Johnson Controls Sensormatic Electronics KT-1
Plan Patch | 8.6 | ICS-CERT ICSA-21-257-02 | Sep 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The KT-1 controller does not validate message freshness or implement anti-replay protections in its authentication or command protocol. This allows an attacker with network access to capture and replay legitimate authentication or control messages to authenticate to the system or issue commands without providing valid credentials. Successful exploitation may allow unauthorized access to building controls including door locks, HVAC systems, and other integrated facility systems.
What this means
What could happen
An attacker could replay previously captured authentication or command traffic to the KT-1 controller, potentially granting unauthorized access to building automation controls or issuing commands to physical systems like door locks, HVAC, or lighting without valid credentials.
Who's at risk
Building automation system operators and facility managers who deploy Johnson Controls KT-1 access control systems. This affects any organization using KT-1 for door lock, badge reader, or building access management systems integrated with EntraPass software.
How it could be exploited
An attacker with network access to the KT-1 controller can capture legitimate authentication or control messages (via network sniffing or man-in-the-middle positioning). The attacker then replays these captured messages to the controller, which does not validate message freshness or originality, allowing the attacker to authenticate or issue commands as if they were legitimate users.
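What validating message freshness means on the receiving side, as an added example (not Johnson Controls code, and not the KT-1 wire protocol, which this advisory does not describe). The message layout, key, command string and 30-second window are assumptions made for the illustration: a verifier that checks only the MAC is compared with one that also enforces a time window and a seen-nonce cache.

```python
import hashlib
import hmac
import os

KEY = b"constructed-demo-key"  # constructed shared secret, not a real credential
MAX_SKEW = 30                  # assumed acceptance window, in seconds

def _mac(key, ts, nonce, cmd):
    return hmac.new(key, b"|".join((ts, nonce, cmd)), hashlib.sha256).hexdigest()

def sign(cmd, now, key=KEY):
    """Sender side: bind a timestamp and a random nonce into the MAC."""
    ts, nonce = str(int(now)).encode(), os.urandom(16).hex().encode()
    return {"ts": ts, "nonce": nonce, "cmd": cmd, "tag": _mac(key, ts, nonce, cmd)}

class NaiveVerifier:
    """Checks integrity only, so a captured message stays valid indefinitely."""
    def accept(self, msg, now, key=KEY):
        expected = _mac(key, msg["ts"], msg["nonce"], msg["cmd"])
        return hmac.compare_digest(expected, msg["tag"])

class FreshVerifier(NaiveVerifier):
    """Adds the two freshness checks: a time window and a seen-nonce cache."""
    def __init__(self):
        self.seen = {}  # nonce -> timestamp carried by the accepted message

    def accept(self, msg, now, key=KEY):
        if not super().accept(msg, now, key):
            return False                      # forged or modified
        ts = int(msg["ts"])
        if abs(now - ts) > MAX_SKEW:
            return False                      # stale: outside the window
        # Nonces only need to be remembered while their message could still pass.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if msg["nonce"] in self.seen:
            return False                      # replay inside the window
        self.seen[msg["nonce"]] = ts
        return True

def demo():
    t0 = 1_700_000_000                        # constructed clock value
    captured = sign(b"UNLOCK door=3", t0)     # constructed command
    naive, fresh = NaiveVerifier(), FreshVerifier()
    return {
        "naive_first": naive.accept(captured, t0 + 1),
        "naive_replay": naive.accept(captured, t0 + 3600),
        "fresh_first": fresh.accept(captured, t0 + 1),
        "fresh_replay_in_window": fresh.accept(captured, t0 + 5),
        "fresh_replay_late": fresh.accept(captured, t0 + 3600),
    }
```

The timestamp check alone still leaves the acceptance window open to replay, and the nonce cache alone would have to grow without bound, which is why the hardened verifier uses both.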
Prerequisites
- Network access to the KT-1 controller on the LAN, or from the Internet if the device is Internet-accessible
- Ability to observe or intercept network traffic to the KT-1 (requires a network position between user and device, or compromise of the network segment)
- Remotely exploitable
- No authentication required for replay
- Low complexity attack
- Affects access control systems
- Older KT-1 versions (3.01 and below) have no vendor patch planned
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
KT-1 | ≤ 3.01 | 3.04
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to KT-1 controller: place behind firewall, segment from business network, and disable Internet exposure
- WORKAROUND: If remote access to KT-1 is required, use VPN with current security patches; do not expose device directly to Internet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade KT-1 controller to Version 3.04 or later
- HOTFIX: Upgrade EntraPass to Version 8.40 or later
Long-term hardening
- HARDENING: Implement network segmentation to isolate building automation systems from corporate IT network
CVEs (1)