UART Leaking Sensitive Data in dormakaba registration unit 9002 (PIN pad)

Title

UART Leaking Sensitive Data

Product

dormakaba registration unit 9002 (PIN pad)

Vulnerable Version

<SW0039

Fixed Version

SW0039

CVE Number

CVE-2025-59109

Impact

medium

Homepage

https://www.dormakaba.com

Found

18.03.2024

By

Clemens Stockenreitner, Werner Schober (Office Vienna) | SEC Consult Vulnerability Lab

Management Summary

This advisory details multiple critical vulnerabilities affecting dormakabas enterprise grade physical access management systems built on exos 9300, a widely deployed platform for physical access control. When exploited, these flaws could allow an attacker to unlock arbitrary doors through multiple attack paths, reconfigure connected controllers and peripherals without any prior authentication, and gain extensive unauthorized control over physical access infrastructure. The advisories are split into three parts (exos9300, access manager, registration unit). This part covers the registration unit 9002 (PIN pad).

Vendor description

"The Kaba exos 9300 basic system is the cornerstone of your access management solution. Use it to resolves all your basic employees, system, user and peripheral management tasks and initiate targeted security measures as required. [...] "

Source: dormakaba.com

Business recommendation

The vendor provides multiple patches which should be installed immediately. More details can be found at the following locations:

Tested Architecture Overview

The tested system is the enterprise grade physical access system from dormakaba. The tested system consists of the following components:

dormakaba exos 9300

Exos 9300 is a piece of software based on C# running on a central Windows server with an MSSQL, or Oracle database as central storage. Exos consists of multiple modules (e.g. basis, employee management, key depot, access, visitor management, 3rd party management). Exos is used to centrally manage users, keys, cards as well as the configuration of the access manager. Devices in the exos environment are addressed using a special addressing scheme. The address scheme described in the following table is going to be important.

┌────────────────────┬───────────────────────────┬───────────────┬───────────────────────────────────────────┬───────────────────────────┬───────────────────┐
│         I          │            01             │      00       │                    01                     │            00             │        00         │
├────────────────────┼───────────────────────────┼───────────────┼───────────────────────────────────────────┼───────────────────────────┼───────────────────┤
│ Port Type          │ Communication Hub Address │ Port Address  │ Access Hub Address                        │ 00 = Door Manager         │ Datapoint Address │
│ I = Access Manager │ Values: 01-99             │ Values: 00-99 │ Values: 00-99                             │ 01 = Access Point         │ Values: 00-20     │
│ B = Serial         │                           │               │ Fixed to 01 for Access Hubs with Ethernet │ 02 = Turnstile            │                   │
│ C = Modem          │                           │               │                                           │ 03 = IO Controller        │                   │
│ E = Ethernet       │                           │               │                                           │ Fixed to 00 in most cases │                   │
│ R = remote         │                           │               │                                           │                           │                   │
└────────────────────┴───────────────────────────┴───────────────┴───────────────────────────────────────────┴───────────────────────────┴───────────────────┘

dormakaba Access Manager

The access manager is a component that is configured via exos. The configuration between exos and access manager is exchanged via a SOAP interface. Per default the data exchange is unencrypted. Encryption is only available starting with access manager hardware release K7.

The access manager is a custom piece of hardware with multiple inputs and outputs.

The device offers the following interfaces:

  • Digital Inputs
  • 3x DC Output Relays
  • 2x RS-232
  • 1x RS-485 (Used to connect to access manager extension systems e.g. Kaba 9125)
  • 1x RJ45
  • 1x Micro USB
  • 2x Coax (Used to connect registration units e.g. 9001, 9002)

The tested hardware was an access manager 9200-k5 running Windows CE embedded, and an access manager 9200-k7 running Linux.

dormakaba Registration Unit

dormakaba registration units can be either a Legic/Mifare card reader, or a PIN pad used to enter a PIN to deactivate alarming systems, or as an additional authentication.

Electric lock

The lock used for the tested setup is an Assa Abloy/effeff Profix 118. The lock is simply controlled via a relay contact connected to the access manager. As soon as a user successfully authenticates with a registration unit, the relay connected to the lock is switched and the door opens. 

The system is depicted in the following diagram:

          ┌─────────┐                                        
          │         │                                        
          │exos 9300│              ┌──────────┐  ┌──────────┐
          │         │              │ Reg Unit │  │ Pin Pad  │
          └────┬────┘              │   ┌──┐   │  │  x x x   │
               │                   │   │┼┼│   │  │  x x x   │
Ethernet──────►│                   │   └──┘   │  │  x x x   │
               │                   │   9001   │  │   9002   │
          ┌────┴────┐              └─────┬────┘  └─────┬────┘
          │ Access  │                    │             │     
          │ Manager ├────────────────────┴─────────────┘     
          │  9200   │        ▲                               
          └────┬────┘        │                               
               │           Coax                              
               │                                             
  DC Relay───► │                                             
               │                                             
            ┌──┴──┐                                          
            │     │                                          
            │     │                                          
            │     │                                          
            │    ─┤◄──────Electric Lock                      
            │     │                                          
            │     │                                          
            └─────┘

Vulnerability overview/description

1) UART Leaking Sensitive Data (CVE-2025-59109)

The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi).

