A vulnerability in Aiphone intercom products allows attackers to breach the entry system and gain access to the building that uses it.
Aiphone is one of the largest global manufacturers of intercom systems, including audio and video entry systems for residential and corporate buildings.
Last week, researchers with Norwegian application security firm Promon published information on a vulnerability identified in several Aiphone products that could allow an attacker to easily breach the entry system using an NFC tag.
The security bug is tracked as CVE-2022-40903 and is described as an information disclosure vulnerability.
The issue was identified in June 2021 and impacts Aiphone device series GT-DMB, GT-DMB-N, and GT-DMB-LVN running firmware versions prior to 3.00, and GT-DB-VN devices running firmware version 2.00 or earlier.
According to Promon, the bug allows an attacker to “use a mobile device with NFC capability to run an attack on the entry system in order to find the admin passcode”.
Essentially, the system is prone to brute-forcing the admin security code, meaning that an attacker with network access can try an unlimited number of combinations until they can find the correct one.
“The exploit requires a modification app (a custom Android NFC host-based emulation app that mimics the behavior of the official administrative tool),” Promon notes.
Once they know the administrator passcode, the attacker can use it to add a new NFC tag into the system (by injecting the device’s serial number), for access into the building.
This gives “the attacker both the code in plain text that can then be punched into the keypad, but also an NFC tag that can be used to gain access to the building without the need to touch any buttons at all”, the application security firm notes.
Given that the vulnerable Aiphone products do not store access logs, an organization may be unaware of any unauthorized access, as there would be no evidence of it on the device.
The main issue, however, is that the vulnerability cannot be addressed via a software update, requiring a hardware replacement instead.
On November 10, Aiphone published a vulnerability notification on its website, saying that device models manufactured after December 7, 2021 are no longer vulnerable and encouraging customers using older models to contact the vendor for instructions.
“Regarding the Video Multi-Tenant System Entrance Station GT-DMB-N, GT-DMB-LVN, and GT-DB-VN sold by Aiphone since their launch in June 2017, it has been found that there is a vulnerability in the Entrance Station that may lead to leakage of the settings information in the products or to partial loss of functionality. This attack requires a highly specialized technique,” the vendor says.
The vendor warns that an attacker may exploit the vulnerability to open doors without authorization, but says that it has received no reports of the vulnerability being exploited in attacks.