Google’s Project Zero team are familiar faces in the hunt for vulnerabilities and bugs, but a security hole in the tech giant’s own physical security network could have left them, as well as other employees, locked out of the office. Luckily for Google, however, the way to circumvent the security system which kept unauthorized visitors out of Sunnyvale offices was found by one of its own engineers, rather than an individual without pure intentions.

David Tomaschik, an engineer at Google, decided to explore encrypted messages that were being sent across the firm’s network by Software House devices. iStar Ultra and IP-ACM are some of the products on offer designed to improve the physical security of Google’s offices.

Speaking to Forbes, the engineer said that after probing the messages and discovering they were not randomized, he also stumbled across a hardcoded encryption key used by all Software House devices. With this key in hand, Tomaschik was able to replicate the key and hijack the security system, forcing it to open and lock, depending on his will. Even when equipped with the RFID-based keycards which are required to enter the premises, the doors would then not submit to legitimate visitors or Google employees if he did not want them to.

The engineer tested out his findings and sent crafted, malicious code across Google’s networks. The lights on his office door confirmed the findings by turning red to green, and…
ZDNet is a business technology news website published by CBS Interactive, along with TechRepublic. The brand was founded on April 1, 1991, as a general interest technology portal from Ziff Davis and evolved into an enterprise IT-focused online publication owned by CNET Networks.