Researchers discovered that a popular building access control system made by IDenticard contains vulnerabilities that can be exploited to create fake badges, disable door locks, and obtain or modify user data.
IDenticard is a US-based provider of ID, access and security solutions. On its website, the company says it has tens of thousands of customers around the world, including Fortune 500 companies, educational institutions, medical centers, factories, and government agencies.
PremiSys is an access control and photo ID solution that provides organizations a wide range of features for a comprehensive access control program, including for granting or restricting access to specific doors, locking down facilities, controlling door alarms, viewing integrated surveillance video, and creating detailed reports.
Researchers at Tenable discovered that the product is affected by several potentially serious vulnerabilities. One of them is related to the existence of a hardcoded backdoor account that can give an attacker admin access to the service. This access can be leveraged to enter the badge system database and modify its content.
The cybersecurity firm’s experts also discovered that PremiSys stores credentials and other sensitive data using a hashing method that is known to be weak.
They also noticed that the backups and the database installed by the IDenticard service are protected by default passwords that are easy to obtain and that cannot be changed by the user.
The CVE identifiers CVE-2019-3906 through CVE-2019-3909 have been assigned to these vulnerabilities.
Tenable warned that an attacker could exploit these security holes to covertly enter buildings by creating fake badges and disabling door locks. An attacker could also download the entire content of the user database, and modify or delete data.
However, the company clarified to SecurityWeek that conducting an attack requires access to the network housing the badge system, as these servers are unlikely to be accessible directly from the Internet.
“If an attacker needed physical access to a building, they could theoretically add themselves to a badge system to get past security, and either disable locks on demand or simply give themselves entry rights to things they otherwise wouldn’t have,” Tenable’s research team said via email.
Tenable says it has been attempting to report its findings to the vendor since early October, including through CERT/CC, but received no response. Since more than 90 days have passed since the first attempt, Tenable has made its findings public, even though no patches appear to be available.
Tenable tested its findings on version 3.1.190 of the PremiSys software. Version 3.2 was released in May 2018, but the cybersecurity firm believes the latest versions of the product are affected as well.
SecurityWeek has reached out to IDenticard for comment and will update this article if the company responds.
UPDATED. IDenticard has provided the following statement:
We take the issues identified by Tenable, a leading third-party cyber security research company, seriously and are looking to incorporate their feedback into our ongoing product development cycle. PremiSys™ System software is constantly evolving and we appreciate the diligence Tenable outlined in their messages to us.
At IDenticard, we pride ourselves on listening and responding to our customers. Regrettably, we overlooked the communication attempts from Tenable. This is unacceptable for us and we are currently reviewing our inbound communication practices to ensure it does not happen in the future. We welcome further communication from Tenable regarding this matter.
The safety and security of our customers is our first priority. As a global leader in security and identification solutions, IDenticard is committed to continuous improvement and addressing customer concerns. As part of our ongoing agile software development process, we anticipate releasing improvements in the near term and will keep our customers updated with how those improvements address Tenable’s concerns.