
When the Front Door Becomes a Backdoor: The Security Paradox of OSDP

Black Hat · 1,299 views · 36:12 · about 2 years ago

This talk demonstrates multiple attack vectors against the Open Supervised Device Protocol (OSDP) used in physical access control systems. The researchers show how to bypass tamper protection and perform a time-delay attack to gain unauthorized entry, as well as how to achieve remote code execution on an AXIS A1001 network door controller. The presentation highlights the security paradox where increased functionality and complexity in modern protocols introduce new, critical attack surfaces. The researchers also release a custom fuzzing framework to identify zero-day vulnerabilities in OSDP implementations.

Breaking Physical Access Control: Exploiting OSDP and AXIS A1001 Controllers

TLDR: Researchers at Black Hat 2023 demonstrated that the Open Supervised Device Protocol (OSDP) is susceptible to critical vulnerabilities, including heap overflows and time-delay attacks that allow unauthorized door access. By targeting the AXIS A1001 network door controller, they achieved remote code execution and developed a custom fuzzing framework to uncover zero-day flaws. Security teams must prioritize hardening these controllers and treating serial connections with the same scrutiny as public-facing network interfaces.

Physical access control systems are often treated as a "set and forget" component of infrastructure. We assume that because a reader is physically mounted to a wall and connected via a serial cable, it is inherently secure. The research presented at Black Hat 2023 shatters this assumption, proving that modern protocols like OSDP, while offering more features than the legacy Wiegand standard, introduce a massive, complex attack surface that is ripe for exploitation.

The OSDP Security Paradox

OSDP was designed to replace the aging, insecure Wiegand protocol. It supports bidirectional communication, AES encryption, and data integrity checks. However, the transition to a more feature-rich protocol has brought significant complexity. Where a Wiegand implementation might consist of a few hundred lines of code, an OSDP implementation often exceeds 4,000 lines, excluding the necessary linked libraries. This increase in code volume is a direct contributor to the rise in exploitable bugs.

The researchers identified that even when OSDP is configured with a secure channel, implementation errors can lead to critical failures. One of the most striking findings is the "PD Busy" message. This message is used by a peripheral device to tell the controller it needs more time to process a command. Crucially, this message is unencrypted, even within a secure channel, and can be sent continuously. An attacker can use this to manipulate the timing of the communication, effectively forcing a time-delay attack that keeps a door unlocked or delays a response until the attacker can inject their own valid entry request.
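The osdp_BUSY behaviour above is easiest to reason about at the frame level. The following is an added example, not code from the talk or from the AXIS firmware: a small C parser for CRC-framed OSDP packets plus a detector that reports the longest run of consecutive osdp_BUSY replies in a capture, the signature a controller log would show during the timing manipulation described. The frame layout and constants (SOM 0x53, osdp_ACK 0x40, osdp_BUSY 0x79, the SCB flag, CRC-16 with initial value 0x1D0F) follow the OSDP specification; the sample capture is constructed in `sample_capture_busy_run()`, and the secure-channel frames in it carry an SCB but no MAC, since only framing is inspected here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* OSDP framing constants from the specification; every packet built below is constructed
 * sample data, not a real capture. */
#define OSDP_SOM        0x53   /* start of message */
#define OSDP_CTRL_CRC   0x04   /* control byte bit 2: CRC-16 trailer instead of checksum */
#define OSDP_CTRL_SCB   0x08   /* control byte bit 3: secure channel block present */
#define OSDP_REPLY_ACK  0x40   /* osdp_ACK */
#define OSDP_REPLY_BUSY 0x79   /* osdp_BUSY: "PD needs more time" */
#define OSDP_SCS_16     0x16   /* SCB type: reply with MAC inside a secure channel */

typedef struct {
    uint8_t addr;      /* PD address (low 7 bits of the address byte) */
    int is_reply;      /* bit 7 of the address byte is set on PD -> CP replies */
    int has_scb;       /* frame carries a secure channel block */
    uint8_t code;      /* command or reply code */
    size_t data_len;   /* payload bytes after the code byte */
} osdp_frame_t;

/* CRC-16/CCITT as used by OSDP: polynomial 0x1021, initial value 0x1D0F. */
static uint16_t osdp_crc16(const uint8_t *buf, size_t len) {
    uint16_t crc = 0x1D0F;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(buf[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Parse one CRC-framed OSDP packet. Returns 0 on success, negative on a framing/CRC error. */
static int osdp_parse(const uint8_t *buf, size_t buflen, osdp_frame_t *out) {
    if (buflen < 8 || buf[0] != OSDP_SOM) return -1;
    size_t len = buf[2] | ((size_t)buf[3] << 8);      /* LEN counts the whole packet */
    if (len < 8 || len > buflen) return -2;
    uint8_t ctrl = buf[4];
    if (!(ctrl & OSDP_CTRL_CRC)) return -3;            /* checksum-only frames not handled */
    uint16_t want = buf[len - 2] | ((uint16_t)buf[len - 1] << 8);
    if (osdp_crc16(buf, len - 2) != want) return -4;
    size_t pos = 5;
    out->has_scb = (ctrl & OSDP_CTRL_SCB) != 0;
    if (out->has_scb) {                                /* SCB = [length][type][...] */
        size_t scb_len = buf[5];
        if (scb_len < 2 || pos + scb_len >= len - 2) return -5;
        pos += scb_len;
    }
    if (pos >= len - 2) return -6;                     /* no room for the code byte */
    out->addr = buf[1] & 0x7F;
    out->is_reply = (buf[1] & 0x80) != 0;
    out->code = buf[pos];
    out->data_len = (len - 2) - (pos + 1);
    return 0;
}

/* Build a frame (only used to construct the sample capture). Returns length, 0 on overflow. */
static size_t osdp_build(uint8_t *out, size_t cap, uint8_t addr, int reply,
                         int scb_type, uint8_t code, const uint8_t *data, size_t dlen) {
    size_t scb = scb_type ? 2 : 0, len = 5 + scb + 1 + dlen + 2, pos = 5;
    if (len > cap || len > 0xFFFF) return 0;
    out[0] = OSDP_SOM;
    out[1] = (uint8_t)((addr & 0x7F) | (reply ? 0x80 : 0));
    out[2] = (uint8_t)(len & 0xFF);
    out[3] = (uint8_t)(len >> 8);
    out[4] = OSDP_CTRL_CRC | (scb ? OSDP_CTRL_SCB : 0);
    if (scb) { out[pos++] = 2; out[pos++] = (uint8_t)scb_type; }
    out[pos++] = code;
    if (dlen) memcpy(out + pos, data, dlen);
    pos += dlen;
    uint16_t crc = osdp_crc16(out, pos);
    out[pos++] = (uint8_t)(crc & 0xFF);
    out[pos++] = (uint8_t)(crc >> 8);
    return pos;
}

/* Longest run of consecutive osdp_BUSY replies in a capture. A sustained run while the
 * session is otherwise secure means the PD side is holding the CP with plaintext BUSY
 * frames; a controller log that alarms on runs above a small threshold exposes it. */
static int osdp_longest_busy_run(const uint8_t *const *frames, const size_t *lens, size_t n) {
    int run = 0, best = 0;
    for (size_t i = 0; i < n; i++) {
        osdp_frame_t f;
        if (osdp_parse(frames[i], lens[i], &f) != 0 || !f.is_reply) continue;
        if (f.code == OSDP_REPLY_BUSY) { if (++run > best) best = run; } else run = 0;
    }
    return best;
}

/* Constructed capture: one MAC'd ACK, then three plaintext BUSY replies, then an ACK. */
static int sample_capture_busy_run(void) {
    static uint8_t f[5][16];
    size_t lens[5];
    const uint8_t *frames[5];
    lens[0] = osdp_build(f[0], 16, 1, 1, OSDP_SCS_16, OSDP_REPLY_ACK, NULL, 0);
    for (int i = 1; i <= 3; i++) lens[i] = osdp_build(f[i], 16, 1, 1, 0, OSDP_REPLY_BUSY, NULL, 0);
    lens[4] = osdp_build(f[4], 16, 1, 1, OSDP_SCS_16, OSDP_REPLY_ACK, NULL, 0);
    for (int i = 0; i < 5; i++) frames[i] = f[i];
    return osdp_longest_busy_run(frames, lens, 5);
}

/* Parser sanity check: a built frame parses, and a flipped address byte fails the CRC. */
static int sample_crc_check(void) {
    uint8_t buf[16];
    osdp_frame_t fr;
    size_t n = osdp_build(buf, sizeof buf, 1, 1, OSDP_SCS_16, OSDP_REPLY_ACK, NULL, 0);
    if (osdp_parse(buf, n, &fr) != 0 || fr.code != OSDP_REPLY_ACK || !fr.has_scb) return 0;
    buf[1] ^= 0x01;
    return osdp_parse(buf, n, &fr) == -4;
}

int main(void) {
    printf("longest osdp_BUSY run in sample capture: %d\n", sample_capture_busy_run());
    printf("parser CRC check: %s\n", sample_crc_check() ? "ok" : "FAILED");
    return 0;
}
```

The detector deliberately counts runs rather than single BUSY replies, because an isolated BUSY is legitimate protocol behaviour; what distinguishes the timing abuse is that the replies never stop. On a real deployment the same logic would be fed from the controller's serial capture or its OSDP debug log.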

From Serial to Remote Code Execution

The research didn't stop at protocol-level manipulation. By targeting the AXIS A1001 Network Door Controller, the team demonstrated a path from a physical serial connection to full remote code execution. Using binwalk and Jefferson, they extracted the device firmware and identified the pacsiod binary as the primary process handling OSDP communication.

Once they gained a foothold, they discovered that the web interface allowed for arbitrary file uploads. By uploading a crafted netcat payload, they established a reverse shell. The technical core of their exploit involved a heap overflow vulnerability in the message processing logic. The controller calculates the buffer size based on the OSDP message payload, but it fails to handle negative numbers returned by the osdp_get_message_data_size function correctly. When this signed number is cast to an unsigned integer during the malloc call, it results in a massive allocation request, leading to a heap overflow that allows for the overwriting of critical structures, such as callback function pointers.
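The signed-to-unsigned bug class above is worth seeing in code. The following is an added example and is not the A1001's firmware or the researchers' exploit: the function name `osdp_get_message_data_size` is taken from the text, but its body, the header-size constants and the packet layout are assumptions. It shows the vulnerable allocation pattern (negative error code converted to `size_t`) beside a hardened form that rejects negative and oversized results and checks the LEN field against the bytes actually received. The sample packets are constructed inline; their CRC bytes are placeholders because CRC checking is not the point here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for the controller's osdp_get_message_data_size(): the OSDP LEN
 * field counts the whole packet, so payload size = LEN - (5 header + 1 code + 2 CRC) bytes.
 * A LEN below 8 yields a NEGATIVE result, the error path the talk says the caller does not
 * check. Layout and names here are assumptions, not the A1001's actual code. */
#define OSDP_HDR_BYTES 6     /* SOM, ADDR, LEN(2), CTRL, CODE */
#define OSDP_CRC_BYTES 2
#define OSDP_MAX_DATA  0x600 /* assumed sane upper bound on one payload */

static int osdp_get_message_data_size(const uint8_t *pkt, size_t pktlen) {
    if (pktlen < 4) return -1;
    int len = pkt[2] | (pkt[3] << 8);                 /* LEN, little-endian */
    return len - (OSDP_HDR_BYTES + OSDP_CRC_BYTES);   /* may be negative */
}

/* The size_t that the VULNERABLE pattern hands to malloc(): the implicit int -> size_t
 * conversion turns e.g. -2 into SIZE_MAX - 1. Isolated so it can be inspected without
 * allocating anything. */
static size_t vulnerable_alloc_size(int n) {
    return (size_t)n;
}

/* Vulnerable pattern as described in the talk: no sign or bounds check before the
 * allocation, and the same unchecked value drives the copy length. */
static uint8_t *vulnerable_copy_payload(const uint8_t *pkt, size_t pktlen, size_t *out_len) {
    int n = osdp_get_message_data_size(pkt, pktlen);
    uint8_t *buf = malloc(vulnerable_alloc_size(n));   /* -2 becomes a ~SIZE_MAX request */
    if (!buf) return NULL;
    memcpy(buf, pkt + OSDP_HDR_BYTES, (size_t)n);      /* length is attacker-influenced */
    *out_len = (size_t)n;
    return buf;
}

/* Hardened form: reject negative and oversized results before allocating, and refuse a
 * LEN that claims more bytes than were actually received on the wire. */
static uint8_t *safe_copy_payload(const uint8_t *pkt, size_t pktlen, size_t *out_len) {
    int n = osdp_get_message_data_size(pkt, pktlen);
    if (n < 0 || n > OSDP_MAX_DATA) return NULL;
    size_t need = (size_t)n;
    if (OSDP_HDR_BYTES + need + OSDP_CRC_BYTES > pktlen) return NULL;
    uint8_t *buf = malloc(need ? need : 1);
    if (!buf) return NULL;
    memcpy(buf, pkt + OSDP_HDR_BYTES, need);
    *out_len = need;
    return buf;
}

/* Constructed sample packets (CRC bytes are placeholders; CRC is not verified here). */
static const uint8_t PKT_OK[]    = {0x53, 0x00, 0x0B, 0x00, 0x04, 0x61, 0xAA, 0xBB, 0xCC, 0x00, 0x00}; /* LEN=11, 3-byte payload */
static const uint8_t PKT_NEG[]   = {0x53, 0x00, 0x06, 0x00, 0x04, 0x60, 0x00, 0x00};                   /* LEN=6 -> size -2 */
static const uint8_t PKT_TRUNC[] = {0x53, 0x00, 0x20, 0x00, 0x04, 0x61, 0xAA, 0xBB, 0xCC, 0x00, 0x00}; /* LEN=32, 11 bytes received */

/* Payload length the hardened path accepts for the valid packet (3), or -1 if rejected. */
static int safe_ok_payload_len(void) {
    size_t n = 0;
    uint8_t *p = safe_copy_payload(PKT_OK, sizeof PKT_OK, &n);
    if (!p) return -1;
    int ok = (n == 3 && p[0] == 0xAA && p[2] == 0xCC);
    free(p);
    return ok ? (int)n : -1;
}

/* 1 if the hardened path rejects both the negative-size and the truncated packet. */
static int safe_rejects_malformed(void) {
    size_t n = 0;
    return safe_copy_payload(PKT_NEG, sizeof PKT_NEG, &n) == NULL &&
           safe_copy_payload(PKT_TRUNC, sizeof PKT_TRUNC, &n) == NULL;
}

int main(void) {
    int n = osdp_get_message_data_size(PKT_NEG, sizeof PKT_NEG);
    printf("data size for LEN=6: %d -> malloc(%zu) in the unchecked path\n", n, vulnerable_alloc_size(n));
    size_t m = 0;
    uint8_t *v = vulnerable_copy_payload(PKT_OK, sizeof PKT_OK, &m);   /* fine on a well-formed packet */
    free(v);
    printf("hardened path: ok payload %d bytes, malformed rejected: %d\n",
           safe_ok_payload_len(), safe_rejects_malformed());
    return 0;
}
```

The hardened version makes two separate decisions, and both matter: the sign and range check stops the cast from ever reaching `malloc`, and the comparison against `pktlen` stops a LEN field that overstates the payload from driving `memcpy` past the bytes that were really received. A check on only one of the two leaves the other path open.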

Fuzzing for Zero-Days

To automate the discovery of these flaws, the team built a custom fuzzing framework. This tool sits in the middle of the serial connection, allowing for the interception, modification, and injection of OSDP packets. The framework is designed to be easily extensible, with custom mutation primitives that can be defined in a few lines of code.

For those interested in testing their own hardware, the researchers highlighted the importance of monitoring controller logs and performing rigorous product assessments. The ability to fuzz serial protocols is no longer a niche skill; it is a requirement for anyone auditing modern IoT or industrial control systems. The team’s work underscores that OWASP A01:2021-Broken Access Control and OWASP A07:2021-Identification and Authentication Failures are just as relevant to physical hardware as they are to web applications.

Hardening Your Infrastructure

Defending against these attacks requires moving away from the "trusted serial" mindset. If you are managing access control systems, ensure that your controllers are not publicly exposed and that their management interfaces are restricted to isolated VLANs. Disable any unnecessary debug features or services that could be abused for file uploads or remote command execution.

Most importantly, treat the serial connection between the reader and the controller as a potential entry point. If a reader is in a public area, it should be considered compromised. Use tamper-detection features, but do not rely on them as your only line of defense. The researchers’ ability to bypass physical tamper sensors using simple, custom-built tools proves that physical security controls are only as strong as the software logic that monitors them. As OSDP continues to evolve, we should expect to see more research into these protocols, and it is only a matter of time before these techniques are weaponized in the wild. Keep your firmware updated, audit your configurations, and never assume that a "secure" protocol is immune to a well-crafted heap overflow.

Talk Type: research presentation
Difficulty: advanced
Category: iot security
Has Demo · Has Code · Tool Released


Black Hat Europe 2023
