Welcome back to Pwned, the column where we immortalize the worst vulns that organizations opened up for themselves. If you’re the kind of person who leaves your car doors unlocked with a pile of cash in the center console, this week’s story is for you.
Our tall tech tale of woe comes courtesy of a reader we’ll Regomize as Pete. Pete used to work at a company that handled parking fees and was trying to secure ISO 27001 certification for its security controls.
One vulnerability that showed up as part of the initial security screening was that the server room network was connected to the production datacenter network, so anyone entering that room could get all kinds of access. The solution: put a lock on the server room door.
The lock that Pete’s company bought used two-factor authentication. First, the entrant would have to swipe an ID card. Then, they’d have to enter a four-digit PIN. If someone entered the wrong code, the failed attempt would be logged.
On the day when the auditor was to come to the office, the team performed a final drill, which looked good at first. First, the CTO swiped their pass, entered the correct PIN, and gained access. Then a senior sysop swiped a card, entered the wrong passcode, and was denied entry. A junior sysop repeated the process and was also denied, as expected.
However, the junior sysop then decided to try bashing the buttons on the keypad without swiping a card first. To his surprise, the door unlocked itself. The senior sysop was able to reproduce this unexpected behavior.
Apparently, the problem was that if you entered more than 10 or 11 digits, the lock would become overloaded and open. If you entered the expected four digits and they were wrong or you didn’t swipe a card, the lock would stay closed.
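As an added illustration, not the lock's firmware or anything from Pete's company, here is a small fail-closed model of the card-plus-PIN lock described above: the decision is made at exactly four digits so a fifth keypress can never accumulate, keypad input with no card presented is rejected, and every failure is logged. The card IDs, PINs and log format are constructed assumptions; the drill from the story, including the button bashing, is replayed against it.

```python
import hmac
from dataclasses import dataclass, field
PIN_LENGTH = 4  # the lock in the story expects exactly four digits

@dataclass
class DoorLock:
    # Constructed credential table (card id -> PIN); a real lock would store hashes.
    credentials: dict
    card: "str | None" = None
    buffer: str = ""
    log: list = field(default_factory=list)

    def _deny(self, reason: str) -> bool:
        # Every path that is not an exact card + PIN match ends here: fail closed.
        self.log.append(f"DENIED card={self.card!r} reason={reason}")
        self.card, self.buffer = None, ""
        return False

    def swipe(self, card_id: str) -> None:
        # A swipe starts a fresh attempt; anything half-typed before it is discarded.
        self.card, self.buffer = card_id, ""

    def press(self, key: str) -> bool:  # True = unlock; False = door stays shut
        if len(key) != 1 or not key.isdigit():
            return self._deny("non-digit key")
        if self.card is None:  # keypad input with no card is not part of any attempt
            return self._deny("no card presented")
        self.buffer += key
        if len(self.buffer) < PIN_LENGTH:
            return False  # keep collecting; door stays closed
        # Decide at exactly PIN_LENGTH digits, so the buffer can never hold a fifth.
        if hmac.compare_digest(self.credentials.get(self.card, ""), self.buffer):
            self.log.append(f"GRANTED card={self.card!r}")
            self.card, self.buffer = None, ""
            return True
        return self._deny("wrong PIN or unknown card")

def enter(lock: DoorLock, digits: str) -> bool:
    # Type digits one at a time (a list, so every key is processed); report any unlock.
    return any([lock.press(d) for d in digits])

def run_drill():
    """Replay the drill from the story: correct PIN, two wrong PINs, then button bashing."""
    lock = DoorLock({"cto": "4821", "senior": "9013", "junior": "7755"})
    out = {}
    for who, typed in [("cto", "4821"), ("senior", "0000"), ("junior", "1111")]:
        lock.swipe(who)
        out[who] = enter(lock, typed)
    out["bashing"] = enter(lock, "8" * 12)  # twelve digits, no card swiped
    return out, lock.log
```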
With the inspection due that day, the company was faced with a major problem, which they solved by strategically withholding some information. When the auditor arrived, the senior sysop demonstrated the lock by only entering a four-digit PIN every time. It worked as expected and the auditor signed off on the certification.
The vendor who supplied the lock was unable to fix the problem because they weren’t the manufacturer. Supposedly, the lock manufacturer was on the hook to provide a replacement, but that didn’t happen while Pete worked there.
As far as he knows, no one ever exploited this physical security vuln, but it’s still distressing. Just remember: All the cybersecurity in the world breaks down if you don't have physical security.
Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity available upon request. ®
Source: The Register