At the beginning of January, I was looking for a new subject to start researching. While out on a walk one night, my attention was drawn to the telephone entry systems outside every apartment complex in my neighborhood. I noticed one brand of these systems more than others, Doorking.
As soon as I got home, I started looking into Doorking’s entry systems. I found that some of the newer models could be programmed with software known as Remote Account Management, so I began to pore over manuals. The video below will give a quick summary of how these systems work.
Unfortunately I didn’t have a Doorking system to test on, and working systems that I could find on eBay were a tad bit on the pricey end for my research budget. Without a system to test on, I watched more Doorking videos and read materials. From these materials, I found out that Doorking uses a software registration system. There are two types of systems that can be registered: Internet Modem (IM Server) and DKS Cellular.
Learning more about the IM Server and what its function is:
I decided to take a look at the registration system itself, so I navigated there and registered an account. I populated my account’s profile with information and then took a look around.
After checking out the few pages that logged-in users have access to, I fired up Fiddler and took a look at the request to view my account’s profile.
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept-Encoding: gzip, deflate, sdch, br
I realized that the only thing telling the server which user is currently logged in is the cookie Credits=User:tednorman. This indicated to me that session management and authorization were in bad shape. To confirm, I created a second account and verified that the only change in the request at all is the username in the cookie. This means that if we know an account’s username we can gain complete access to it by modifying the cookie.
I believe this to be a complete authentication bypass that leads to the disclosure of personal information and entry system access information, including master codes. A malicious user could create a list of possible usernames and automate requests to scrape information. On the software registration system, the current password is not required to change the email address or password of a logged-in account. A malicious user could leverage this to forcibly lock users out of their accounts. Users would then have to contact Doorking directly to get access back to their accounts. After reviewing the manual for their Remote Account Manager software, I’ve also learned that it is possible to download a system’s data.
This would mean that once a person has the telephone number and access code of a system, they can download data from that system. The manual lays out the types of information that can be downloaded.
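As an added illustration of the two flaws above (identity taken from a client-supplied username cookie, and credential changes that do not re-check the current password), here is the vulnerable lookup next to a hardened version. This is example code written for this post, not Doorking’s software; the user table, password values and cookie name "session" are constructed for the demo.

```python
import hmac
import secrets

# Constructed sample user database; passwords are stored as plain strings here
# only to keep the example short (a real store would keep salted hashes).
USERS = {
    "tednorman": {"email": "ted@example.invalid", "password": "orig-pass-1"},
    "secondacct": {"email": "two@example.invalid", "password": "orig-pass-2"},
}

def parse_cookies(header):
    """Split a Cookie header into name/value pairs."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k: v for k, v in pairs}

def user_from_cookie_vulnerable(cookie_header):
    """The flawed pattern: the client-asserted 'Credits=User:<name>' cookie is
    trusted as proof of identity, so knowing a username is enough to be that user."""
    value = parse_cookies(cookie_header).get("Credits", "")
    if value.startswith("User:") and value[5:] in USERS:
        return value[5:]
    return None

# Server-side session store: opaque random token -> username. Only the server
# creates entries, so a client cannot mint a token that maps to another user.
SESSIONS = {}

def login(username, password):
    """Issue a fresh unguessable session token only after verifying credentials."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def user_from_cookie_hardened(cookie_header):
    """The fixed pattern: identity comes from a server-side session lookup."""
    return SESSIONS.get(parse_cookies(cookie_header).get("session", ""))

def change_password(cookie_header, current, new):
    """Re-authenticate with the current password before changing credentials,
    so a hijacked session alone cannot lock the real owner out."""
    username = user_from_cookie_hardened(cookie_header)
    if username is None or not hmac.compare_digest(USERS[username]["password"], current):
        return False
    USERS[username]["password"] = new
    return True
```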
The 1833, 1834, 1835, 1837, or 1838 entry systems store all activity in a history buffer which is then downloaded to the PC for auditing, analysis, and record keeping. The history buffer in these units will store up to 8000 events which include the date, time, resident name, if access was by telephone entry, entry code, postal, or card / transmitter and which code number was used. The system will also report if access was granted or denied. If the access control system includes gate operators with Gate Tracker™ reporting capability, these transactions are also received during the transaction data transfer.
To recap, a bad foray into authorization and session management exposes customer data and entry system creds, which then leaves those systems open to a potential attacker. The attacker could choose to download the entry system’s data and history or reprogram the system.
Getting in touch with Doorking about this issue wasn’t exactly a breeze. I couldn’t get a response through their support email. I commented on one of Doorking’s tweets and asked how I could get in touch with them. They replied with a phone number for their tech support and an email address. I sent off an email to this address but never heard back. After some time I called the number they gave me and spoke to someone about the issue. We went over the issue on the call, and then I sent a detailed email on the issue. The following day I received an email from the VP of Engineering at Doorking. He thanked me for contacting them about the issue and said the problem would be fixed immediately. Overall it was difficult getting in touch with them, but once I spoke to someone about the issue they were responsive.
1-8-17 – Initial contact via email
1-12-17 – After no response I sent a second email
1-18-17 – After no response I called DK and left a voicemail
1-30-17 – Spoke to DK Staff and disclosed findings.
1-31-17 – Received an email from DK VP of Eng
2-9-17 – Noticed a change with the affected system’s session management. Requested confirmation from DK that their fix has been applied.
2-15-17 – Received an email from DK stating that they had implemented a fix.