Researchers have uncovered a swathe of vulnerabilities which impact visitor management systems in which automation has replaced human assistants.
Automation, artificial intelligence (AI), machine learning (ML), the Internet of Things (IoT), and mobility have begun to permeate every aspect of our daily lives. In the hospitality industry, these technologies have presented an opportunity to improve the security of visitors and guests, as well as reduce the human workforce required to maintain protective measures.
So-called visitor management systems which replace your average security guard or reception desk are becoming big business which is expected to become a market worth over $1.3 billion by 2025.
However, the moment you add Internet connectivity to a device, you are inviting potential attacks -- and security vulnerabilities found in badges and digital control systems can be just as susceptible to exploit as any other.
For cyberattackers, the ability to tamper with access controls may give them unauthorized access to buildings and areas for criminal schemes. While this may seem an outlandish prospect, social engineering -- such as a man dressing as a maintenance worker to pass through buildings without challenge -- is already a well-known tactic.
"If a visitor management system is working properly, it should be easier to identify which visitors are legitimate and if they should be allowed to move throughout the campus unescorted," IBM says. "If the systems are not working as intended, they can provide a false sense of security to the companies deploying them."
The company's cybersecurity team, IBM X-Force Red, recently investigated the security posture of five popular visitor management systems offered by Jolly Technologies, HID Global, Threshold Security, Envoy, and The Receptionist.
The team found a total of 19 zero-day vulnerabilities across the vendors' products; Jolly Technologies' Lobby Track Desktop, HID Global's EasyLobby Solo, Threshold Security's eVisitorPass, Envoy's Envoy Passport, and The Receptionist system.
IBM X-Force Red's findings included information disclosure vulnerabilities, the use of default administrator credentials, privilege escalation bugs which could permit information breakouts of kiosk environments, and data leakage including visitor records, social security numbers, and driving license numbers.
"Even if the visitor management system is not connected to any network and does not issue badges, it still holds data about visitors, which can be a boon to competitors and inside traders," the researchers say. "Knowing, for instance, that the CEO of a related company has been visiting every day for the last few weeks could be valuable intelligence to collect. Depending on what data the visitor management system stores, there may be an opportunity for identity theft as well."
The vendors impacted by the researchers' findings were notified before public disclosure. Several of the vulnerabilities have been patched, other fixes will be issued in the near future, and some of the bugs will be mitigated through isolation techniques.
The vulnerabilities are listed below.
- Lobby Track Desktop
CVE-2018-17482 : Visitor records information disclosure
CVE-2018-17483: Driver's License number information disclosure
CVE-2018-17484: Database information disclosure
CVE-2018-17485: Default account
CVE-2018-17486: Visitor records security bypass
CVE-2018-17487: Kiosk breakout privilege escalation
CVE-2018-17488: Kiosk breakout privilege escalation
- EasyLobby Solo
CVE-2018-17493: Fullscreen button breakout privilege escalation
CVE-2018-17494: Start Menu breakout privilege escalation
CVE-2018-17495: Help Dialog privilege escalation
CVE-2018-17496: Kiosk privilege escalation
CVE-2018-17497: Admin credentials default account
- Envoy Passport
CVE-2018-17499: Envoy Passport for Android and Envoy Passport for iPhone API key
CVE-2018-17500: Envoy Passport for Android and Envoy Passport for iPhone OAuth Creds information disclosure
- The Receptionist
CVE-2018-17502: The Receptionist for iPad contacts information disclosure