Businesses' visitor management systems vulnerable to cyber attacks

IBM researchers discover range of vulnerabilities that are affecting popular automated receptionist and self-service kiosks

Business ID badge for visitor management systems

Visitor management systems such as self-service reception kiosks are at risk to a wealth of security vulnerabilities, according to research from IBM.

These management systems are becoming more common as businesses pursue the automation route instead of hiring human receptionists for kiosk attendants. They allow businesses to autonomously authenticate new visitors to a building, provide them with a badge and/or grant access levels to manage their movement in the building.

IBM X-Force Red researchers found 19 vulnerabilities in these systems which could lead to a data leak including exposure of logs, contact information and details of corporate activities. The researchers are also concerned that the vulnerabilities could be used to compromise corporate networks, using the vulnerability as a foothold to launch further attacks.

'Even if the visitor management system is not connected to any network and does not issue badges, it still holds data about visitors, which can be a boon to competitors and inside traders," said IBM in a security blog. "Knowing, for instance, that the CEO of a related company has been visiting every day for the last few weeks could be valuable intelligence to collect. Depending on what data the visitor management system stores, there may be an opportunity for identity theft as well."

Although the research team is keeping most of the details about the vulnerabilities strictly under wraps, just the team and the alerted vendors are aware, we do know that one of the flaws in the systems related to default admin credentials.

Some of the visitor management systems hosted applications which had admin status as a default setting which would allow complete control over the application. Other vulnerabilities allowed attackers to use Windows hotkeys and simple help or print dialogues to exit the visitor management system and interact with Windows instead.

"If a visitor management system is working properly, it should be easier to identify which visitors are legitimate and if they should be allowed to move throughout the campus unescorted," said IBM.

Although the use of visitor management systems is more common in the hospitality sector, businesses across the board should be paying attention to things like this.

We reported in December 2018 on how cyber attackers posing as workmen and job interviewees were able to simply waltz into eight European banks and implant Raspberry Pi devices which compromised the bank's IT. From there, these unverified individuals were able to take millions from the banks.

Physical, on-premise attacks like these were just one of the possible consequences IBM detailed in the report. Others include network attacks; if an attacker could leave the kiosk interface and interact with Windows, then attacks could be launched on a company without the attacker having access to the building.

The affected companies have been notified and have issued or plan to issue patches to the known vulnerabilities in their products.

Featured Resources

Virtual desktops and apps for dummies

An easy guide to virtual desktop infrastructure, end-user computing, and more

Download now

The total economic impact of optimising and managing your hybrid multi-cloud

Cost savings and business benefits of accelerating the cloud journey

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

What’s next for the education sector?

A new learning experience

Download now

Recommended

Data breaches increase by a third as staff continue to work from home
cyber security

Data breaches increase by a third as staff continue to work from home

17 May 2021
What is phishing?
phishing

What is phishing?

17 May 2021
Cisco to acquire threat intelligence provider Kenna Security
Acquisition

Cisco to acquire threat intelligence provider Kenna Security

14 May 2021
What is the Computer Misuse Act?
Policy & legislation

What is the Computer Misuse Act?

14 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021