Whee, bugs in badge control systems: https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-02
@reverseics@infosec.exchange
According to Johnson Controls, the iSTAR Ultra is an older device that has a planned end of service date within a year from this publication. Johnson Controls recommends users consider upgrading to a newer control unit.
That completely reads like "I can't wait to stop supporting this shit."
@cR0w@infosec.exchange That pull quote you mentioned disappeared from the advisory today. I guess the vendor has decided that the product is not actually planned end of service. Hooray?
@cR0w@infosec.exchange Yeah. I will say, I reported the bugs in August 2024. At that time the vendor had expressed no plans to end support for the equipment.
The advisory might not make it perfectly clear, but all of the bugs really impact the newer hardware anyway. I think the newer ones might limit firmware modification slightly (maybe, but I'm of course skeptical), but that's about it.
@reverseics@infosec.exchange Skeptical? Of Johnson Controls?!
@cR0w@infosec.exchange This project did teach me something funny: if infosec doesn't work out for me, I can make a killing by repairing and configuring door/badge control systems.
A couple of the devices I got used had failed, and I found a ton of forum posts about how door controllers failed in an identical manner. I was able to repair them; all the forum people lamented that the controllers were irreparable according to the vendor and they had to buy new.
There are a LOT of failed boards out there. I can pick them up for $20-50, fix them, and sell them for $500 easily.
@reverseics@infosec.exchange Oh nice. That actually sounds kind of fun. Maybe not to do every day but for a break.
@cR0w@infosec.exchange If I put on my evil hat I could also preload all said repaired boards with some backdoors, lulz. Magic Card to let me into any building? Is possible.
@reverseics@infosec.exchange So like every integrator out there then? 😉
@cR0w@infosec.exchange
(••)
( ••)>⌐■-■
(⌐■_■)
I'm in.