Massive Security Flaw in Google’s RFID keycard system

The best software engineers of the world, you name it and Google have it. It looks like one of those engineer decided to take his skills further and thought to give his employer a surprise.

The man in question is David Tomaschik, he hacked up some code, sent it across the company’s network, and quickly saw the light on the door to his office turn from red to green. This happened when he found a vulnerability that enabled him to hack open doors on campus which otherwise required a RFID keycard.

Talking to Forbes at the DEF Con Internet of Things Village in Las Vegas, Tomaschik said “It was the culmination of work in which he uncovered vulnerabilities in technology made by Software House, the creator of the office controllers managing the physical security of the California site.”

Last summer, the publication goes to explain, Tomaschik was looking at the encrypted messages the Software House devices called iStar Ultra and IP-ACM were sending across the Google network. He discovered they were non-random, whereas encrypted messages “should always look random if they’re properly protected. He was intrigued and digging deeper discovered a ‘hardcoded’ encryption key was used by all Software House devices.”

That meant all he needed to do was copy the key and either write commands like asking a door to unlock or replay legitimate commands. And here’s the crazy part. Tomaschik found that he was able to do this without leaving any digital trail of his actions, and he could also fix it so that Google employees were prevented from opening doors they should have been able to get into. “Once I had my findings it became a priority. It was pretty bad,” he told Forbes.

Google, has fixed this issuem and it has separated its network to prevent people on its properties from doing something like this. The Software House devices also now apparently use a stronger form of encryption — though, according to Tomaschik, Software House came up with a solution that requires a change of hardware at customer sites. His implication being there are lots of locations and businesses that could be open to a similar hack, though a spokesman for Software House owner Johnson Controls told Forbes, “This issue was addressed with our customers,” without providing additional details.

Meanwhile, even though the hacker here had good intentions, this is yet another reminder of the destructive potential of Internet of Things vulnerabilities. Specifically, of how lax security can open up such Internet-connected devices to real-world mischief.

This damage recalls the 2016 Mirai botnet attack that co-opted vulnerable webcams and other IoT devices to launch attacks that crippled Internet services around the world, temporarily knocking services like Netflix and Twitter offline. Lawmakers have been slow to get involved in mandating changes that would protect against this kind of thing, and manufacturers are still proving slow to improve the security of the hardware they sell, which means for now we’re still reliant on hackers like Tomaschik to find and fix vulnerabilities, like keeping doors closed that aren’t supposed to be open.