder collaboration to prioritize risk reduction and optimize resource allocation. With continuous monitoring and automated reporting, OTORIO's platform ensures resilient, compliant business operations and robust supply chain governance.
OTORIO, established in 2018 by experienced IDF cybersecurity experts and founding partner Andritz, is dedicated to seamlessly protecting ICS-CPS environments.
For media inquiries and interview requests,
please contact:
Sara Flack
[email protected]
Logo: https://mma.prnewswire.com/media/2004395/4272499/Otorio_Logo.jpg
SOURCE Otorio
Share this article