Proof of concept

1) UART Leaking Sensitive Data (CVE-2025-59109)

To verify that the UART interface actually sends the entered numbers, wires have been soldered to the board of the keypad. Using a baud rate of 57.600, one stop bit and no parity bits, the data keystrokes can be received.

The received output then includes the pressed keys, and the coordinates of the pressed key in the following format. 

1,1324,0395,
5,1294,0386,
8,1290,0398,
6,1294,0388,
6,1294,0403,
E,1304,0374,

Vulnerable / tested versions

All hardware revisions with a firmware version <SW0039, which was the latest version available at the time of the test, are vulnerable.

Vendor contact timeline

2024-04-02 Contacting vendor through securitysupport@dormakaba.com, no response
2024-04-05 Contacting vendor again through securitysupport@dormakaba.com, no response
2024-04-09 Contacting vendor again through info@dormakaba.com and helpdesk.awm.ch@dormakaba.com
2024-04-09 info@dormakaba.com and helpdesk.awm.ch@dormakaba.com informed us that they are not responsible for Austrian "Customers" and we should contact the Austrian dormakaba entity.
2024-04-09 Contacting vendor again through info@dormakaba.com, helpdesk.awm.ch@dormakaba.com and securitysupport@dormakaba.com. Explaining that this is not a local Austrian problem, but a global issue for dormakaba. Requesting a Global Security Contact.
2024-04-09 Instead of forwarding our message to the global security team a local Austrian dormakaba representative called us. We closed the call down by requesting a contact of dormakaba's global security team.
2024-04-09 Austrian representatives requests the advisory via E-Mail. Asking for confirmation, if mail encryption is supported or if the advisory shall be forwarded unencrypted.
2024-04-10 Scheduling a conference call with the Austrian contact to clarify everything and explain the security issues.
2024-04-10 Conference call got cancelled. The Austrian contact forwarded our request to the headquarter in Switzerland.
2024-04-10 dormakaba's CISO contacted us via email and informed us to get back to us as soon as possible.
2024-04-12 dormakaba's DVP Systems Access Control und Owner Security Governance contacted us via email and provided us with a secure channel to submit the advisory. The advisory got submitted immediately.
2024-04-12 dormakaba's DVP Systems Access Control und Owner Security Governance requests details about the tested firmware and software version.
2024-04-15 SEC Consult provides detailed software and firmware version that was tested.
2024-04-16 dormakaba updates us and informs us that they are actively investigating the reported issues.
2024-04-30 Asking for a status update & offering a meeting to discuss any questions.
2024-04-30 dormakaba's CISO replies by accepting our meeting offer. Scheduling a Meeting for 2024-05-07.
2024-05-07 Meeting with dormakaba's CISO and DVP Systems Access Control. All vulnerabilities are confirmed and actively worked on. Discussing further steps and agreeing on a monthly update meeting with dormakaba.
2024-05-08 Providing further details concerning the vulnerabilities as well as providing a set of questions (Vulnerable Versions, Firmware, Revisions), proposing meeting dates; no response
2024-05-23 Asking for a status update, no response
2024-06-03 Asking again for a status update.
2024-06-04 dormakaba's CISO replies with a meeting invite.
2024-06-05 Meeting with dormakaba for the scheduled monthly update meeting.
2024-07-24 Asking again for a status update, no response.
2024-07-31 Asking again for a status update or meeting, no response.
2024-08-19 Asking again for a status update or meeting.
2024-08-27 Scheduling a call for 2024-09-03
2024-09-03 dormakaba technician provides status update about which vulnerabilities are already fixed in the next release and on which they are still actively working on.
2024-11-12 Asking for a status update and informing dormakaba that we tested a newer Hardware release of the dormakaba Access Manager (9200-K7) which is based on Linux. Multiple new critical vulnerabilities were identified. A separate advisory is in the making.
2024-12-12 Meeting with dormakaba to discuss new identified issues in other hardware releases.
2025-01-16 Added vulnerability "Unauthenticated access to the internal SQLite Database" & "Static firmware encryption password", see SEC Consult advisory 20260126-1.
2025-01-17 Providing updated advisory to dormakaba, asking for a status update regarding the other issues.
2025-01-28 Asking for status update again. Vendor responds that they received our updated advisory and they are preparing a feedback.
2025-02 - 2026-01 Monthly meetings with dormakaba to discuss the current developments.
2026-01-26 Public release of the advisory.

Solution

In this specific case there is a hardware replacement needed to fix the vulnerability described above. There is no mechanism available to update the reader firmware. The vulnerability is fixed starting with all hardware revisions equipped with firmware >= SW0039. If readers are installed in unsecured areas, we recommend to replace the hardware.


Review the website provided by dormakaba which was created specifically for all the vulnerabilities documented in this advisory for more details and insights from the manufacturer side. The vendor's security page is available at the following location: https://www.dormakabagroup.com/en/security-advisories 

Workaround

None

Advisory URL

https://sec-consult.com/vulnerability-lab/ 


EOF Clemens Stockenreitner, Werner Schober / @2025

 

Interested to work with the experts of SEC Consult? Send us your application.
Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices.

Back