The Fragile Art of Edge Computing: Walk through Access Control Systems

Abstract

With great computing power comes great responsibility.

Edge computing architecture brings processing power onto or near the endpoints for faster processing, lower latency and reduced bandwidth demand. Facial recognition cameras, smart thermostats that adjust room temperature, elevators tuned for scheduled maintenance, optical inspectors for medical pills … with all the sensors that extract the features, these devices make decisions on the edge, sending metrics and sometimes logs back to the datacenter. Industrial control systems, access control systems, and even consumer products are leveraging this architecture. However, a model of powerful computational endpoints brings us back to the era where thin clients failed. Edge computing nodes are now responsible for protecting sensitive data, ensuring autonomous behavior and resisting intrusions, while the servers become “blind” or only capable of auditing part of the data.

In this talk, we look into one example of edge computing that is of particular interest for the security domain: biometric access control. In our work, we conducted an extensive security analysis of four access control systems that use facial recognition to authenticate users, and reported similar classes of vulnerabilities in all tested devices. This talk is a technical journey into one of the devices that we found to be largely vulnerable. We will first discuss the general weakness of the edge computing model and then walk through the technical details of the vulnerabilities that we identified (currently in responsible disclosure, ZDI-CAN-9990, 9991, 9992, 9993), including: server command forgery, arbitrary user addition, privilege escalation, man-in-the-middle, and face database exposure. We will demo how to leak employee pictures, automatically add unauthorized personnel as administrator, and impersonate a back-end server in order to open the doors and leave a false trace to deceive audits.

In conclusion, we will discuss why the OWASP Top 10 is still meaningful to edge computing, how common such vulnerabilities are in the edge computing field, and how to mitigate the disclosed issues.

LOCATION: TRACK 2

DATE: July 26, 2020

TIME: 07:00 PM - 08:00 PM (GMT +8)

Philippe Lin
Roel Reyes
Morton Swimmer
Joey Costoya
Vincenzo Ciancaglini
