Connect with us

Tech

Researchers find eight CVEs in single building access system

Published

on

Researchers find eight CVEs in single building access system

A series of eight vulnerabilities in Carrier LenelS2’s building access panels could allow malicious actors to gain physical access to their targets

Alex Scroxton

By

Published: 10 Jun 2022 11: 02

A series of eight newly designated common vulnerabilities and exposures (CVEs) in a building access control system built by HID Mercury and sold by Carrier – a global supplier of building systems for physical security, HVAC, and so on – could enable attackers to obtain full system control and remotely manipulate door locks, according to researchers at Trellix Threat Labs.

The Trellix vulnerability research team, which has a special interest in threats to operational technology (OT) and industrial control systems (ICS), conducted its research on Carrier’s LenelS2 access control panels, which are used by organisations across multiple verticals, including healthcare, education, transport and the public sector. This product is permitted to be used on federal government property in the United States, not least because it has been approved for that purpose.

Trellix’s team said it chose to work with this specific access control panel because it is in widespread use across critical industries, has a strong market position, and has been certified as secure.

“For this project, we anticipated a strong potential for finding vulnerabilities, knowing that the access controller was running a Linux operating system and root access to the board could be achieved by leveraging classic hardware hacking techniques,” the team said in a disclosure blog.

“While we believed flaws could be found, we did not expect to find common, legacy software vulnerabilities in a relatively recent technology.”

The team used a combination of both known and new techniques to hack control panels. They first used hardware hacking techniques to use the on-board debugging ports. This allowed them to force the system to enter desired states that would bypass security measures. They were able to access the operating system root, pull its firmware, and modify startup scripts to gain persistent control.

With both firmware and system binaries to hand, the team then moved on to software accessible from the underlying network. They were able to exploit remotely six vulnerabilities, one of which was unauthenticated.

From there, they were able to chain two of those vulnerabilities to exploit the access control board and gain remote root level privileges on the device. They were able to run their own program to unlock controlled doors and subvert system monitoring.

“The vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems,” they said. “The highest CVE, an unauthenticated remote code execution (RCE), received a base score of 10 CVSS, the maximum score for a vulnerability.”

The full list of vulnerabilities can be found here:

  • CVE-2022-31479, an unauthenticated command injection vulnerability.
  • CVE-2022-31480, an unauthenticated denial-of-service vulnerability.
  • CVE-2022-31481, the above-mentioned CVSS 10 rated RCE vulnerability.
  • CVE-2022-31482, an unauthenticated denial-of-service vulnerability.
  • CVE-2022-31483, an authenticated arbitrary file write vulnerability.
  • CVE-2022-31484, an unauthenticated user modification vulnerability.
  • CVE-2022-31485, an unauthenticated information spoofing vulnerability.
  • CVE-2022-31486, an authenticated command injection vulnerability.

In response to the disclosure, Carrier has published an advisory with further specifics, mitigations and firmware updates, which users should apply immediately.

Also, HID Global has since confirmed that all OEM partners using Mercury boards will be vulnerable to these issues on specific hardware controller platforms, and the research is also actionable for suppliers and third parties that work with Carrier to install access systems. For access to patches, end-users of these boards should contact their OEM partners.

According to a 2021 IBM study, physical security breaches cost over $3.5m on average, and can take up to seven months to be identified. Due to the increasing convergence of OT and IT systems, exploitation opportunities by threat actors increase and can take up to seven months to be identified.

“While the stakes are already high, they are still growing,” said Trellix’s team. National security requires that we support organisations in avoiding threats to industrial systems. CISA has established priorities, goals, and best practices in order to protect ICS from both immediate threats and longer-term risks.

” Consumers should be aware that while the vulnerabilities revealed today may seem to have minimal impact, critical infrastructure attacks can impact our day-to-day lives. Cyber attacks such as the infamous Colonial Pipeline serve as a reminder of this.”

Read more on Endpoint security

Read More

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published.

Tech

Nothing announces official launch date for new Ear (stick) AirPods alternatives

Published

on

By

Nothing announces official launch date for new Ear (stick) AirPods alternatives
Nothing Ear (stick) held by a model on white background



(Image credit: Nothing )

True to form, Nothing has just announced the full reveal date for its upcoming audio product, Ear (stick). 

So, an announcement about an announcement. You’ve got to hand it to Carl Pei’s marketing department, they never miss a trick.

What we’re saying is that although we still have ‘nothing’ conclusive about the features, pricing or release date for the Ear (stick) except an image of another model holding them (and we’ve seen plenty of those traipsing down the catwalk recently), we do have a date – the day when we’ll be granted official access to this information. 

That day is October 26. Nothing assures us that on this day we’ll be able to find out everything, including pricing and product specifications, during the online Ear (stick) Reveal, at 3PM BST (which is 10AM ET, or 1AM on Wednesday if you’re in Sydney, Australia) on nothing.tech (opens in new tab)

Any further information? A little. Nothing calls the Ear (stick), which is now the product’s official name, “the next generation of Nothing sound technology”, and its “most advanced audio product yet”. 

But that’s not all! Apparently, Ear (stick) are “half in-ear true wireless earbuds that balance supreme comfort with exceptional sound, made not to be felt when in use. They’re feather-light with an ergonomic design that’s moulded to your ears. Delivered in a unique charging case, inspired by classic cosmetic silhouettes, and compactly formed to simply glide into pockets.” 

