Unpatched Flaws in Building Access System Allow Hackers to Create Fake Badges
Researchers discovered that a popular building access control system made by IDenticard contains vulnerabilities that can be exploited to create fake badges, disable door locks, and obtain or modify user data.
IDenticard is a US-based provider of ID, access and security solutions. On its website, the company says it has tens of thousands of customers around the world, including Fortune 500 companies, educational institutions, medical centers, factories, and government agencies.
PremiSys is an access control and photo ID solution that gives organizations a wide range of features for a comprehensive access control program, including granting or restricting access to specific doors, locking down facilities, controlling door alarms, viewing integrated surveillance video, and creating detailed reports.
Researchers at Tenable discovered that the product is affected by several potentially serious vulnerabilities. One of them is related to the existence of a hardcoded backdoor account that can give an attacker admin access to the service. This access can be leveraged to enter the badge system database and modify its content.
The cybersecurity firm’s experts also discovered that PremiSys stores credentials and other sensitive data using a hashing method that is known to be weak.
They also noticed that the backups and the database installed by the IDenticard service are protected by default passwords that are easy to obtain and that cannot be changed by the user.
The CVE identifiers CVE-2019-3906 through CVE-2019-3909 have been assigned to these vulnerabilities.
Tenable warned that an attacker could exploit these security holes to covertly enter buildings by creating fake badges and disabling door locks. An attacker could also download the entire content of the user database, and modify or delete data.
However, the company has clarified to SecurityWeek that conducting an attack requires access to the network housing the badge system, as these servers are unlikely to be directly accessible from the Internet.
“If an attacker needed physical access to a building, they could theoretically add themselves to a badge system to get past security, and either disable locks on demand or simply give themselves entry rights to things they otherwise wouldn’t have,” Tenable’s research team said via email.
Tenable says it has been attempting to report its findings to the vendor since early October, including through CERT/CC, but has received no response. Since more than 90 days have passed since the first attempt, Tenable has made its findings public, even though no patches appear to be available.
Tenable tested its findings on version 3.1.190 of the PremiSys software. Version 3.2 was released in May 2018, but the cybersecurity firm believes the latest versions of the product are affected as well.
SecurityWeek has reached out to IDenticard for comment and will update this article if the company responds.