SecurityWeek

Mobile & Wireless

Hardcoded Password Exposes RSA Conference Badge Scanning App

SAN FRANCISCO – RSA CONFERENCE 2016 – Researchers at Bluebox Security discovered that the badge scanning application provided by RSA Conference organizers to vendors is plagued by a security bypass flaw.

At the 2016 RSA Conference, which is taking place this week in San Francisco, many vendors were provided with Samsung Galaxy S4 smartphones that run an Android app that allows companies to keep track of booth visitors by scanning their badges. The scanning devices run in what is known as “kiosk mode,” which means they cannot be used for anything except scanning badges, unless the app administrator unlocks it using a password.

Researchers at Bluebox Security downloaded a copy of the badge scanning app from Google Play and, after analyzing its code, they discovered that this security mechanism can be bypassed because developers embedded a default password in the application’s code in plain text.

“When we used that passcode we were able to gain access to the kiosk app’s settings. This, in turn, let us gain access to the device’s system settings, which then enabled us to put the device into developer mode to gain full access to the device,” Bluebox Security researchers explained. “This is concerning because if we can do this, an attacker can too, letting them root the device, pull any data off of it, or install malware to steal even more data.”

“We speculate that the default code embedded in the app is there as a mechanism so that the device can still be managed even if the admin’s custom passcode is lost. However, it is a poor developer practice to embed passwords into an app’s shipped code, especially un-encrypted and un-obfuscated,” experts noted.
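The practice Bluebox criticizes is easy to see side by side with the alternative. The following is an added example, not code from the badge scanning app or from Bluebox: the vulnerable pattern is a kiosk unlock check with a plaintext default passcode compiled in, and the hardened pattern stores only a salted PBKDF2 hash of the passcode the administrator set, with no fallback credential anywhere in the code. The placeholder passcode value, the 200,000-iteration cost parameter and the minimum length are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# --- Vulnerable pattern -------------------------------------------------
# Constructed illustration of the flaw described in the article: a default
# passcode embedded in the shipped code in plain text. The value below is a
# placeholder, not the passcode Bluebox found.
HARDCODED_DEFAULT_PASSCODE = "0000"  # placeholder, assumed for the example


def unlock_vulnerable(entered: str, admin_passcode: str) -> bool:
    """Unlock check with a baked-in fallback. Anyone who decompiles the app
    and reads the constant gets the same access as the administrator,
    regardless of what passcode the admin configured."""
    return entered == admin_passcode or entered == HARDCODED_DEFAULT_PASSCODE


# --- Hardened pattern ---------------------------------------------------
PBKDF2_ITERATIONS = 200_000   # assumed cost parameter
MIN_PASSCODE_LENGTH = 6       # assumed policy


class KioskLock:
    """Holds only a per-device salt and a PBKDF2-SHA256 digest of the
    admin-set passcode. Nothing in the class, or in the code that uses it,
    can unlock the kiosk without knowing that passcode."""

    def __init__(self, salt: bytes, digest: bytes):
        self._salt = salt
        self._digest = digest

    @staticmethod
    def _derive(passcode: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", passcode.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )

    @classmethod
    def from_passcode(cls, passcode: str) -> "KioskLock":
        """Provision the lock with a passcode chosen by the administrator."""
        if len(passcode) < MIN_PASSCODE_LENGTH:
            raise ValueError("passcode too short")
        salt = secrets.token_bytes(16)
        return cls(salt, cls._derive(passcode, salt))

    def verify(self, entered: str) -> bool:
        """Constant-time comparison of the derived digest; no default path."""
        candidate = self._derive(entered, self._salt)
        return hmac.compare_digest(candidate, self._digest)

    def rotate(self, current: str, new_passcode: str) -> bool:
        """Change the passcode; requires proving knowledge of the current one."""
        if not self.verify(current):
            return False
        fresh = KioskLock.from_passcode(new_passcode)
        self._salt, self._digest = fresh._salt, fresh._digest
        return True

    def to_record(self) -> dict:
        """Serialisable form for the device's private app storage."""
        return {"salt": self._salt.hex(), "digest": self._digest.hex()}

    @classmethod
    def from_record(cls, record: dict) -> "KioskLock":
        return cls(bytes.fromhex(record["salt"]), bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    # Constructed demo values.
    print("vulnerable, default passcode accepted:",
          unlock_vulnerable(HARDCODED_DEFAULT_PASSCODE, "let-me-in-482913"))
    lock = KioskLock.from_passcode("482913")
    print("hardened, correct passcode:", lock.verify("482913"))
    print("hardened, default passcode:", lock.verify(HARDCODED_DEFAULT_PASSCODE))
```

The hardened version deliberately has no answer to "what if the admin forgets the passcode": that case belongs to an out-of-band process (re-enrolling the device through the management tooling, or wiping and re-provisioning it), not to a second credential shipped in the binary, because any credential shipped in the binary is available to whoever downloads the app from the store.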

Bluebox said the RSA Conference badge scanning application was developed by an unnamed third party.

This is not the first time experts have found vulnerabilities in RSA Conference mobile applications. In 2014, IOActive reported uncovering a half-dozen flaws in the RSA Conference Android app, including man-in-the-middle and information disclosure issues.

While vulnerabilities in these types of applications might not pose a serious risk, such incidents demonstrate that many mobile apps, including ones developed for security companies, can be insecure.


“With the growing focus on mobile, enterprise CIOs are under pressure to accommodate end-user demands—provisioning secure apps to lines of business and partners, and ensuring fast time to market for customer facing apps,” Adam Ely, founder and COO of Bluebox, said in a recent SecurityWeek column. “As a result, a host of mobile application development platforms (MADP) and rapid mobile application development (RMAD) tools that facilitate app creation have emerged—there are now nearly 90 choices—that make it easier for the technical and non-technical alike to create apps. Now that anyone can create a mobile app, this has led to inconsistency in the security knowledge of a mobile app ‘developer’.”

“This variability in security knowledge, use of outsourced development houses, coupled with time to market pressures that favor usability over security features, results in less secure apps,” Ely added.

*Updated to clarify that the app was developed by a third party

Related: Users Lax on Mobile Security – Survey

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
