A critical vulnerability impacting multiple IDEMIA biometric identification devices can be exploited to unlock doors and turnstiles.
Because of this security defect, if the TLS protocol is not activated, an attacker in the network can send specific commands without authentication to open doors or turnstiles directly operated by a vulnerable device.
The attacker could also exploit the bug to cause a denial of service (DoS) condition by sending a reboot command to the vulnerable device, according to an advisory published by IDEMIA, a France-based tech company that specializes in identity-related physical security services.
Identified by researchers at Russian cybersecurity firm Positive Technologies – which was sanctioned by the United States last year for alleged ties with Russian intelligence – the flaw has a CVSS score of 9.1, yet no CVE identification number has been issued for it until now.
Affected products include MorphoWave Compact MD/MDPI/MDPI-M, VisionPass MD/MDPI/MDPI-M, all variants of SIGMA Lite/Lite+/Wide, SIGMA Extreme, and MA VP MD.
The issue impacts all organizations relying on vulnerable IDEMIA biometric identification devices, including critical infrastructure facilities, financial institutions, healthcare organizations, and universities.
“Activation, proper configuration of TLS protocol and installation of the TLS certificate on the device fixes the aforementioned vulnerability,” IDEMIA says.
The company plans to enforce the use of TLS by default in future firmware releases for the impacted devices, to completely eliminate the risk of biometric identification bypass.
“The vulnerability has been identified in several lines of biometric readers for the IDEMIA ACS equipped with fingerprint scanners and combined devices that analyze fingerprints and vein patterns. An attacker can potentially exploit the flaw to enter a protected area or disable access control systems,” Vladimir Nazarov, head of ICS Security at Positive Technologies, says.
Related: Diebold Nixdorf ATM Flaws Allowed Attackers to Modify Firmware, Steal Cash
Related: Intel CPU Vulnerability Can Expose Cryptographic Keys
Related: WAGO Controller Flaws Can Allow Hackers to Disrupt Industrial Processes
More from Ionut Arghire
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- Latitude Financial Services Data Breach Impacts 300,000 Customers
Latest News
- Google Suspends Chinese Shopping App Amid Security Concerns
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
