dormakaba Registration Unit 9002 Unauthenticated UART Access Vulnerability

A vulnerability exists in the dormakaba registration unit 9002 (PIN Pad Unit) due to an exposed UART header on the backside of the device. The PIN pad transmits every button press to the UART interface, creating an opportunity for an attacker to exfiltrate PINs. The device's design allows for easy removal and replacement, enabling an attacker to install a hardware implant that connects to the UART and sends the intercepted data to another system, such as via WiFi.

Impact

Exploitation of this vulnerability allows for the interception and exfiltration of PINs entered on the registration unit 9002's keypad.

Reproduction

The vulnerability can be reproduced by physically accessing the registration unit 9002, detaching it from its mounted position, and connecting to the UART pins on the back of the device. Once the UART is properly configured, the unit can be reconnected to the access manager. Afterward, an entered PIN is transmitted via the UART interface, where it can be intercepted by an attached device, such as a Raspberry Pi Pico.

Remediation

Users are advised to update to a version that addresses this vulnerability. Consult the dormakaba security advisory page for more details.