Data leaks, default passwords exposed in visitor management systems

Automation is big business, but smart visitor systems can be as vulnerable to attacks as any other connected device.
Written by Charlie Osborne, Contributing Writer

Researchers have uncovered a swathe of vulnerabilities which impact visitor management systems in which automation has replaced human assistants.

Automation, artificial intelligence (AI), machine learning (ML), the Internet of Things (IoT), and mobility have begun to permeate every aspect of our daily lives. In the hospitality industry, these technologies have presented an opportunity to improve the security of visitors and guests, as well as reduce the human workforce required to maintain protective measures.

So-called visitor management systems, which replace your average security guard or reception desk, are becoming big business; the market is expected to be worth over $1.3 billion by 2025.

However, the moment you add Internet connectivity to a device, you are inviting potential attacks -- and security vulnerabilities found in badges and digital control systems can be just as susceptible to exploit as any other.

For cyberattackers, the ability to tamper with access controls may give them unauthorized access to buildings and areas for criminal schemes. While this may seem an outlandish prospect, social engineering -- such as a man dressing as a maintenance worker to pass through buildings without challenge -- is already a well-known tactic.

"If a visitor management system is working properly, it should be easier to identify which visitors are legitimate and if they should be allowed to move throughout the campus unescorted," IBM says. "If the systems are not working as intended, they can provide a false sense of security to the companies deploying them."

The company's cybersecurity team, IBM X-Force Red, recently investigated the security posture of five popular visitor management systems offered by Jolly Technologies, HID Global, Threshold Security, Envoy, and The Receptionist.

The team found a total of 19 zero-day vulnerabilities across the vendors' products: Jolly Technologies' Lobby Track Desktop, HID Global's EasyLobby Solo, Threshold Security's eVisitorPass, Envoy's Envoy Passport, and The Receptionist system.

IBM X-Force Red's findings included information disclosure vulnerabilities, the use of default administrator credentials, privilege escalation bugs which could permit information breakouts of kiosk environments, and data leakage including visitor records, social security numbers, and driving license numbers.

"Even if the visitor management system is not connected to any network and does not issue badges, it still holds data about visitors, which can be a boon to competitors and inside traders," the researchers say. "Knowing, for instance, that the CEO of a related company has been visiting every day for the last few weeks could be valuable intelligence to collect. Depending on what data the visitor management system stores, there may be an opportunity for identity theft as well."

The vendors impacted by the researchers' findings were notified before public disclosure. Several of the vulnerabilities have been patched, other fixes will be issued in the near future, and some of the bugs will be mitigated through isolation techniques.

The vulnerabilities are listed below.

  • Lobby Track Desktop

CVE-2018-17482: Visitor records information disclosure
CVE-2018-17483: Driver's License number information disclosure
CVE-2018-17484: Database information disclosure    
CVE-2018-17485: Default account    
CVE-2018-17486: Visitor records security bypass  
CVE-2018-17487: Kiosk breakout privilege escalation    
CVE-2018-17488: Kiosk breakout privilege escalation    

  • EasyLobby Solo 

CVE-2018-17489: Social security number information disclosure    
CVE-2018-17490: Task manager denial of service
CVE-2018-17491: Program privilege escalation    
CVE-2018-17492: Default account

  • eVisitorPass 

CVE-2018-17493: Fullscreen button breakout privilege escalation
CVE-2018-17494: Start Menu breakout privilege escalation  
CVE-2018-17495: Help Dialog privilege escalation    
CVE-2018-17496: Kiosk privilege escalation  
CVE-2018-17497: Admin credentials default account   

  • Envoy Passport

CVE-2018-17499: Envoy Passport for Android and Envoy Passport for iPhone API key information disclosure
CVE-2018-17500: Envoy Passport for Android and Envoy Passport for iPhone OAuth Creds information disclosure

  • The Receptionist 

CVE-2018-17502: The Receptionist for iPad contacts information disclosure
