A security research firm says it discovered an “easily” exploitable vulnerability in a door entry security system used in government buildings and apartment complexes, but warns that the vulnerability cannot be fixed.
Norwegian security company Promon says the bug affects several Aiphone GT models that use NFC technology, often found in contactless credit cards, and allows bad actors to potentially gain access to sensitive facilities by brute-forcing the door entry system’s security code.
Door entry systems allow secure access to buildings and residential complexes, but have become increasingly digitized, making them vulnerable to both physical and remote compromise.
Aiphone counts both the White House and the U.K. Parliament as customers of the affected systems, according to company brochures seen by TechCrunch.
Promon security researcher Cameron Lowell Palmer said a would-be intruder can use an NFC-capable mobile device to rapidly cycle through every permutation of a four-digit “admin” code used to secure each Aiphone GT door system. Because the system does not limit how many times a code can be tried, Palmer said it takes only minutes to cycle through each of the 10,000 possible four-digit codes used by the door entry system. That code can be punched into the system’s keypad, or transmitted to an NFC tag, allowing bad actors to potentially access restricted areas without having to touch the system at all.
In a video shared with TechCrunch, Palmer built a proof-of concept Android app that allowed him to check every four-digit code on a vulnerable Aiphone door entry system in his test lab. Palmer said the affected Aiphone models do not store logs, allowing a bad actor to bypass the system’s security without leaving a digital trace.
Palmer disclosed the vulnerability to Aiphone in late June 2021. Aiphone told the security company that systems manufactured before December 7, 2021 are affected and cannot be updated, but that systems after this date have a software fix that limits the rate of door entry attempts.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
It’s not the only bug that Promon discovered in the Aiphone system. Promon also said it discovered that the app used to set up the door entry system offers an unencrypted, plaintext file that contains the administrator code for the system’s back-end portal. Promon said that could allow an intruder to also access the information needed to access restricted areas.
Aiphone spokesperson Brad Kemcheff did not respond to requests for comment sent prior to publication.
Relatedly, a university student and security researcher earlier this year discovered a “master key” vulnerability in a widely used door entry system built by CBORD, a tech company that provides access control and payment systems to hospitals and university campuses. CBORD fixed the bug after the researcher reported the issue to the company.
Security flaws in a popular smart home hub let hackers unlock front doors
