A Google employee succeeded in hacking the Google campus doors deliberately. Well, he had no bad intentions; rather he actually identified a vulnerability in Google’s security system. The flaw in the third-party system integrated with Google’ network could have allowed a bad actor to take control of the keycard-controlled doors.
Google Campus Doors Vulnerable To Hacking
Monday morning, Forbes disclosed an interesting event involving someone hacking the office doors of Google’s building. Reportedly, an engineer David Tomaschik discovered a vulnerability that allowed anyone to access the security system of Google’s Campus Doors.
The doors at the Google’s Sunnyvale office are controlled by RFID keycards. However, Tomaschik discovered that a glitch in the door lock system could let anyone control the doors even without a keycard.
Google’s campus doors are powered by Software House devices operated by keycards. Though the system appears secure, the hacker found that the devices used an unprotected hardcore encryption, easy for anyone to trick.
Explaining how Tomaschik stumbled upon this flaw, Forbes explained,
“Last summer, when Tomaschik looked at the encrypted messages the Software House devices (called iStar Ultra and IP-ACM) were sending across the Google network, he discovered they were non-random.”
Whereas, proper encryption makes messages look random, he “dug deeper” and found that the Software House only used a ‘hardcoded’ encryption key. That would let him easily intercept the security and give whatever commands he would want to the door system.
“That meant he could effectively replicate the key and forge commands, such as those asking a door to unlock. Or he could simply replay legitimate unlocking commands, which had much the same effect.”
He finally exploited the flaw to demonstrate the severity of the flaw. As a result, he noticed that the door lights changed color from red to green and eventually, the door unlocked. Moreover, he could accomplish all this without leaving any traces. It meant that a potential attacker could easily snoop into Google offices, putting the entire infrastructure at risk. Alternatively a bad actor could have easily thrown in malicious codes to the Google’s network.
Google Confirms No Malicious Exploitation Of The Flaw
Soon after discovering the vulnerability, David Tomaschik notified the relevant officials about it. Consequently, Google swiftly stepped up to patch the security flaw.
Regarding whether or not some bad actor had already exploited the vulnerability, a spokesperson from Google confirmed that there has been no evidence of any malicious exploitation. Moreover, both the Software House and Google have taken measures to enhance security. The spokesperson went on to state,
“The iStar v2 Board now uses a more suitable form of encryption, known as TLS, which goes some way to fixing the issue. Meanwhile, Google has segmented its network in order to provide protection for the vulnerable systems still in its properties.”
Moreover, a spokesperson from Johnson Controls, Software House owner, also said that they corresponded with their customers about whether or not they need any replacement of hardware after the patch. This statement came in response to Tomaschik’s concern about the safety of the other customers, besides Google, who use Software House devices.
Take your time to comment on this article.