Vulnerabilities in Industrial Control Systems Lets Attackers Remotely Unlock Doors

In total, eight zero-day vulnerabilities have been detected in Carrier’s industrial control systems (ICS) which, if exploited, allow attackers to take full system control, including “the ability for an attacker to remotely manipulate door locks.”

Vulnerability researchers at XDR firm Trellix Threat Labs have discovered eight zero-day vulnerabilities in the commonly used industrial control systems provided by HVAC giant Carrier.

Researchers claim that these vulnerabilities impact the access control products using HID Mercury controllers and can allow hackers to unlock doors remotely. The 0-days are tracked as:

  1. CVE-2022-31479
  2. CVE-2022-31480
  3. CVE-2022-31481
  4. CVE-2022-31482
  5. CVE-2022-31483
  6. CVE-2022-31484
  7. CVE-2022-31485
  8. CVE-2022-31486

Image credit: Trellix

For your information, Trellix was launched in 2022 after the merger of FireEye and McAfee Enterprise.

Details of the Flaws

Among the eight 0-days, seven have been assigned a high or critical severity rating, with most carrying a CVSS score of 7.5. Reportedly, the 0-days affect the LenelS2 Mercury access control panel, which controls access to facilities and integrates with complex building automation deployments.

LenelS2 is a subsidiary of Carrier and offers physical security solutions. Trellix researchers noted that all OEM partners using specific hardware controllers are impacted by these flaws. 

Our research was performed on Carrier’s LenelS2 access control panels, manufactured by HID Mercury and used by organizations across healthcare, education, transportation, and government physical security. Through this work, we found eight zero-day vulnerabilities leading to full system control, including the ability for an attacker to remotely manipulate door locks.

Trellix – Blog Post

Researchers found the flaws through software reverse engineering and hardware hacking. They then developed a PoC (proof-of-concept) exploit to demonstrate how an attacker could unlock a door and disrupt monitoring systems.

Potential Dangers

The flaws could be highly disruptive because Carrier’s LenelS2 Mercury panels are used by hundreds of organizations across critical sectors, including health care, education, transportation, and even federal government agencies.

According to Trellix’s senior security researcher, Sam Quinn, these systems must not be exposed to the internet. These systems should be used with a firewall instead of directly connecting to the internet.

Furthermore, the flaws can be exploited for command injection, remote code execution, denial-of-service, writing arbitrary files, and information spoofing. Attackers can exploit most of the vulnerabilities without needing authentication. However, they would need a direct connection to the targeted system. 
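Because most of these flaws need no authentication but do need a direct network path to the panel, the practical defensive question is whether anything outside the management network can reach the panels at all. The script below is an added example for this article, not code from Trellix, Carrier or HID: it audits firewall flow logs for allowed connections into an access-control panel subnet that originate anywhere other than the approved management subnet. The subnets, ports, and log line format are constructed assumptions and should be replaced with your own network layout and log source.

```python
"""Audit firewall flow logs for traffic that reached an access-control
panel subnet from anywhere other than the approved management network.

Added example for the article, not code from Trellix, Carrier or HID.
Subnets, ports and the log format are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed layout (constructed): panels live in one subnet and only the
# management subnet is permitted to talk to them.
PANEL_SUBNET = ipaddress.ip_network("10.20.30.0/24")
MANAGEMENT_SUBNET = ipaddress.ip_network("10.10.0.0/24")
# RFC 1918 ranges, used to tell "wrong internal network" from "the internet".
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log: "<timestamp> <src>:<port> -> <dst>:<port> <ACTION>"
# (ports are arbitrary placeholders, not the panels' real service ports)
SAMPLE_LOG = """\
2022-06-10T08:01:12Z 10.10.0.15:51234 -> 10.20.30.7:3001 ALLOW
2022-06-10T08:02:45Z 203.0.113.44:40211 -> 10.20.30.7:3001 ALLOW
2022-06-10T08:03:01Z 10.50.1.9:44120 -> 10.20.30.12:80 ALLOW
2022-06-10T08:03:30Z 198.51.100.9:53991 -> 10.20.30.7:3001 DENY
2022-06-10T08:04:10Z 10.10.0.22:50022 -> 10.20.30.12:443 ALLOW
2022-06-10T08:05:00Z 10.50.1.9:44121 -> 10.99.0.5:22 ALLOW
"""


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    src_port: int
    dst: ipaddress.IPv4Address
    dst_port: int
    action: str


def parse_line(line: str) -> Optional[Flow]:
    """Parse one log line; return None for blank or malformed lines (IPv4 only)."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    try:
        src_ip, src_port = parts[1].rsplit(":", 1)
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        return Flow(parts[0], ipaddress.ip_address(src_ip), int(src_port),
                    ipaddress.ip_address(dst_ip), int(dst_port), parts[4].upper())
    except ValueError:
        return None


def classify(flow: Flow) -> Optional[str]:
    """Verdict for an allowed flow into the panel subnet; None if not of interest."""
    if flow.dst not in PANEL_SUBNET or flow.action != "ALLOW":
        return None
    if flow.src in MANAGEMENT_SUBNET:
        return None  # the expected path
    if any(flow.src in net for net in INTERNAL_RANGES):
        return "non-management-internal"  # segmentation gap inside the estate
    return "internet-sourced"  # panel reachable from outside: highest priority


def audit(log_text: str) -> list[dict]:
    """One finding per allowed flow that reached a panel from outside management."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None:
            continue
        verdict = classify(flow)
        if verdict is not None:
            findings.append({"ts": flow.ts, "src": str(flow.src), "dst": str(flow.dst),
                             "dst_port": flow.dst_port, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['ts']} {f['verdict']:24} {f['src']} -> {f['dst']}:{f['dst_port']}")
```

Denied flows are deliberately ignored here, since the firewall already did its job; the findings are the allowed connections that show the panel subnet is reachable from the internet or from an internal network that should have no route to it. Either result is a segmentation fix to make before relying on the vendor patches alone.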

Carrier has already released patches and a detailed advisory on mitigation methods. Furthermore, the US CISA (Cybersecurity and Infrastructure Security Agency) also published an advisory to warn organizations about the potential risk caused by the flaws.
