Connect with us

Hi, what are you looking for?



Unpatched Flaws in Building Access System Allow Hackers to Create Fake Badges

Researchers discovered that a popular building access control system made by IDenticard contains vulnerabilities that can be exploited to create fake badges, disable door locks, and obtain or modify user data.

Researchers discovered that a popular building access control system made by IDenticard contains vulnerabilities that can be exploited to create fake badges, disable door locks, and obtain or modify user data.

IDenticard is a US-based provider of ID, access and security solutions. On its website, the company says it has tens of thousands of customers around the world, including Fortune 500 companies, educational institutions, medical centers, factories, and government agencies.

PremiSys is an access control and photo ID solution that provides organizations a wide range of features for a comprehensive access control program, including for granting or restricting access to specific doors, locking down facilities, controlling door alarms, viewing integrated surveillance video, and creating detailed reports.

Researchers at Tenable discovered that the product is affected by several potentially serious vulnerabilities. One of them is related to the existence of a hardcoded backdoor account that can give an attacker admin access to the service. This access can be leveraged to enter the badge system database and modify its content.

The cybersecurity firm’s experts also discovered that PremiSys stores credentials and other sensitive data using a hashing method that is known to be weak.

They also noticed that backups and the database installed by the IDenticard service are protected by default passwords that are easy to obtain and which cannot be changed by the user.

The CVE identifiers CVE-2019-3906 through CVE-2019-3909 have been assigned to these vulnerabilities.

Advertisement. Scroll to continue reading.

Tenable warned that an attacker could exploit these security holes to covertly enter buildings by creating fake badges and disabling door locks. An attacker could also download the entire content of the user database, and modify or delete data.

However, the company has clarified for SecurityWeek that conducting an attack requires access to the network housing the badge system as these servers are unlikely to be accessible directly from the Internet.

“If an attacker needed physical access to a building, they could theoretically add themselves to a badge system to get past security, and either disable locks on demand or simply give themselves entry rights to things they otherwise wouldn’t have,” Tenable’s research team said via email.

Tenable says it has been attempting to report its findings to the vendor since early October, including through CERT/CC, but received no response. Since more than 90 days have passed since the first attempt, Tenable has made its findings public, even if there don’t appear to be any patches.

Tenable has tested its findings on version 3.1.190 of the PremiSys software. Version 3.2 was released in May 2018, but the cybersecurity firm believes the latest versions of the product are affected as well.

SecurityWeek has reached out to IDenticard for comment and will update this article if the company responds.

UPDATED. IDenticard has provided the following statement:

We take the issues identified by Tenable, a leading third party cyber security research company, seriously and are looking to incorporate their feedback into our ongoing product development cycle. PremiSys™ System software is constantly evolving and we appreciate the diligence Tenable outlined in their messages to us.


At IDenticard, we pride ourselves in listening and responding to our customers. Regrettably, we overlooked the communication attempts from Tenable. This is unacceptable for us and we are currently reviewing our inbound communication practices to ensure it does not happen in the future. We welcome further communication from Tenable regarding this matter.


The safety and security of our customers is our first priority. As a global leader in security and identification solutions, IDenticard is committed to continuous improvement and addressing customer concerns. As part of our ongoing agile software development process, we anticipate releasing improvements in the near term and will keep our customers updated with how those improvements address Tenable’s concerns.

Related: Sauter Quickly Patches Flaw in Building Automation Software

Related: Critical Flaws Expose ABB Door Communication Systems to Attacks

Related: Hotel Rooms Around the World Susceptible to Silent Breach

Related: Flaw in Fingerprint Access Devices Could Make It Easy to Open Doors

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...