Critical Vulnerabilities Found in HID Mercury Access Control Panels

SILICON VALLEY, Calif. — Cybersecurity firm Trellix recently announced it discovered four zero-day vulnerabilities in HID Global Mercury access control panels, as well as four previously patched vulnerabilities that were not publicly disclosed.

The firm says the impact of these vulnerabilities is full system control, including the ability for an attacker to remotely manipulate door locks.

Trellix investigated the access control panels as part of its ongoing research to discover critical vulnerabilities, saying, “We chose this specific access control panel to research because of its ubiquitous use, the volume and criticality of industries they are used in, the security certifications the product has received and overall position in the market.”

The firm was able to achieve root access to the device’s operating system and pull its firmware for emulation and vulnerability discovery via physical access, network access and exploitation.

The vulnerabilities uncovered by Trellix allowed researchers to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems.

HID Global confirmed with Trellix that all OEM partners using Mercury boards are vulnerable to the issues on specific hardware controller platforms.

The firm says this research is actionable for vendors and third parties that collaborate with integrators to install physical access systems and that customers using HID Global Mercury boards should contact their Mercury OEM partner for access to security patches prior to weaponization by malicious threat actors, which could lead to both digital or physical breaches of sensitive information and protected locations.

“HID Global is committed to open and transparent communication with our partners to ensure the continued long-term success of our business together,” HID Global tells SSI. “We were recently informed of cybersecurity vulnerabilities within firmware running on Mercury LP and EP4502 Intelligent Controllers. We then acted quickly to confirm and address all issues reported, validated fixes externally, and posted new firmware for our OEM partners to consume. These partners then communicate with their channel to deploy the firmware fix based on their individual timelines.”

HID acquired Mercury from ACRE in 2017. You can view the full research report from Trellix here.

The post Critical Vulnerabilities Found in HID Mercury Access Control Panels appeared first on Security Sales & Integration.



from News Archives - Security Sales & Integration https://www.securitysales.com/news/critical-vulnerabilities-found-hid-mercury-access-control-panels/
via IFTTT

Comments

Post a Comment

Popular posts from this blog

Total Tech Summit Puts Call Out for Top Integrators to Apply Now

Image
FRAMINGHAM, Mass. — Total Tech Summit announces that applications are now being accepted to attend this year’s event. Comprised of the  SSI Summit, CE Pro Summit and Commercial Integrator Summit, this year’s event will take place in Las Vegas at the MGM Grand Hotel and Casino, Nov. 13-15. At this all-expense-paid, exclusive event, VIP guests will have the chance to sit in on industry-defining sessions, key boardroom presentations, and be able to meet one-on-one with potential vendors. Total Tech Summit brings together the best in class to share ideas, learn from others, and most importantly, accelerating the next stage of their businesses. It is the only event of its kind that bridges channels and connections by bringing together professional security, commercial AV and residential AV integrators. Another perk of the Total Tech Summit is the VIP Peer-to-Peer groups. These group conversations take place throughout the months leading up to the event and are guided by the editors of t
Read more

Top 10 Security Stories From October 2021: China Ban Gains Steam, Vivint Countersues ADT

October saw its fair share of legal issues and acquisitions. This month, lawsuits involved home security companies, a gunshot detection provider and even a media company. Vivint Smart Home is seeking retribution for the lawsuit ADT filed against it last year that alleged Vivint salespeople go to ADT customers’ homes, get them to sign Vivint contracts and install the company’s alarm systems in their homes under false pretenses. Vivint had requested a motion to have that lawsuit dismissed, but when the judge denied the motion, Vivint launched a countersuit claiming it is in fact ADT that is deceiving and stealing its customers. Gunshot detection provider ShotSpotter filed a lawsuit against media company Vice, alleging it is profiting off of fabricated claims. Vice has been critical about ShotSpotter’s technology in a multitude of articles. Though not a lawsuit, Dahua and Hikvision continue to feel pressure from the U.S. government as it considers a new measure that would make it imp
Read more

Minnesota AG Calls for Cancellation of Home Security Contracts for Alleged Fraud

STEARNS COUNTY, Minn. — Bring Me the News reports that Minnesota’s Attorney General, Keith Ellison, says he’s gotten consumers in Stearns County out of home security contracts after they were misled by a door-to-door salesman. According to the report, Ellison’s office announced that home security companies Skyline Security Management and Safe Home Security have agreed to their cancel contracts with customers in and around Stearns County who purchased their systems from door-to-door salesman Gary Harvey. “Door-to-door salesmen and their employers are in the business of trust-building,” Ellison said in a statement. “They know they need to have your trust to sell you their products, particularly expensive products like security systems that are supposed to keep your home safe. When that trust is betrayed, it’s emotionally and financially painful. I appreciate Skyline and Safe Home taking the right step in canceling these contracts while my office does what we can under the law to hold M
Read more