Originally published on Wired March 4, 2019
Overlooked Security in Sign-In Kiosks – Visitor Management Systems (note: all are “mostly” patched)
Wired published a story about IBM interns infiltrating several visitor management systems (since patched). Such kiosks typically have USB ports exposed, and sure enough that is what the interns found. We were surprised that HID Global was among the named offenders. They know better, but they generally sell the hardware, and someone else installs it on some machine that is deployed in some building in some fashion. Here is an excerpt from Wired:
On Monday, IBM is publishing findings on vulnerabilities in five “visitor management systems,” the digital sign-in portals that often greet you at businesses and facilities. Companies buy visitor management software packs and set them up on PCs or mobile devices like tablets. But X-Force interns Hannah Robbins and Scott Brink found flaws—now mostly patched—in all five mainstream systems they looked at from the visitor management companies Jolly Technologies, HID Global, Threshold Security, Envoy, and The Receptionist. If you had signed in on one of these systems, an attacker could’ve potentially nabbed your data or impersonated you in the system.
The very nature of visitor management systems is partly to blame. Unlike the remote access attacks most organizations anticipate and attempt to block, a hacker could easily approach a visitor management system with a tool like a USB stick set up to automatically exfiltrate data or install remote-access malware. Even without an accessible USB port, attackers could use other techniques, like Windows keyboard shortcuts, to quickly gain control. And while faster is always better for an attack, it would be relatively easy to stand at a sign-in kiosk for a few minutes without attracting any suspicion.
Among the PC software packs, EasyLobby Solo by HID Global had access issues that could allow an attacker to take control of the system and potentially steal Social Security numbers. And eVisitorPass by Threshold Security had similar access issues and guessable default administrator credentials.
Read the full article on Wired (March 4, 2019).
Editor Note: restricting access to USB ports is a basic necessity. For the sake of convenience, and despite the negligible cost, these basic rules are still violated. Our recommendation is to look at KioWare or SiteKiosk before you deploy in public. See the related service article on the loan application kiosk and its exposed USB ports, with video walk-through.
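To make the editor's recommendation concrete, the following is an added example (not from the Wired article, IBM X-Force, or any kiosk vendor named above) showing how a Windows kiosk operator can audit and enforce a USB mass-storage lockdown before the machine goes into a lobby. It uses the USBSTOR service's Start value (4 = driver disabled) and the Removable Storage Access policy key; the function names and the assumption that the kiosk runs Windows with PowerShell available are this example's own.

```powershell
# Added example: audit and lock down USB mass storage on a Windows sign-in kiosk.
# Not code from the article or from any vendor it names. Run from an elevated prompt.

$UsbStorKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$RemovablePol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-KioskUsbStorageState {
    # Start = 4 disables the USB mass-storage driver; 3 (the default) loads it on demand.
    $start   = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    # Deny_All = 1 under the Removable Storage Access policy blocks all removable-storage classes.
    $denyAll = (Get-ItemProperty -Path $RemovablePol -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    [pscustomobject]@{
        UsbStorStart     = $start
        UsbStorDisabled  = ($start -eq 4)
        RemovableDenyAll = ($denyAll -eq 1)
        Compliant        = ($start -eq 4) -and ($denyAll -eq 1)
    }
}

function Set-KioskUsbStorageLockdown {
    # Disable the mass-storage driver and deny removable-storage access by policy,
    # then return the resulting state so the change can be verified.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    if (-not (Test-Path $RemovablePol)) { New-Item -Path $RemovablePol -Force | Out-Null }
    Set-ItemProperty -Path $RemovablePol -Name Deny_All -Value 1 -Type DWord
    Get-KioskUsbStorageState
}

function Get-ConnectedUsbStorageDevices {
    # Inventory of USB mass-storage devices currently attached; on a deployed kiosk this should be empty.
    Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object FriendlyName, Status, InstanceId
}

# Usage (elevated):
#   Get-KioskUsbStorageState          # audit before deployment
#   Set-KioskUsbStorageLockdown       # enforce the lockdown
#   Get-ConnectedUsbStorageDevices    # confirm nothing is mounted
```

This covers only the mass-storage class. A device that presents itself as a keyboard is not affected by the USBSTOR setting, so the lockdown should be paired with a kiosk-mode configuration (for example Windows Assigned Access or the dedicated kiosk products mentioned above) that removes the keyboard shortcuts the article describes, and with a physical enclosure that hides the ports altogether.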
Craig is a senior staff writer for Kiosk Industry Group Association. He has 25 years of experience in the industry. He contributed to this article.