NFC Technology Is Flawed?

Published on 05 Nov 2022

NFC, Technology, Flawed

A security research company claims to have found a flaw that may be "easily" exploited in a door entry security system used in government buildings and apartment complexes, but the flaw cannot be patched. The company issues a warning about the flaw.

According to the Norwegian security company Promon, the flaw is present in several models of the Aiphone GT that use the NFC technology commonly found in contactless credit cards. This flaw makes it possible for malicious actors to gain access to sensitive facilities by brute-forcing the security code for the door entry system.

Door entry systems provide safe entrances to buildings and residential complexes. Still, their growing reliance on digital technology makes them more susceptible to direct and indirect tampering forms.

Also Read: Top E-learning Trends In 2022

Aiphone Clientele Under Threat 

According to corporate brochures, Aiphone names both the White House and the United Kingdom Parliament as clients of the compromised systems. 

Promon security researcher Cameron Lowell Palmer stated that a would-be intruder could use an NFC-capable mobile device to rapidly cycle through every possible combination of a four-digit "admin" code to secure each Aiphone GT door system. Palmer made this statement after researching on behalf of Promon. Palmer said it only takes a few minutes to cycle through each of the 10,000 potential four-digit codes utilised by the door entry system. This is because the system does not restrict the number of times a code may be attempted. This code may be entered into the system's keypad or transferred to an NFC tag, enabling malicious actors to access restricted regions without needing to touch the device.

Palmer demonstrated how he constructed a proof-of-concept Android app in a video posted with TechCrunch. The software allowed him to verify each four-digit code on an Aiphone door entry system that was susceptible in his test lab. Palmer said that the afflicted variants of the Aiphone do not save logs, which makes it possible for malicious users to circumvent the system's security without leaving a digital trail.

In the latter half of June 2021, Palmer informed Aiphone of the security flaw. Aiphone has informed the security company that systems manufactured before December 7, 2021, are vulnerable and cannot be updated. However, Aiphone has told the security company that systems manufactured after this date have a software fix that restricts the number of times a door is opened.

Multiple Flaws In Aiphone System

Promon found more than one flaw in the Aiphone system; thus, this one is one of many. Promon also said that it had found that the application that was used to set up the door entry system provides a file in plaintext that is not encrypted and includes the administrator code for the back-end portal of the system. Promon says this might also offer intruder access to the information required to enter restricted regions.

Requests for a response that were put in before the article was published were not responded to by the Aiphone representative, Brad Kemcheff.

CBORD is a technology company that provides access control and payment systems to hospitals and university campuses. Earlier this year, a university student who was also a security researcher found a vulnerability in a widely used door entry system built by CBORD. The vulnerability was referred to as a "master key." After the researcher brought the problem to the attention of CBORD, the business promptly corrected the flaw.


Featured image: NFC Technology


Subscribe to to learn about new updates and changes made by tech giants that affect health, marketing, business, and other fields. Also, if you like our content, please share on social media platforms like Facebook, WhatsApp, Twitter, and more.