Interns discover security flaws in reception kiosks

News by Bradley Barth

Five kiosk-based visitor management systems designed to securely check guests into business facilities or industrial buildings were found to contain vulnerabilities that could potentially allow attackers to physically intrude into spaces, break into private networks or steal information.

Normally, these systems automate the authentication of visitors and provision them with security badges (potentially RFID-enabled) for access, without letting external parties view who else has visited. However, two interns with IBM’s X-Force research team, with some guidance from their mentors, recently examined five such systems and found a total of 19 flaws, some of which could enable adversaries to issue their own badges, access the application itself, or escape the kiosk environment and interact with the underlying Windows operating system.

"Considering that these systems are intentionally physically exposed to outsiders and have a role in the security of an organisation, they should be developed with security in mind throughout the product life cycle and should include physically present attackers in their threat model," said an IBM X-Force blog post authored by Daniel Crowley, head of researcher and protester for the X-Force Red hacking team. "However, our team has identified vulnerabilities in a number of visitor management system products that could prevent them from achieving that goal."

IBM listed the affected products as Lobby Track Desktop from Jolly Technologies, EasyLobby Solo from HID Global, eVisitorPass from Threshold Security, Envoy Passport from Envoy and The Receptionist (from The Receptionist). The company credited interns Hannah Robbins and Scott Brink with uncovering the issues.

IBM’s X-Force Red Lab in Austin, including interns Hannah Robbins (back row, center) and Scott Brink (back row, right).

An IBM spokesperson has told SC Media that all of the vendors have issued patches for their vulnerabilities except for Jolly Technologies. "The Lobby Track vulnerabilities were acknowledged by Jolly Technologies, but they stated that the issues can be addressed through configuration options," the spokesperson explained. "X-Force Red tested the Lobby Track software in its default configuration."

Lobby Track Desktop was found to contain seven vulnerabilities. Three of these were information disclosure flaws that can reveal, respectively, visitor records, driver’s license numbers and data information. The remaining four consisted of two kiosk breakout privilege escalations, a visitor records security bypass, and the use of default account credentials.

The five flaws that researchers discovered in eVisitorPass consisted of four privilege escalations and the inclusion of a default account with admin credentials.

EasyLobby Solo was flagged for four vulnerabilities, which were identified as a Social Security number information disclosure, a task manager denial of service bug, a privilege escalation, and the use of default account credentials.

Envoy Passport for Android devices and iPhones was found to contain two information disclosure vulnerabilities that could reveal API keys and OAuth credentials.

Finally, The Receptionist for iPad was determined to have an information disclosure flaw that could potentially divulge contact information.

To prevent future incidents, Crowley recommends that users of visitor management systems not only regularly apply software updates, but also perform security tests on these systems, eliminate admin privileges where possible, cut off network access to these solutions, use full disk encryption, and operate the systems in kiosk mode to limit their functionality.
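As an added example, not code from the article or from IBM X-Force, the following read-only PowerShell script audits a Windows kiosk host against the controls listed above (disk encryption, kiosk mode, no admin rights for the kiosk account, built-in default accounts, network exposure). It assumes Windows 10/11 with the BitLocker and AssignedAccess modules available, an elevated prompt, and a placeholder kiosk account name; a vendor application's own default login is outside what an OS-level check can see.

```powershell
param(
    # Placeholder, not from the article: the local account the kiosk application runs under.
    [string]$KioskUser = "$env:COMPUTERNAME\kioskuser"
)

$findings = @()

# 1. Full disk encryption: the OS volume should be fully encrypted with protection on.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $os -or $os.ProtectionStatus -ne 'On' -or $os.VolumeStatus -ne 'FullyEncrypted') {
    $findings += "Disk encryption: $env:SystemDrive is not fully encrypted with BitLocker protection on"
}

# 2. Kiosk mode: an Assigned Access configuration locks the shell to the kiosk app,
#    which is what keeps a visitor inside the application rather than on the desktop.
$hasAssignedAccess = $false
if (Get-Command Get-AssignedAccess -ErrorAction SilentlyContinue) {
    $hasAssignedAccess = [bool](Get-AssignedAccess -ErrorAction SilentlyContinue)
}
if (-not $hasAssignedAccess) {
    $findings += "Kiosk mode: no Assigned Access configuration is present"
}

# 3. Admin privileges: the kiosk account must not be in the local Administrators group.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty Name
if ($admins -contains $KioskUser) {
    $findings += "Privileges: $KioskUser is a member of the local Administrators group"
}

# 4. Default accounts: the built-in Administrator and Guest accounts should stay disabled.
#    (This does not detect a vendor application's own default login; check that in the product.)
Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -in @('Administrator', 'Guest') } |
    ForEach-Object { $findings += "Default account: built-in '$($_.Name)' is enabled" }

# 5. Network access: list active adapters so each connection can be justified or removed.
Get-NetAdapter -ErrorAction SilentlyContinue | Where-Object Status -eq 'Up' |
    ForEach-Object { $findings += "Network: adapter '$($_.Name)' is up; confirm the kiosk needs it" }

if ($findings.Count -eq 0) { 'All checked kiosk hardening controls are in place.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```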

SC has been attempting to reach the affected vendors named in this study. A spokesperson from The Receptionist told SC Media that the company fixed its vulnerability. "We removed the contacts.json file mentioned in the CVE with version 4.2 of our application that was released on 8 February. The file in question was only used by our automated UI testing, and it contained no customer visit data."

Envoy also released a statement, noting that the issues were resolved by 14 February and that "customer and visitor data was never at risk. Worst case, these issues could cause inaccurate data to be added to the systems we use to monitor how our software is performing. The IBM researchers categorised the severity of this issue as low."

This article was originally published on SC Media US.