Walk-through metal detectors made by Garrett are affected by potentially serious vulnerabilities that can be exploited to hack the devices and alter their configuration.
The metal detection products and services provided by Texas-based Garrett are sold in more than 100 countries around the world, including in Europe, the Middle East and Australia. Its metal detectors are deployed in stadiums, event venues, schools, courthouses, hospitals, prisons, and government buildings.
The vendor was notified about the vulnerabilities in August and patches were released on December 13, Talos said.
Talos has disclosed the details of seven vulnerabilities discovered in the iC Module, including five that have been assigned a critical or high severity rating.
Three of the security holes can be exploited without authentication by sending a specially crafted packet to the device, allowing the attacker to execute arbitrary code.
The affected product is designed to enable remote users to obtain information on alarms and visitor counts, as well as to make configuration changes to the metal detector. An attacker could abuse this functionality after exploiting the vulnerabilities.
“An attacker could manipulate this module to remotely monitor statistics on the metal detector, such as whether the alarm has been triggered or how many visitors have walked through,” Talos explained in a blog post. “They could also make configuration changes, such as altering the sensitivity level of a device, which potentially poses a security risk to users who rely on these metal detectors.”
Three of the remaining flaws have been described as path traversal issues that allow an authenticated attacker to read, write or delete files from a device, and one is an authentication-related race condition that can be exploited to hijack an authenticated user’s session.
While some of the vulnerabilities can be exploited without authentication, Nick Biasini, head of outreach for Cisco Talos, told SecurityWeek that in the course of their investigation they did not find any devices exposed to the internet through services such as Shodan, which means an attacker would require local network access for exploitation.
The vendor has released firmware updates that patch the vulnerabilities, but it’s up to the customer to ensure that the patches are deployed on their devices. SecurityWeek has reached out to Garrett to find out if customers have been notified about these vulnerabilities, but we have yet to hear back.
UPDATE 12/22/2021: Garrett has provided SecurityWeek the following statement:
The vulnerability described in the Cisco Talos report is limited to Garrett Walk Through Metal Detectors which are equipped with an accessory network interface appliance known as the CMA or IC Module. The deployment of these modules is very limited and therefore this vulnerability exists in only a relatively small population of the installed Garrett metal detectors. There is no vulnerability to products that do not have this appliance installed and/or are not connected to a network.
In response to the Cisco report, Garrett has successfully developed a patch that can be installed by the customer. Cisco has certified that the patch resolves the reported vulnerabilities.
Garrett will be contacting customers who have purchased the product with information about the patch.
Anyone wanting information or assistance should contact Garrett at 800-234-6151 or via email at security@garrett.com.
Related: Serious Vulnerabilities Found in Wi-Fi Module Designed for Critical Industrial Applications
Related: Cisco Discloses Details of Critical Advantech Router Tool Vulnerabilities