Opinion: I need more than a lipstick-style case

Nothing Ear (stick) – official leaked renders pic.twitter.com/FrhKmRttmiOctober 1, 2022

See more

It’s no secret that I want Nothing’s earbuds to succeed in world dominated by AirPods; who doesn’t love a plucky, eccentric underdog? 

But in order to become some of the best true wireless earbuds on the market, there is room for improvement over the Nothing Ear 1, the company’s inaugural earbuds. 

Aside from this official ‘news’ from Nothing, leaked images and videos of the Ear (stick) have been springing up all over the internet (thank you, developer Kuba Wojciechowski) and they depict earbuds that look largely unchanged, which is a shame. 

For me, the focus needs to shift from gimmicks such as a cylindrical case with a red section at the end which twists up like a lipstick. Don’t get me wrong, I love a bit of theater, but only if the sound coming from the earbuds themselves is top dog. 

As the natural companions for the Nothing Phone 1, it makes sense for the Ear (stick) to take a place similar to that of Apple’s AirPods 3, where the flagship Ear (1) sit alongside the AirPods Pro 2 as a flagship offering. 

See, that lipstick case shape likely will not support wireless charging. That and the rumored lack of ANC means the Ear (stick) is probably arriving as the more affordable option in Nothing’s ouevre. 

For now, we sit tight until October 26. 

Becky is a senior staff writer at TechRadar (which she has been assured refers to expertise rather than age) focusing on all things audio. Before joining the team, she spent three years at What Hi-Fi? testing and reviewing everything from wallet-friendly wireless earbuds to huge high-end sound systems. Prior to gaining her MA in Journalism in 2018, Becky freelanced as an arts critic alongside a 22-year career as a professional dancer and aerialist – any love of dance starts with a love of music. Becky has previously contributed to Stuff, FourFourTwo and The Stage. When not writing, she can still be found throwing shapes in a dance studio, these days with varying degrees of success.  

Read More

Continue Reading

Tech

YouTube could make 4K videos exclusive to Premium subscribers

Published

on

By

YouTube could make 4K videos exclusive to Premium subscribers
Woman watching YouTube on mobile phone screen



(Image credit: Shutterstock / Kicking Studio)

You might soon have to buy YouTube Premium to watch 4K YouTube videos, a new user test suggests.

According to a Reddit thread (opens in new tab) highlighted on Twitter by leaker Alvin (opens in new tab), several non-Premium YouTube users have reported seeing 4K resolution (and higher) video options limited to YouTube Premium subscribers on their iOS devices. For these individuals, videos are currently only available to stream in up to 1440p (QHD) resolution.

The apparent experiment only seems to be affecting a handful of YouTube users for now, but it suggests owner Google is toying with the idea of implementing a site-wide paywall for access to high-quality video in the future.

So, after testing up to 12 ads on YouTube for non-Premium users, now some users reported that they also have to get a Premium account just to watch videos in 4K. pic.twitter.com/jJodoAxeDpOctober 1, 2022

See more

It’s no secret that Google has been searching for new ways to monetize its YouTube platform in recent months. In September, the company introduced five unskippable ads for some YouTube users as part of a separate test – an unexpected development that, naturally, didn’t go down well with much of the YouTube community. 

A resolution paywall seems a more palatable approach from Google. While annoying, the change isn’t likely to provoke the same level of ire from non-paying YouTube users as excessive ads, given that many smartphones still max out at QHD resolution anyway. 

Of course, if it encourages those who do care about high-resolution viewing to invest in the platform’s Premium subscription package, it may also be more lucrative for Google. After all, YouTube Premium, which offers ad-free viewing, background playback and the ability to download videos for offline use, currently costs $11.99 / £11.99 / AU$14.99 per month.

Suffice to say, the subscription service hasn’t taken off in quite the way Google would’ve hoped since its launch in 2014. Only around 50 million users are currently signed up to YouTube Premium, while something close to 2 billion people actively use YouTube on a monthly basis. 

Might the addition of 4K video into Premium’s perk package bump up that number? Only time will tell. We’ll be keeping an eye on our own YouTube account to see whether this resolution paywall becomes permanent in the coming months.

Axel is a London-based staff writer at TechRadar, reporting on everything from the newest movies to latest Apple developments as part of the site’s daily news output. Having previously written for publications including Esquire and FourFourTwo, Axel is well-versed in the applications of technology beyond the desktop, and his coverage extends from general reporting and analysis to in-depth interviews and opinion. 

Axel studied for a degree in English Literature at the University of Warwick before joining TechRadar in 2020, where he then earned a gold standard NCTJ qualification as part of the company’s inaugural digital training scheme. 

Read More

Continue Reading

Tech

Europe sets deadline for USB-C charging for (almost) all laptops

Published

on

By

Europe sets deadline for USB-C charging for (almost) all laptops

USB-C als Ladestandard in der EU

Mundissima / Shutterstock


Author: Michael Crider
, Staff Writer

Michael is a former graphic designer who’s been building and tweaking desktop computers for longer than he cares to admit. His interests include folk music, football, science fiction, and salsa verde, in no particular order.

Read More

Continue Reading

Trending

Copyright © 2022 Xanatan