Building communication like door intercom systems uses traditionally own buses in the building. However, nowadays everything needs to be smart and IP based. Therefore, gateways are available to couple the building intercom with IP networks and further with smartphone apps. We analyzed two smart door extension for large-scale intercom systems and tried to gain access to the door controls and of course to get root on them. We will discuss the typical architecture of such intercom networks and then look in detail at two systems by Siedle and Gira. We will show how we not only managed to possibly open all doors connected to the gateway but also how we fully compromised the systems.
When you ring the bell at a larger building, you may assume that you are actually operating a complex network with further call buttons, access control units checking smart cards and opening doors and of course intercom devices. But your call (and video) may also end up on a smart phone or the desktop pc of the people at the front desk. IP-Gateways between the established intercom bus systems and the IP world are used. We will discuss typical scenarios, where the intercom world meets the IP world.
We picked two devices to have a closer look. A number of researcher showed already the many flaws in home devices and Cloud based systems. Therefore, we focused on systems for larger installations and which can be used without the Cloud. We also assume such systems to be more widely adopted among enterprises and security conscious users.
We used the available firmware to emulate the devices on a raspberry pi. Analyzing the emulated devices and the firmware files, we identified possible ways to compromise the gateways. Thus, we decided to buy the needed parts to operate a test intercom network. After building a test environment following the vendor recommendations, we managed to confirm the initial findings and fully compromise the gateway from both companies. Both attacks do not need physical access to the box and can be done remotely from the local network (or the internet, when a crazy administrator exposed the needed ports to the internet).
After the introduction of typical intercom IP gateway setups, our talk will walk through the setup, our findings, and the process of reporting the flaws. For a better understanding of the attack, we will also do a live demonstration of the attacks and demonstrate the path from discovering the device to root access.
The work was done by Julian Beier, Sebastian Neef, Lars Burhop, Viktor Schlüter, and Jörg Schneider. A responsible disclosure process was started with both vendors, which already prepare firmware updates to address our findings.