Hannah Robbins and Scott Brink, two student interns at IBM division X-Force Red set out to study potential vulnerabilities in sign-in reception kiosks, found at many offices and retailers, and discovered 19 bugs in kiosks from industry leaders Jolly Technologies, HID Global, Threshold Security, Envoy, and The Receptionist (the vendors say they have now patched these bugs).
The defects the interns discovered variously allowed attackers to dump the full contents of the reception system's databases (including Social Security Numbers and scanned driver's licenses), overwrite/delete/alter entries for previous visitors, and more.
Though the interns did yeoman work in surfacing these defects, the fact that a pair of relatively junior security practitioners were able to find all these showstopper bugs bodes ill for the whole category, which has not been subject to much independent scrutiny (yet).
I encounter these systems often, including in places like doctor's offices and schools, which sometimes ask you to scan sensitive IDs and input other sensitive information. I'd always had a bad feeling about them, so it's a little alarming to get hard data to support that impressionistic anxiety.
Crawley says he would like to look more deeply in the future at visitor management systems that integrate with RFID door locks and can directly issue badges. Compromising one of those would not only potentially give an attacker extensive physical access within a target organization, but could also enable other digital compromises across the victim’s networks. And researchers have certainly found vulnerabilities in electronic access control systems over the years, and continue to.
“This was sort of scratch the surface kind of stuff,” Crawley says. But he adds that the bugs the interns found in just a few weeks say a lot about what else might be lurking on these crucial and interconnected systems. “One of the reasons I was excited for somebody to do this project is because I knew going in that it was going to be a bloodbath.”
Stranger Danger: X-Force Red Finds 19 Vulnerabilities in Visitor Management Systems [Daniel Crowley/Security Intelligence]
The Overlooked Security Threat of Sign-In Kiosks [Lily Hay Newman/Wired]