The Overlooked Security Threat of Sign-In Kiosks
Credit to Author: Lily Hay Newman| Date: Mon, 04 Mar 2019 11:00:00 +0000
Daniel Crowley has a long list of software platforms, computers, and internet-of-things devices that he suspects he could hack. As research director of IBM’s offensive security group X-Force Red, Crowley's job is to follow his intuition about where digital security risks and threats may be lurking and expose them so they can be fixed. But so many types of computing devices are vulnerable in so many ways, he can’t chase down every lead himself. So he does what any self-respecting research director would do: He hires interns, two of whom have found a slew of bugs in software platforms that offices rely on every day.
On Monday, IBM is publishing findings on vulnerabilities in five “visitor management systems,” the digital sign-in portals that often greet you at businesses and facilities. Companies buy visitor management software packs and set them up on PCs or mobile devices like tablets. But X-Force interns Hannah Robbins and Scott Brink found flaws—now mostly patched—in all five mainstream systems they looked at from the visitor management companies Jolly Technologies, HID Global, Threshold Security, Envoy, and The Receptionist. If you had signed in on one of these systems, an attacker could've potentially nabbed your data or impersonated you in the system.
“There’s this moment of surprise when you start assessing real products, real devices, real software and see just how bad certain things are,” Crowley says. “These systems would leak information or not properly authenticate a person, or would allow an attacker to break out of the kiosk environment and control the underlying systems to plant malware or access data.”
The systems X-Force Red analyzed don’t integrate directly with systems that print access badges, which would have been an even greater security concern. Still, the researchers found vulnerabilities that endangered sensitive data and created security exposures.
"I knew going in that it was going to be a bloodbath."
Daniel Crowley, IBM
The very nature of visitor management systems is partly to blame. Unlike the remote access attacks most organizations anticipate and attempt to block, a hacker could easily approach a visitor management system with a tool like a USB stick set up to automatically exfiltrate data or install remote-access malware. Even without an accessible USB port, attackers could use other techniques, like Windows keyboard shortcuts, to quickly gain control. And while faster is always better for an attack, it would be relatively easy to stand at a sign-in kiosk for a few minutes without attracting any suspicion.
Among the mobile products the researchers looked at, The Receptionist had a bug that could potentially expose users’ contact data to an attacker. Envoy Passport exposed system access tokens that could be used to both read data and write, or input, data.
"IBM X-Force Red discovered two vulnerabilities, but customer and visitor data was never at risk," Envoy wrote in a statement. "Worst case, these issues could cause inaccurate data to be added to the systems we use to monitor how our software is performing." The Receptionist did not provide comment by deadline.
Among the PC software packs, EasyLobby Solo by HID Global had access issues that could allow an attacker to take control of the system and potentially steal Social Security numbers. And eVisitorPass by Threshold Security had similar access issues and guessable default administrator credentials.
"HID Global has developed a fix to the vulnerabilities that a team of security researchers at IBM identified in HID’s EasyLobby Solo, an entry-level, single-workstation visitor management product," HID Global said in a statement. "It is important to note that the installed base of EasyLobby Solo is extremely small worldwide. HID has identified all customers who are using the older EasyLobby Solo version of software, and the company is actively contacting them in order to inform and guide them on implementing the fix." Threshold Security did not comment by deadline.
IBM found a whopping seven bugs in a product called Lobby Track Desktop made by Jolly Technologies. An attacker could approach a Lobby Track kiosk and easily gain access to a record-query tool that can be manipulated to dump the system’s whole database of past visitor sign-in records, potentially including driver’s license numbers. Of the five companies IBM contacted to disclose vulnerabilities, only Jolly Technologies did not issue patches, because, the company says, all seven issues can be mitigated through system configuration changes.
"All of the self-serve issues described by the IBM security group can be addressed through simple configuration," Jolly Technologies customer relations manager Donnie Lytle wrote in a statement. "We leave the 'kiosk mode' configuration open so that users can customize the software to meet their specific needs. All settings and options are covered during presales demonstrations, customer testing, and installation with support technicians."
Crowley says he is glad these options exists but points out that it is very rare for users to deviate from default configurations unless they are specifically trying to enable a certain feature.
In general, the researchers point out that many visitor management systems position themselves as security products without actually offering visitor authentication mechanisms. “If you’re a system that’s supposed to identify people as trusted visitors, you should probably demand proof like a QR code or a password to prove that people are who they say they are. But the systems that we researched were kind of just a glorified log book.”
Crowley says he would like to look more deeply at visitor management systems that integrate with RFID door locks and can directly issue badges. Compromising one of those would not only potentially give an attacker extensive physical access within a target organization but could also enable other digital compromises across the victim’s networks. Tesearchers have certainly found vulnerabilities in electronic access control systems over the years, and continue to.
“This was sort of scratch-the-surface kind of stuff,” Crowley says. But he adds that the bugs the interns found in just a few weeks say a lot about what else might be lurking on these crucial and interconnected systems. “One of the reasons I was excited for somebody to do this project is because I knew going in that it was going to be a bloodbath.”