Report: Flaws in PremiSys access system could literally open door for physical intruders

News by Bradley Barth

In a case of cyber-security converging with physical security, researchers have disclosed four vulnerabilities in IDenticard Corp.'s PremiSys building access control system that attackers could exploit to sneak into restricted locations.

In a case of cyber-security converging with physical security, researchers have disclosed four vulnerabilities in IDenticard Corp.’s PremiSys building access control system that attackers could exploit to sneak into restricted locations.

In a corporate blog post, Tenable, Inc. reported today its researcher Jimi Sebree discovered the zero-day flaws in September 2018, after which time the company made multiple unsuccessful attempts to contact IDenticard. Tenable says it waited to reveal the vulnerabilities until after the company’s self-imposed 90-day window for responsible disclosure officially closed on 3 January, 2019.

IDenticard’s website claims tens of thousands of customers, some of whom use the .Net-based PremiSys application to generate custom ID cards, remotely manage ID readers, open or limit access to physical spaces and lock down their facilities. In his own in-depth analysis, Sebree explains that he discovered the vulnerabilities in version 3.1.190 of PremiSys using a .Net decompiler tool, adding that that the issues may exist in subsequent versions as well.

According to Sebree, the most critical of these flaws could allow unauthorised attackers to access the Premisys badge database, thereby giving them the ability to create fake security badges or even disable building locks at the user organisation’s facilities. Officially designated CVE-2019-3906, this error involves the use of insecure hard-coded credentials, designed to give users admin-level access to the system via the PremiSys Windows Communication Foundation (WCF) Service endpoint.

"These credentials can be used by an attacker to dump contents of the badge system database, modify contents, or [perform] other various tasks with unfettered access," Tenable’s official security advisory states. Making matters worse, users are reportedly not allowed to change these credentials, so the only way to remedy this security hole is to limit traffic to this endpoint, which could affect the application’s operations.

The other three bugs consist of:

CVE-2019-3907: Weak hashing and encryption of user credentials and other sensitive information. Tenable describes the method as Base64 encoded MD5 hashes – salt + password.

CVE-2019-3908: Use of a hard-coded password for unzipping Identicard back-ups stored as zip files, which could allow attackers to access or modify the contents. This password cannot be configured by the end user.

CVE-2019-3909: The use of default database credentials upon installation of the service. Users are not permitted to change the passwords without assistance from IDenticard. "These known credentials can be used by attackers to access the sensitive contents of the databases," Tenable warns.

"Because there is no vendor patch, affected users will have to attempt to mitigate these vulnerabilities," Tenable asserts in its blog post. "Systems like this should never be open to the Internet and users should ensure proper network segmentation is in place to isolate this critical system."

"While badge systems should be isolated from the rest of the network, we all know that not everyone is going to follow best practices," Sebree explains in his report. "Additionally, it’s likely most people administering these applications aren’t even aware of all the extra features and doodads that come built-in. In a production deployment, the attack surface of this single service would be absolutely massive. If a company is depending on it for physical security, simple and critical software errors like these have to be taken seriously."

"The digital era has brought the cyber and physical worlds together thanks, in part, to the adoption of IoT. An organisation’s security purview is no longer confined by a firewall, subnets, or physical perimeter – it’s now boundary-less. This makes it critically important for security teams to have complete visibility into where they are exposed and to what extent," said Renaud Deraison, co-founder and CTO of Tenable, in a company press release. "Unfortunately, many manufacturers in the new world of IoT don’t always understand the risks of unpatched software, leaving consumers and enterprises vulnerable to a cyber-attack."

SC Media reached out to IDenticard for comment, and was directed to call its parent company Brady Corp. A message left for the corporate communications department has not yet been returned. IDenticard is based in Markham, Ontario, with an American sister company based in Manheim, Penn.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews