Aiphone door entry systems can be easily bypassed thanks to NFC bug

News Summary

  • Promon also said it discovered that the app used to set up the door entry system offers an unencrypted, plaintext file that contains the administrator code for the system’s back-end portal.
  • Aiphone told the security company that systems manufactured before December 7, 2021 are affected and cannot be updated, but that systems after this date have a software fix that limits the rate of door entry attempts. It’s not the only bug that Promon discovered in the Aiphone system.
  • Because the system does not limit how many times a code can be tried, Palmer said it takes only minutes to cycle through each of the 10,000 possible four-digit codes used by the door entry system.
  • Palmer said the affected Aiphone models do not store logs, allowing a bad actor to bypass the system’s security without leaving a digital trace. Palmer disclosed the vulnerability to Aiphone in late June 2021.
A security research firm says it discovered an easily exploitable vulnerability in a door entry security system used in government buildings and apartment complexes, but warns that the vulnerabilit [+2711 chars]
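
The rate limiting mentioned in the summary, as an added sketch (not Aiphone's or Promon's code): an escalating lockout, and the worst-case time to present all 10,000 four-digit codes with and without it. The lockout thresholds, the `AttemptLimiter` and `sweep_time` names, and the 0.05 s per attempt are assumptions, not figures from the article.

```python
from dataclasses import dataclass
from typing import Optional

KEYSPACE = 10_000  # four-digit codes, as stated in the article


@dataclass
class AttemptLimiter:
    """Escalating lockout for a code reader (hypothetical policy values)."""
    free_attempts: int = 5          # assumed: failures before the first lockout
    base_lockout_s: float = 30.0    # assumed: first lockout duration
    max_lockout_s: float = 3600.0   # assumed: cap on any single lockout
    failures: int = 0
    locked_until: float = 0.0

    def try_code(self, now: float, correct: bool) -> str:
        if now < self.locked_until:
            return "locked"         # rejected without evaluating the code
        if correct:
            self.failures = 0
            return "open"
        self.failures += 1
        if self.failures >= self.free_attempts:
            # Double the lockout per extra failure; bound the exponent so the
            # multiplication cannot overflow before the cap is applied.
            step = min(self.failures - self.free_attempts, 16)
            delay = min(self.base_lockout_s * 2 ** step, self.max_lockout_s)
            self.locked_until = now + delay
        return "denied"


def sweep_time(limiter: Optional[AttemptLimiter], seconds_per_try: float) -> float:
    """Worst-case seconds to present every code in KEYSPACE once."""
    now = 0.0
    for _ in range(KEYSPACE):
        if limiter is not None:
            now = max(now, limiter.locked_until)  # wait out any active lockout
            limiter.try_code(now, correct=False)
        now += seconds_per_try
    return now


if __name__ == "__main__":
    unlimited = sweep_time(None, 0.05)
    limited = sweep_time(AttemptLimiter(), 0.05)
    print(f"no limit:   {unlimited / 60:.1f} minutes")
    print(f"with limit: {limited / 86400:.1f} days")
```

A lockout of this kind also lets anyone at the reader delay legitimate entry, so the thresholds are a trade-off, and each `denied` or `locked` result is the event a system would need to log to leave the trace the affected models lack.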