Hardcoded Password Exposes RSA Conference Badge Scanning App

SAN FRANCISCO – RSA CONFERENCE 2016 – Researchers at Bluebox Security discovered that the badge scanning application provided by RSA Conference organizers to vendors is plagued by a security bypass flaw.

At the 2016 RSA Conference, which is taking place this week in San Francisco, many vendors were provided with Samsung Galaxy S4 smartphones that run an Android app that allows companies to keep track of booth visitors by scanning their badges. The scanning devices run in what is known as “kiosk mode,” which means they cannot be used for anything except scanning badges, unless the app administrator unlocks it using a password.

Researchers at Bluebox Security downloaded a copy of the badge scanning app from Google Play and, after analyzing its code, they discovered that this security mechanism can be bypassed because developers embedded a default password in the application’s code in plain text.

“When we used that passcode we were able to gain access to the kiosk app’s settings. This, in turn, let us gain access to the device’s system settings, which then enabled us to put the device into developer mode to gain full access to the device,” Bluebox Security researchers explained. “This is concerning because if we can do this, an attacker can too, letting them root the device, pull any data off of it, or install malware to steal even more data.”

“We speculate that the default code embedded in the app is there as a mechanism so that the device can still be managed even if the admin’s custom passcode is lost. However, it is a poor developer practice to embed passwords into an app’s shipped code, especially un-encrypted and un-obfuscated,” experts noted.
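The pattern Bluebox describes, a shipped default passcode that works on every device regardless of the admin's custom one, beside a hardened alternative, as an added illustration in Python. This is not the RSA Conference app's code (Bluebox did not publish it); the class names, the `0000` default, the PBKDF2 parameters and the escrowed per-device recovery key are assumptions made for the example.

```python
"""
Hypothetical kiosk-unlock logic: the hardcoded-default pattern beside a
hardened version. Constructed illustration, not the RSAC badge app's code.
"""
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical default shipped inside the app. Anyone who decompiles the
# APK reads it, and it unlocks every device in the fleet.
DEFAULT_PASSCODE = "0000"


class VulnerableKiosk:
    """Admin passcode plus a hardcoded fallback that never changes."""

    def __init__(self, admin_passcode: str) -> None:
        self.admin_passcode = admin_passcode

    def unlock(self, entered: str) -> bool:
        # The admin's custom passcode is irrelevant once DEFAULT_PASSCODE is known.
        return entered == self.admin_passcode or entered == DEFAULT_PASSCODE


class HardenedKiosk:
    """No default passcode: salted PBKDF2 digest, lockout, per-device recovery."""

    ITERATIONS = 100_000   # assumed work factor
    MAX_FAILURES = 5

    def __init__(self) -> None:
        self._salt: Optional[bytes] = None
        self._digest: Optional[bytes] = None
        self._failures = 0
        self._recovery_key: Optional[bytes] = None
        self._pending_nonce: Optional[bytes] = None

    def provision(self, admin_passcode: str) -> bytes:
        """Admin sets the passcode at enrollment. Only a salted digest stays on
        the device. Returns a random per-device recovery key for the fleet
        backend to escrow (assumed deployment model) instead of a shared
        default baked into the app."""
        self._set_passcode(admin_passcode)
        self._recovery_key = os.urandom(32)
        return self._recovery_key

    def _set_passcode(self, passcode: str) -> None:
        self._salt = os.urandom(16)
        self._digest = hashlib.pbkdf2_hmac(
            "sha256", passcode.encode(), self._salt, self.ITERATIONS)
        self._failures = 0

    def unlock(self, entered: str) -> bool:
        if self._digest is None or self._salt is None:
            return False  # unprovisioned device stays locked; no fallback code
        if self._failures >= self.MAX_FAILURES:
            return False  # locked out until recovery
        candidate = hashlib.pbkdf2_hmac(
            "sha256", entered.encode(), self._salt, self.ITERATIONS)
        ok = hmac.compare_digest(candidate, self._digest)  # constant-time compare
        self._failures = 0 if ok else self._failures + 1
        return ok

    def begin_recovery(self) -> bytes:
        """Lost-passcode path: hand out a fresh nonce for a challenge-response."""
        self._pending_nonce = os.urandom(16)
        return self._pending_nonce

    def finish_recovery(self, response: bytes, new_passcode: str) -> bool:
        """Accept HMAC(recovery_key, nonce) from the backend, then reset the passcode."""
        if self._recovery_key is None or self._pending_nonce is None:
            return False
        expected = hmac.new(self._recovery_key, self._pending_nonce, "sha256").digest()
        self._pending_nonce = None  # single use, whether or not it matches
        if not hmac.compare_digest(expected, response):
            return False
        self._set_passcode(new_passcode)
        return True


def backend_recovery_response(escrowed_key: bytes, nonce: bytes) -> bytes:
    """Stand-in for the fleet backend answering one device's recovery challenge."""
    return hmac.new(escrowed_key, nonce, "sha256").digest()


if __name__ == "__main__":
    weak = VulnerableKiosk("7319")
    print("vulnerable kiosk accepts shipped default:", weak.unlock(DEFAULT_PASSCODE))
    strong = HardenedKiosk()
    key = strong.provision("7319")
    print("hardened kiosk accepts shipped default:", strong.unlock(DEFAULT_PASSCODE))
    nonce = strong.begin_recovery()
    print("recovery with escrowed key:",
          strong.finish_recovery(backend_recovery_response(key, nonce), "2468"))
```

The point of the recovery path is that the legitimate need Bluebox speculates about (regaining control of a device whose admin passcode was lost) does not require a secret that is identical on every device and recoverable from the APK; a per-device key held by the fleet owner serves the same purpose without giving every attendee who decompiles the app a master key.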

Bluebox said the RSA Conference badge scanning application was developed by an unnamed third party.

This is not the first time experts have found vulnerabilities in RSA Conference mobile applications. In 2014, IOActive reported uncovering a half-dozen flaws in the RSA Conference Android app, including man-in-the-middle and information disclosure issues.

While a vulnerability in a badge scanning app is unlikely to pose a serious risk on its own, the devices do hold the attendee data they scan, and such incidents demonstrate that many mobile apps, including ones developed for security companies, can be insecure.

“With the growing focus on mobile, enterprise CIOs are under pressure to accommodate end-user demands—provisioning secure apps to lines of business and partners, and ensuring fast time to market for customer facing apps,” Adam Ely, founder and COO of Bluebox, said in a recent SecurityWeek column. “As a result, a host of mobile application development platforms (MADP) and rapid mobile application development (RMAD) tools that facilitate app creation have emerged—there are now nearly 90 choices—that make it easier for the technical and non-technical alike to create apps. Now that anyone can create a mobile app, this has led to inconsistency in the security knowledge of a mobile app ‘developer’.”

“This variability in security knowledge, use of outsourced development houses, coupled with time to market pressures that favor usability over security features, results in less secure apps,” Ely added.

*Updated to clarify that the app was developed by a third party

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
