Researchers hacked Garrett metal detectors

Daniel ZimmermannDecember 22, 2021

0 77 2 minutes read

Cisco Talos experts hacked Garret metal detectors: they found that two of the company’s widely used metal detectors are vulnerable to various remote attacks that can seriously degrade their functionality.

Garrett is a renowned US manufacturer of hand held and arched metal detectors commonly used in locations such as airports, banks, museums, courts, schools, prisons, and more. However, experts have found that Garrett devices have security problems: many vulnerabilities allow attackers to execute commands or read / change information in the Garret iC Module version 5.0, which is a component that provides network connectivity to the Garrett PD 6500i and Garrett MZ 6100 metal detectors.

In their blog, Cisco Talos analysts detail the following issues:

CVE-2021-21901 and CVE-2021-21903 (CVSS: 9.8 points): Stack buffer overflow vulnerabilities that allow an unauthenticated attacker to achieve a buffer overflow using a single specially crafted packet;
CVE-2021-21904 (CVSS 9.1): traversal of the directory in the iC module, allowing a hacker to pass a specially prepared command line argument to the device, which can lead to overwriting of an arbitrary file;
CVE-2021-21905 and CVE-2021-21906 (CVSS: 8.2): two stack buffer overflow errors that can be triggered by downloading a malicious file to the target device and forcing the system to call readfile;
CVE-2021-21902 (CVSS 7.5): bypassing the authentication in the CMA run_server of the iC module, allowing to start a network connection at a set time using a sequence of requests, which leads to a session hijacking;
CVE-2021-21908 and CVE-2021-21909 (CVSS 6.0): directory traversal to delete files on the target device by sending command line arguments;
CVE-2021-21907 (CVSS: 4.9): traversing a directory to include a local file using a special command line argument.

In the case of the most dangerous vulnerabilities, CVE-2021-21901 and CVE-2021-21903, the iC module provides a discovery service on UDP port 6977. That is, exploitation of problems is possible through sending specially formatted UDP packets that will force the device to share confidential information in response. Using the data obtained in this way, an attacker can create a UDP packet with a sufficiently long CRC field, which will lead to a buffer overflow and allow remote execution of arbitrary code.

An attacker can manipulate the iC module to remotely track statistics on a metal detector, for example, to find out if an alarm has been triggered and how many visitors have passed through the device. Attackers can also make changes to the configuration, for example, change the level of sensitivity, which potentially poses a security threat to users who rely on these metal detectors.<span class="su-quote-cite">the experts warned.</span>

Researchers notified the manufacturer of all discovered deficiencies back on August 17, 2021, and the company finally released patches in mid-December 2021. Garrett Arch Administrators are now strongly encouraged to update their software as soon as possible.

Let me remind you that we talked about what Microsoft said that since May 2021, the Nobelium group hacked at least 14 IT companies, and also that Hackers hacked a company that is engaged in routing SMS operators in the United States.

Sending