Physical Security Series Part 1: Misconfigured Building Access Systems - A Worldwide Security Oversight
- norbert994
- 2 days ago
- 3 min read
In a recent investigation, cybersecurity researchers uncovered a cluster of over 49,000 Access Management Systems (AMS) exposed to the internet. These systems, integral to controlling and monitoring access to both digital and physical resources (e.g. RFID card gates), were found to have an interface cheerfully sitting online, waiting to be poked at.
To provide a bit of context, Access Management Systems are security frameworks that authenticate and/or authorise users, in this case to a company's physical resources, such as a specific building or an office area, usually based on predefined roles and policies. Proper configuration of these systems is critical to ensure that only authorised personnel are granted access.

How far does this go?
The previously referenced research revealed that these misconfigured AMS were prevalent across multiple industries, including construction, healthcare, education, manufacturing, the energy sector, and various public sector and government entities. There were seemingly no geographical barriers either, which implies that the problem transcends regional boundaries and is likely to sit somewhere within the practices used by the global members of the supply chain. To anyone in the cyber industry, this is likely no surprise. Perhaps the most immediate concern is the impact on physical security. An attacker who gains access to a poorly secured AMS could manipulate or bypass existing access controls and gain entry into restricted areas. Alternatively, such access could be used for covert surveillance.
Many AMS platforms also store significant amounts of employee information, including personal details, photographs, biometric records, work schedules, and even payroll-related data. This information could be used to facilitate identity theft, social engineering campaigns, phishing attacks, and a range of other fraudulent activities designed to compromise both individuals and organisations.
If this wasn't bad enough, there is also the potential for operational disruption. For example, modifying system configurations could disable access to critical areas and impact production or service delivery, and probably also create a fair bit of confusion during time-sensitive operations.
Clearly, the trend to make everything connected and accessible online applies to physical access systems as well; however, the industry seems to be lagging behind when it comes to locking down the online components. These systems need to be monitored, hardened, and periodically updated, just like any other IT system.
How can it be fixed?
In the context of this particular research, affected organisations and vendors have been notified, and it seems that some of the vendors acknowledged the issue and eventually acted upon it. However, responses from organisations using the vulnerable systems were apparently much more limited. This in itself shows how reliant the IT ecosystem is on the supply chain, whether through lack of in-house expertise or through contractual limitations, and is potentially worth a separate discussion on its own. In any case, a significant volume of exposure remains.
Fundamentally, the question should be asked: is it absolutely necessary to have the AMS hanging directly on the internet? In a small number of cases, there may be a legitimate reason for this to be the case, but in the large majority of cases, the first port of call should be to put the interfaces behind a VPN or a firewall to control access. This is a stopgap solution, which won't address the root cause of the issue, but it will significantly limit the exposure of these systems, and it should hopefully not be too difficult to achieve.
We have also assembled a list of good practice initiatives which should be considered by all organisations:
- Add cybersecurity considerations to the procurement process, and have the design and architecture of the solution validated by a cybersecurity consultant. Also consider adding a legal review to cover the contractual obligations of the provider in case of cybersecurity issues post-implementation.
- Review AMS configurations regularly, at least once per annum, to ensure they are not exposed to unauthorised access or other weaknesses or vulnerabilities.
- Use firewalls and VPNs to restrict remote access to AMS, to prevent opportunistic attacks.
- Replace default administrator credentials with strong, unique passwords and implement multi-factor authentication to enhance security.
- Regularly apply software and firmware updates provided by AMS vendors to patch known vulnerabilities.
- Through auditing, ensure that all biometric data and personally identifiable information (PII) stored within AMS are encrypted to prevent unauthorised access.
- Periodically check employee records to identify and remove accounts that are no longer active, reducing potential entry points for attackers.
Call us
The best course of action is still prevention. Once the issue is known, the risk can be understood, and action can be taken to reduce impact.
Consultants on the 45 Cyber Labs team have helped many organisations, large and small, to strengthen their defences against supply chain attacks. If you’re concerned about the integrity of these dependencies, reach out to learn how we can help secure your ecosystem.