True North Networks Blog
The Overlooked Security Threat of Sign-In Kiosks
Daniel Crowley has a long list of software platforms, computers, and internet-of-things devices that he suspects he could hack. As research director of IBM’s offensive security group X-Force Red, Crowley's job is to follow his intuition about where digital security risks and threats may be lurking and expose them so they can be fixed. But so many types of computing devices are vulnerable in so many ways, he can’t chase down every lead himself. So he does what any self-respecting research director would do: He hires interns, two of whom have found a slew of bugs in software platforms that offices rely on every day.
On Monday, IBM is publishing findings on vulnerabilities in five “visitor management systems,” the digital sign-in portals that often greet you at businesses and facilities. Companies buy visitor management software packs and set them up on PCs or mobile devices like tablets. But X-Force interns Hannah Robbins and Scott Brink found flaws—now mostly patched—in all five mainstream systems they looked at from the visitor management companies Jolly Technologies, HID Global, Threshold Security, Envoy, and The Receptionist. If you had signed in on one of these systems, an attacker could've potentially nabbed your data or impersonated you in the system.
“There’s this moment of surprise when you start assessing real products, real devices, real software and see just how bad certain things are,” Crowley says. “These systems would leak information or not properly authenticate a person, or would allow an attacker to break out of the kiosk environment and control the underlying systems to plant malware or access data.”
The systems X-Force Red analyzed don’t integrate directly with systems that print access badges, which would have been an even greater security concern. Still, the researchers found vulnerabilities that endangered sensitive data and created security exposures.
The very nature of visitor management systems is partly to blame. Unlike the remote access attacks most organizations anticipate and attempt to block, an attack on a visitor management system can be carried out in person: a hacker could simply walk up to the kiosk with a tool like a USB stick set up to automatically exfiltrate data or install remote-access malware. Even without an accessible USB port, attackers could use other techniques, like Windows keyboard shortcuts, to quickly gain control. And while faster is always better for an attack, it would be relatively easy to stand at a sign-in kiosk for a few minutes without attracting any suspicion.
Among the mobile products the researchers looked at, The Receptionist had a bug that could potentially expose users’ contact data to an attacker. Envoy Passport exposed system access tokens that could be used to both read data and write, or input, data.
"IBM X-Force Red discovered two vulnerabilities, but customer and visitor data was never at risk," Envoy wrote in a statement. "Worst case, these issues could cause inaccurate data to be added to the systems we use to monitor how our software is performing." The Receptionist did not provide comment by deadline.
Among the PC software packs, EasyLobby Solo by HID Global had access issues that could allow an attacker to take control of the system and potentially steal Social Security numbers. And eVisitorPass by Threshold Security had similar access issues and guessable default administrator credentials.