Visitor Kiosk Privacy Exploit – Easy Lobby Access Systems and Others

By | October 17, 2022
hacker exploit easy lobby

Last Updated on October 17, 2022 by Craig Allen Keefner

Visitor Kiosk News

Read full article on ThreatPost

Student researchers working with IBM X-Force Red team find security holes in five leading visitor kiosk management systems.

Excerpt:

Visitor kiosk systems protect business against physical threats such as unwanted and unidentified guests. But many of these lobby-based perimeter checkpoints are opening up companies to a bevy of cyber-threats.

On Monday, IBM’s penetration testing team, X-Force Red, released a report that outlines 19 bugs found across five leading visitor-management systems. Vulnerabilities range from data leakage, complete program takeover and the ability for a visitor to press Windows’ hotkeys to break out of the kiosk environment. Affected are systems made by HID Global (EasyLobby Solo), Threshold (eVisitorPass), Envoy (Envoy Passport) and The Receptionist (The Receptionist).

Interestingly, the research was conducted by IBM summer interns (Hannah Robbins and Scott Brink) under the guidance of the X-Force Red research team.

“These are really interesting targets. By their very nature, they are exposed to the public that has no credentials,” said Daniel Crowley, IBM X-Force Red’s research director.

Crowley said researchers had three goals in testing the visitor-management systems. “One, was how easy is to get checked-in as a visitor without any sort of real identifying information. Secondly, we set out to see how easy is it to get other people’s information out of the system. And third, is there a way that an adversary can break out of the application, cause it to crash or get arbitrary code-execution to run on the targeted device and gain a foothold to attack the corporate network,” he said.

Researchers said they were able to accomplish all three.

Read full article on ThreatPost

More Posts

Author: Craig Allen Keefner

Craig Allen Keefner is an industry analyst, content strategist, and longtime authority on self-service kiosks, digital signage, unattended payment systems, and interactive technology. He manages content and industry strategy for Kiosk Industry and The Industry Group, with a focus on kiosk software, hardware-software integration, accessibility, payment compliance, healthcare kiosks, restaurant self-service, and emerging AI automation. Craig has covered the self-service and kiosk industry since the 1990s, tracking how public-facing terminals move from concept to field deployment. His work combines industry research, vendor analysis, operator conversations, standards tracking, trade show coverage, and practical experience with the real-world constraints of kiosk deployments. https://www.linkedin.com/in/kiosk