Hardcoded Password Exposes RSA Conference Badge Scanning App

SAN FRANCISCO – RSA CONFERENCE 2016 – Researchers at Bluebox Security discovered that the badge scanning application provided by RSA Conference organizers to vendors is plagued by a security bypass flaw.

At the 2016 RSA Conference, which is taking place this week in San Francisco, many vendors were provided with Samsung Galaxy S4 smartphones that run an Android app that allows companies to keep track of booth visitors by scanning their badges. The scanning devices run in what is known as “kiosk mode,” which means they cannot be used for anything except scanning badges, unless the app administrator unlocks it using a password.

Researchers at Bluebox Security downloaded a copy of the badge scanning app from Google Play and, after analyzing its code, they discovered that this security mechanism can be bypassed because developers embedded a default password in the application’s code in plain text.

“When we used that passcode we were able to gain access to the kiosk app’s settings. This, in turn, let us gain access to the device’s system settings, which then enabled us to put the device into developer mode to gain full access to the device,” Bluebox Security researchers explained. “This is concerning because if we can do this, an attacker can too, letting them root the device, pull any data off of it, or install malware to steal even more data.”

“We speculate that the default code embedded in the app is there as a mechanism so that the device can still be managed even if the admin’s custom passcode is lost. However, it is a poor developer practice to embed passwords into an app’s shipped code, especially un-encrypted and un-obfuscated,” experts noted.

Bluebox said the RSA Conference badge scanning application was developed by an unnamed third party.

This is not the first time experts have found vulnerabilities in RSA Conference mobile applications. In 2014, IOActive reported uncovering half-dozen flaws in the RSA Conference Android app, including man-in-the-middle and information disclosure issues.

While vulnerabilities in these types of applications might not pose a serious risk, such incidents demonstrate that many mobile apps, including ones developed for security companies, can be insecure.

“With the growing focus on mobile, enterprise CIOs are under pressure to accommodate end-user demands—provisioning secure apps to lines of business and partners, and ensuring fast time to market for customer facing apps,” Adam Ely, founder and COO of Bluebox, said in a recent SecurityWeek column. “As a result, a host of mobile application development platforms (MADP) and rapid mobile application development (RMAD) tools that facilitate app creation have emerged—there are now nearly 90 choices—that make it easier for the technical and non-technical alike to create apps. Now that anyone can create a mobile app, this has led to inconsistency in the security knowledge of a mobile app ‘developer’.”

“This variability in security knowledge, use of outsourced development houses, coupled with time to market pressures that favor usability over security features, results in less secure apps,” Ely added.

*Updated to clarify that the app was developed by a third party

Related: Users Lax on Mobile Security – Survey