Google's Doors Hacked Wide Open By Own Employee (forbes.com)
Last July, in Google's Sunnyvale offices, a hacker found a way to trick doors into opening without the requisite RFID keycard, Forbes reported Monday. Luckily for Google, it was David Tomaschik, an employee at the tech giant, who only had good intentions. From the report: When he sent his malicious code across the Google network, he saw the lights turn from red to green on the door to his office. Then came the satisfying thunk as the lock opened. It was the culmination of work in which Tomaschik had uncovered vulnerabilities in technology made by Software House, the creator of the office controllers managing the physical security of the California site.
Last summer, when Tomaschik looked at the encrypted messages the Software House devices (called iStar Ultra and IP-ACM) were sending across the Google network, he discovered they were non-random; encrypted messages should always look random if they're properly protected. He was intrigued and digging deeper discovered a "hardcoded" encryption key was used by all Software House devices. That meant he could effectively replicate the key and forge commands, such as those asking a door to unlock. Or he could simply replay legitimate unlocking commands, which had much the same effect. Tomaschik also discovered he could do all this without any record of his actions. And he could prevent legitimate Google employees from opening doors. "Once I had my findings it became a priority. It was pretty bad," he told Forbes. Google then moved quickly to prevent attacks on its offices, according to Tomaschik.
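The two failures the summary describes, one fixed key shared by every device with no per-message freshness, and no record of what was sent, as an added illustration that is not part of the Forbes report or of Software House's actual protocol: a traffic audit that flags byte-identical "encrypted" frames (the non-randomness Tomaschik noticed), and a controller that accepts commands only under a per-device key, rejects replays with a strictly increasing counter, and logs every decision. All frames, keys and device names are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample captures (not real iStar Ultra / IP-ACM traffic). A controller
# that encrypts every "unlock door 7" command under one fixed key with no nonce
# emits byte-identical ciphertext for identical commands: the tell-tale the
# summary describes.
STATIC_KEY_FRAMES = (
    [bytes.fromhex("0a0a0a0a0a0a0a0a4242424242424242")] * 4
    + [bytes.fromhex("0a0a0a0a0a0a0a0a4343434343434343")] * 2
)
# What properly nonced ciphertext looks like on the wire (constructed stand-in).
RANDOM_FRAMES = [os.urandom(16) for _ in range(6)]


def audit_frames(frames):
    """On-the-wire sanity check: real ciphertext never repeats and spreads over the
    whole byte alphabet; repeated frames mean a static key and no freshness."""
    total, unique = len(frames), len(set(frames))
    return {
        "frames": total,
        "duplicate_frames": total - unique,
        "distinct_byte_values": len(set(b"".join(frames))),
    }


def build_frame(device_key, counter, command):
    """Frame = 8-byte big-endian counter || command || HMAC-SHA256 over both.
    Encryption is omitted here; a deployment would wrap this in an AEAD."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(device_key, body, hashlib.sha256).digest()


class DoorController:
    """Accepts commands only from enrolled devices, each with its own key, rejects
    replays via a strictly increasing per-device counter, and records every decision."""

    TAG_LEN = 32

    def __init__(self, device_keys):
        self.device_keys = dict(device_keys)          # never one fleet-wide constant
        self.last_counter = {d: -1 for d in device_keys}
        self.audit_log = []                           # the record the summary says was missing

    def handle(self, device_id, frame):
        key = self.device_keys.get(device_id)
        if key is None or len(frame) < 8 + self.TAG_LEN:
            return self._record(device_id, "reject: unknown device or malformed frame")
        body, tag = frame[:-self.TAG_LEN], frame[-self.TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):    # constant-time comparison
            return self._record(device_id, "reject: bad MAC")
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter[device_id]:
            return self._record(device_id, f"reject: replayed counter {counter}")
        self.last_counter[device_id] = counter
        return self._record(device_id, f"accept: {body[8:].decode()} (counter {counter})")

    def _record(self, device_id, decision):
        self.audit_log.append((device_id, decision))
        return decision.startswith("accept")


if __name__ == "__main__":
    print(audit_frames(STATIC_KEY_FRAMES), audit_frames(RANDOM_FRAMES))
    ctl = DoorController({"acm-1": os.urandom(32)})
    frame = build_frame(ctl.device_keys["acm-1"], 1, b"unlock:7")
    print(ctl.handle("acm-1", frame), ctl.handle("acm-1", frame))  # True, then False
    print(ctl.audit_log)
```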
Unsure about this (Score:4, Interesting)
Re: (Score:1)
How a third party handles its own product doesn't seem like it could represent how Google develops their own services.
Re: (Score:3, Insightful)
A lot of third parties do much better than Google. Google dabbles in a lot of directions, at the whim of their loose and often undirected management.
Re: (Score:1)
Oh sure, I just think it's a bad comparison. Google bought a product that it turns out has a security flaw. How some other company operates and sells their products can't really represent Google's own development practices.
Re:Unsure about this (Score:5, Interesting)
How some other company operates and sells their products can't really represent Google's own development practices.
No, but it shows that they use and rely on 3rd party unverified and ill-designed programs, giving them access to their networks. That does taint their own products, even if everything they themselves did were safe and secure - to misuse a metaphor, it's fruit from a poisonous tree.
Re: (Score:2)
The time to check for flaws is before putting it on your trusted network, not afterwards. Someone was allowed to make the decision to put a 3rd party IP based security system on the same network as trusted resources, without first evaluating it for security. This seems like a management problem to me.
Re: Unsure about this (Score:2)
Re: (Score:2)
How some other company operates and sells their products can't really represent Google's own development practices.
No, but it shows that they use and rely on 3rd party unverified and ill designed programs
So does every company. So does yours. But how many others do this sort of investigation? Software House has thousands of clients, but it was Google that found the problem -- and published it.
Internet of shit still shit (Score:2, Insightful)
News at eleven.
That's why google support sucks (Score:1)
They spend too much time doing their own shit rather than helping paying customers
Re: (Score:2)
Like finding a solution to why our emails sent through gmail servers go to spam folders of our customers on gmail and whom we have been communicating with via email for years.
Trying to get a support case escalated when the support muppet can't give you an answer is nearly impossible unless you start yelling at the support muppet. Then you get a manager muppet and have to go through the whole process again.
Open All The Doors (Score:1)
He blew it. The proper thing to do would be to have designed and introduced a trojan/worm into the security system. When it reached critical mass, it would be triggered to open all the doors, continue to reopen the doors, and defend itself against removal.
Re: (Score:2)
just cut the power or set off the fire alarm and that will open a lot of the doors and it's part of the fire code.
Kinda weird (Score:2)
Why put your door locks in an accessible network?
My office doors weren't RFID. You had to actually insert a card into the standalone locks which needed to be programmed for access. The locks also kept a record of who/what accessed them. I like old school.
The only downside was the magnetic strip would wear out after a few years...
Re: (Score:2)
Many of those are connected by a serial protocol through their own physical wiring.
That goes back to one or more security panels that connect via serial to a PC that may or may not have a network connection.
Of course, for safety, many of those are fail open and the wiring isn't physically secured such that you can short the wires to the latch to open the door without leaving a record of access.
Re:Kinda weird (Score:5, Insightful)
Why put your door locks in an accessible network?
At some point having a centralized control increases flexibility and security over and above the effort needed to implement it.
In your old school scenario if you were fired then Fred down at IT would have to schedule someone to physically come to your office and re-program your door lock to stop you gaining access to not only your office but all those other sensitive places that you previously frequented. That would take time and manpower to do.
In a connected world, run one script and *poof* you are instantly persona non grata in the entire organization. Of course the connected world scenario does require security to be correctly implemented. But that is what pen testing is all about. It is akin to the software corollary that untested software should be considered broken.
Re: (Score:2)
>accessible network
I think the suggestion was that the locks should be on a separate network that is inaccessible to anyone other than building management.
Re: (Score:2)
>accessible network
I think the suggestion was that the locks should be on a separate network that is inaccessible to anyone other than building management.
I was replying to the OP, who was reminiscing about how good disconnected locks were.
Re:Kinda weird (Score:4, Interesting)
There is a risk to fully automatic organizations like that.
https://idiallo.com/blog/when-... [idiallo.com]
Can be pretty scary when there are no checks and balances to the automation.
Re: (Score:2)
There is a risk to fully automatic organizations like that.
https://idiallo.com/blog/when-... [idiallo.com]
Can be pretty scary when there are no checks and balances to the automation.
I've seen that story before and it's a bit disingenuous. The machine didn't fire him, the non-renewal of a contract by a person fired him. The system did its job correctly.
Re: (Score:2)
And the system apparently had permissions somewhere up around CEO level seeing as NO ONE was able to stop what it was doing.
I'm curious what would have happened if they'd told the machine the CEO had been fired.
Re: (Score:2)
Why put your door locks in an accessible network?
At some point having a centralized control increases flexibility and security over and above the effort needed to implement it.
In your old school scenario if you were fired then Fred down at IT would have to schedule someone to physically come to your office and re-program your door lock to stop you gaining access to not only your office but all those other sensitive places that you previously frequented. That would take time and manpower to do.
In a connected world, run one script and *poof* you are instantly persona non grata in the entire organization. Of course the connected world scenario does require security to be correctly implemented. But that is what pen testing is all about. It is akin to the software corollary that untested software should be considered broken.
Nah, the parking lots, security fence entry and building entry were on RFID which was on a separate network. Easy to revoke if needed.
Re: (Score:1)
>In your old school scenario if you were fired then Fred down at IT would have to schedule someone to physically come to your office and re-program your door lock to stop you gaining access to not only your office but all those other sensitive places that you previously frequented. That would take time and manpower to do.
This could very well be considered a feature in terms of checks and balances.
>In a connected world, run one script and *poof* you are instantly persona non grata in the entire org
Re: (Score:2)
Not for most systems I have seen -- they work kind of like a certificate authority with a revocation list. No control communication over the IP network, just RS-485.
Re:Kinda weird (Score:5, Insightful)
> Why put your door locks in an accessible network?
This one is easy. One of the purposes of encryption is allowing trusted communication over untrusted networks. If the communication is properly authenticated and encrypted, who cares who can see it. The key word being "properly".
Getting encryption and authentication right on a mass-produced, IoT product is extraordinarily difficult. Making it [reasonably] future-proof, even more so.
Re: (Score:3)
That's exactly why for the sake of belt and suspenders you should at least use a vlan to isolate the security traffic if not a physically separated network.
Re: (Score:2)
That's exactly why for the sake of belt and suspenders you should at least use a vlan to isolate the security traffic if not a physically separated network.
The Google network is heavily segmented, though Google has shifted to consider that more of a management feature than a security feature. Google relies primarily on the BeyondCorp zero trust model to provide security, because network segmentation really doesn't. Segmentation isn't useless, but it provides no protection against adversaries who get access to the wires.
I'm sure the badge readers were on a separate VLAN. But Google doesn't trust network segmentation and obviously chose to investigate potentia
Re: (Score:2)
According to TFA, they segmented the network in response to the hack. And yes, VLAN isn't perfect. That's why you want belt AND suspenders, not belt OR suspenders.
Re: (Score:2)
According to TFA, they segmented the network in response to the hack.
Okay.
And yes, VLAN isn't perfect. That's why you want belt AND suspenders, not belt OR suspenders.
Except that VLANs are more like wearing suspenders made of a few, thin threads. It's almost nothing. Proper cryptographic security is the right solution here, and once you have that, a VLAN provides nothing -- other than traffic management, which is what it's really good for. VLANs were never intended to be used as a security measure, and shouldn't be applied with any expectation that they're adding significant security.
Re: (Score:1)
For a door lock? Ever set up some of this "IoT" which is really "ICT" or Internet Connected Technology? Some of the crap requires Windows and Explorer for the controls. VLAN, they barely meet minimum requirements as it is.
If you want to keep people out, use a good old commercial door lock. That'll keep almost all the lock picks out. They can also put spools, other things in to make it a lot harder.
Re: (Score:2)
There are many reasons you might want centrally controlled access control with cards. For example, if 1000 people have legitimate access, how long do you suppose it will be before a copy of THE key goes missing somewhere?
Re: (Score:1)
There are many reasons you might want centrally controlled access control with cards. For example, if 1000 people have legitimate access, how long do you suppose it will be before a copy of THE key goes missing somewhere?
I run into this all the time. That's not what the problem is. The problem was his office. For central places it's not nearly as much of a concern. There is usually a guard there, CCTV, other people. They can also piggyback in. Then they filter people down by floor, then often by other key card access areas. Most of these places today if you have an actual office, whatever you do is worth protecting. Otherwise you're usually out in a bull pen at a half desk.
I remember even over 20 years ago I had to use a c
Re: (Score:2)
I have to deal with building security systems sometimes and nearly always the RFID locks (which encompasses the RFID reader, secondary keypad if there is one, and electromechanical lock mechanism) aren't ethernet enabled.
The "locks" are hardwired to controllers which can be networked but are programmed by some software application which in turn places each keycard into whatever access groups it's supposed to have. The controllers are then updated with add/deletes of card profiles. I see about half the cont
What, no network isolation? (Score:3)
Clearly, the door access/lock system has or had design problems and needs these properly addressed. Its presence was made worse by poor network security. It should have been on a dedicated network and certainly not on the general LAN/VLAN. This guy had access to the network and shouldn't have unless the poking around was blessed.
Re: (Score:2)
Agreed.
VLAN. With RADIUS. Or at the very least MAC-based RADIUS and blocking any unknown devices.
Re: (Score:2)
Clearly, the door access/lock system has or had design problems and needs these properly addressed. Its presence was made worse by poor network security. It should have been on a dedicated network and certainly not on the general LAN/VLAN. This guy had access to the network and shouldn't have unless the poking around was blessed.
Physically securing wires is a fool's errand. You can't protect wires that go everywhere.
Every dime spent on a fool's errand is a dime not spent securing what is attached to those wires.
Re: (Score:2)
Correct. Wires are pretty easy to sufficiently protect through physical barriers that aren't easily breached without noise and adherence to smart policy. Like most things in need of securing, network and network attached devices require a multi-pronged approach. And similarly to all security implementations, the one that Google may have employed along with this door lock/access management solution would have been defeated by those sufficiently motivated even wit
Re: (Score:2)
Google doesn't have dedicated networks full of systems that blindly trust everything because they're on "trusted networks".
They have one massive network, with devices that are supposed to be secure.
Re: (Score:3)
This guy had access to the network and shouldn't have unless the poking around was blessed.
"The guy" is a member of Google's Red Team, which is the group tasked with finding internal security problems. He was "blessed".
Re: Weird (Score:3)
Re: (Score:2)
I am surprised the door locks were on the same network as workstations. Actual traffic isolation would have prevented someone from finding this flaw unless they start tearing holes in their walls.
Is it clear that it was on the same network as workstations? I left Google in 2017, and for many years the internal networks had been heavily segmented. I'd be very surprised if any random RFID node or printer could have communicated directly with my workstation. In fact, I don't think my machines could talk to each other from physically adjacent Ethernet ports without requesting a network change.
Re: (Score:2)
Oh, my. It's very easy to ask why someone else did not spend several times the amount of money in capital costs and support costs for an infrastructure change. What is the return on investment?
Re: Weird (Score:2)
Re: (Score:2)
Ideally, the doors would be on a physically distinct network with its own switches, not a VLAN-tagged distinct network. That means physically distinct wiring all the way back to the wiring closets, and no plain repeaters or shared switches all the way back to any central switch for the door controller system. In practice, a few facilities bother to set up tagged VLANs on shared switches. But unless the switches are also programmed to only communicate with specific MAC addresses on specific ports, anyone ca
Re: (Score:2)
Ideally, they wouldn't be on any network at all if you fixate only on theoretical security threats... but in the real world both your suggestion and this one have passed well beyond the point where the inconvenience exceeds the additional security benefit. If you can compromise VLAN security to the extent that you could directly access and exploit an access control unit you could almost certainly do the same thing to access and compromise far mo
He's a Google employee (Score:2)
This means that they will be dealing with the legal side, and will have ensured that there are no issues. One of the advantages of being an employee.
Door security theatre? (Score:2)
What is the mission of the security system at Google?
What I figure it is for at Google and many other tech companies is to satisfy a legal requirement, for I.P. protection and especially to satisfy the U.S. Patent Office.
If you make a public disclosure, it sets a clock ticking for a U.S. Patent and it may prevent issuance of a patent in other countries. If you make a confidential disclosure, you are protected against tripping that clock, but how do you guarantee that when you are talking to other Goog
WhatCouldPossiblyGoWrong (Score:2)
Particularly if you are Turing testing a hot looking android named Ava.
I think Bart Simpson said it best... (Score:3)
Re: (Score:2)
when he said this... [imgur.com]
Static encryption keys are fine as long as you keep them secret and randomize the protocol. It's when you set about inventing key update protocols that it all goes to shit, Eh TLS?
And then David was fired (Score:2)
Lack of security not a hack (Score:3)
1) Static keys, no replay attack prevention, sending the session key under a static key are all things that happen all the time.
2) Authorization: The next level of security fuck-up for many small devices like these is a complete lack of authorization. Any device that is in radio range or has access to the LAN during the joining window can join the network (think of WiFi or Bluetooth as an example).
3) Identification: Most devices have no means to prove they really are who they say they are. Thus an attacker who takes one device apart and extracts its keys can impersonate almost any other device. Many networks don't even care what device joins, as long as it has a static piece of information, and they have no defense against man-in-the-middle attacks. This is also the case where a single device connecting to a network can see everything. When you log into a website and pull up your information and then change the query string to another user's ID and see their information, that isn't a hack. The site is performing as designed.
I call these lack of security; they aren't bugs or vulnerabilities, the system simply was never designed to be secure. You aren't hacking a system that didn't have security*.
*Disclaimer: If you live in a certain country where pointing out something has no security embarrasses people with money you are likely to get charged with unauthorized use of a computer, lose all financial resources, be threatened with 10^20 years in prison and have to take a plea deal. Don't ever do security research in that country.
Re: (Score:2)
When it comes to physical building security... (Score:1)
Security automation measures such as RFID scanners, card insert readers, IP security cameras, etc. should always be kept on their own closed-loop network and redundant power source as a best practice. Opening security systems for buildings onto a main network can, and will always, result in major flaws to the physical security of the infrastructure of a housed facility, and will almost always result in vulnerability points, whether from a localized or external source.
Serious Linux security & maintenance question (Score:2)
Let's say that you have built a Linux-based "appliance" and it's deployed in numerous places around the world. Let's also say that you need to make some changes to system libraries for new versions. AFAIK, the only way to do this is to have root access. So how would you build some sort of updating software that a user with no Linux experience could run that would allow for installation of new system components? If you have to have root/superuser access, how do you keep it secure? Is there another way t
Re: (Score:2)
You don't need the end user to have root access, you just need to have an update process running which can acquire root access, or at least access to the files which need to be updated.
So you give each appliance a private/public keypair and the public key of your update server. The process which has access to update would then only accept encrypted updates both designated for that appliance's specific key and signed using the update server's private key. Mutual authentication.
You can do that online via a TL
Re: (Score:1)
As long as it can get out to the internet that's not a problem. I used to do this two decades ago with Linux firewalls I used to set up in Washington. Lot of NPOs. As long as they kept up their payment it would keep updating the machine. Sometimes I'd have to hoof it out there and do an in person upgrade. The bitch ran into it when they had no trouble so they'd cut the support contract. Then call me about a year or so later because someone broke in.
I don't do any of that anymore. Sold that business off. How
Port Mirroring (Score:1)
Re:Since when google became a bank? (Score:5, Funny)
I heard they have free food, and that it is really good.
Re: (Score:2)
It's called a Lauer lock
Re: Since when google became a bank? (Score:2)
Re: Haxxy haxxy haxx0rz!!!1! (Score:3)
Re: (Score:2)
Re: (Score:2)
In theory? No. In practice? That is a very good question. These are, generally, skilled officers, educated well enough to manage a tremendous responsibility correctly and reliably. One or more of them might be clever enough to outsmart flawed security.
Re: (Score:2)
Re: (Score:1)
Google doesn't sack people for finding exploits. They sack people who say men and women aren't biologically identical.