A researcher says a US healthcare facility has failed to address a serious vulnerability that has been making it possible for threat actors to hack the doors of one of its buildings for at least the past year. The healthcare organization, on the other hand, has denied the findings.
The research was conducted by Shawn Merdinger, who in 2010, at the DEFCON conference, showed how S2 Security door access controllers used by hospitals, schools, fire stations, businesses and other entities could be hacked. A decade later, Merdinger was jailed after sending threatening emails to people at several universities during a mental health crisis.
After being released and staying sober, he launched a cybersecurity research project — he describes it as a “project of personal redemption” — whose goal is to show that physical access control vulnerabilities still impact many organizations.
As part of the project, named Box of Rain, the researcher has documented nearly 40 instances of buildings that last year had hackable door controllers. He is now going through all the findings again to determine which of the buildings are still vulnerable considering that more than a year has passed. The researcher claims the findings were responsibly disclosed to impacted organizations and US government agencies.
While some organizations have since addressed the security holes after being notified, others have not. One case that stands out, the researcher says, impacts a building apparently belonging to Los Angeles-based healthcare organization Cedars-Sinai.
The problem, according to the researcher, is that the S2 door access system associated with the impacted facility is exposed to the internet, it’s easily discoverable, and its web interface can be accessed using default ‘admin/admin’ credentials.
The researcher says a hacker could leverage this weakness to open doors or schedule doors to open at specified times, add or modify staff privileges (an adversary can be added), learn when certain people arrive or leave, disrupt the system and prevent doors from opening, and use the compromised access controller for further attacks on the network.
Products from S2 Security, which several years ago was combined with Lenel and became LenelS2, have been known to be affected by vulnerabilities, but in this case the access controllers are at risk due to their exposure on the web and the use of default credentials, rather than an actual product vulnerability.
The researcher said the web interface associated with the Cedars-Sinai building was still accessible with default credentials as of the morning of September 24.
SecurityWeek can confirm that the web interface associated with an S2 controller is accessible at the IP address indicated by the researcher, but we have not attempted to log in. The evidence provided by the researcher, however, is credible.
Merdinger’s report includes a screenshot of an activity log associated with the vulnerable door controller, showing the time when various Cedars doctors had accessed the building.
SecurityWeek has reached out for comment to CISA and Health-ISAC, both of which, Merdinger claims, received his reports but apparently failed to take action. The researcher has provided screenshots of emails showing Health-ISAC had been looking into the findings. Health-ISAC has not responded to SecurityWeek and CISA said it will not be commenting.
Cedars-Sinai has also been contacted, but the healthcare organization said the issues found by Merdinger do not affect its facilities.
Building access systems are known to be affected by many vulnerabilities and in some cases it has taken vendors several years to patch them, even when there was evidence of malicious exploitation.