A hardcoded password and other unpatched vulnerabilities can allow hackers to take control over ID card-based building access systems, researchers from Tenable have revealed.
Despite being told of the issues by both Tenable and the US Computer Emergency Response Team (US-CERT), the vendor has not issued a patch, nor even responded to researchers.
The vulnerabilities, four in total, affect PremiSys, a card-based building access system developed by IDenticard. Details about the four flaws have been published today in a Tenable security advisory. More in-depth information is also available in a Medium blog post authored by the Tenable researcher who found the issues.
Of the four, the most important security flaw is the one tracked as CVE-2019-3906. According to Tenable, the PremiSys building access system comes with a hardcoded password for the admin account.
"Users are not permitted to change these credentials," Tenable researchers said. "The only mitigation appears to be to limit traffic to this endpoint, which may or may not have further impact on the availability of the application itself."
"These credentials can be used by an attacker to dump contents of the badge system database, modify contents, or other various tasks with unfettered access," researchers added.
The username and password are "IISAdminUsr" and "Badge1."
If PremiSys servers are exposed online, an attacker can use this username and password to access a building's ID card management system and introduce rogue cards or disable access control features altogether.
A Shodan search shows only a handful of these systems connected to the internet, a good sign that most companies have kept their systems off the public web. However, systems not connected to the internet can still be exploited from the local network.
The other three flaws, not as severe as the first, but dangerous nonetheless, include:
Tenable says the vulnerabilities affect PremiSys systems running firmware version 3.1.190, and possibly others. Because the vendor did not cooperate with the research or US-CERT team, it is unclear if the reported issues were patched. Researchers weren't able to get their hands on the latest version of the PremiSys firmware to check if the vendor shipped a silent patch without notifying the research team, although this is highly unlikely.
According to its website, IDenticard has tens of thousands of customers around the world, including government agencies, Fortune 500 companies, K-12 schools, universities, medical centers and others.
Contacted for comment by ZDNet, an IDenticard spokesperson redirected our request to its parent company, the Brady Corporation. Attempts to get hold of a spokesperson who could speak on this security issue were unsuccessful after repeated calls.
Tenable researchers are now recommending that companies review if their PremiSys systems are exposed online and how sysadmins are accessing PremiSys backends.
"To reduce the risk of compromise, users should segment their network to ensure systems like PremiSys are isolated from internal and external threats as much as possible," Tenable recommended.
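A defender-side check that follows from the advice above, added here as an example and not code from Tenable, ZDNet or IDenticard: because the IISAdminUsr password cannot be changed, the practical control is to restrict where that account can be used from and to alert on any use from outside that segment. The authentication log format and the admin subnet below are constructed assumptions, not the real PremiSys log layout.

```python
# Added example: flag use of the fixed PremiSys admin account (CVE-2019-3906,
# as reported by Tenable) from outside an allowlisted admin network segment.
import ipaddress
import re

# Account name from the Tenable advisory; its password is fixed, so the
# only usable control is monitoring and limiting *where* it is used from.
HARDCODED_ACCOUNT = "IISAdminUsr"

# Constructed, simplified log shape (assumption, not the real product format):
# "<ISO time> auth user=<name> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

def load_allowlist(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def is_allowed(src_ip, allowlist):
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in allowlist)

def flag_hardcoded_account_use(lines, allowlist):
    """Return one alert per auth event using the hardcoded account from a
    source outside the allowlisted admin networks. Failed attempts from
    outside are flagged too, since the password is fixed and public."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than silently alert
        if m["user"] != HARDCODED_ACCOUNT:
            continue
        if is_allowed(m["src"], allowlist):
            continue
        alerts.append({"ts": m["ts"], "src": m["src"], "result": m["result"]})
    return alerts

# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    "2019-01-09T10:00:01Z auth user=jsmith src=10.20.5.14 result=ok",
    "2019-01-09T10:02:13Z auth user=IISAdminUsr src=10.20.0.7 result=ok",   # admin segment
    "2019-01-09T10:05:44Z auth user=IISAdminUsr src=192.0.2.55 result=ok",  # outside it
    "2019-01-09T10:05:45Z auth user=IISAdminUsr src=198.51.100.9 result=fail",
]
ADMIN_NETS = load_allowlist(["10.20.0.0/24"])  # assumed admin segment

if __name__ == "__main__":
    for a in flag_hardcoded_account_use(SAMPLE_LOG, ADMIN_NETS):
        print(f"ALERT {a['ts']} {HARDCODED_ACCOUNT} from {a['src']} ({a['result']})")
```

Pair this with the traffic restriction Tenable describes: the alert is only meaningful once the allowlisted segment is also the only one the PremiSys endpoint accepts connections from.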