Businesses' visitor management systems vulnerable to cyber attacks

IBM researchers discover range of vulnerabilities that are affecting popular automated receptionist and self-service kiosks

Business ID badge for visitor management systems

Visitor management systems such as self-service reception kiosks are at risk to a wealth of security vulnerabilities, according to research from IBM.

These management systems are becoming more common as businesses pursue the automation route instead of hiring human receptionists for kiosk attendants. They allow businesses to autonomously authenticate new visitors to a building, provide them with a badge and/or grant access levels to manage their movement in the building.

IBM X-Force Red researchers found 19 vulnerabilities in these systems which could lead to a data leak including exposure of logs, contact information and details of corporate activities. The researchers are also concerned that the vulnerabilities could be used to compromise corporate networks, using the vulnerability as a foothold to launch further attacks.

'Even if the visitor management system is not connected to any network and does not issue badges, it still holds data about visitors, which can be a boon to competitors and inside traders," said IBM in a security blog. "Knowing, for instance, that the CEO of a related company has been visiting every day for the last few weeks could be valuable intelligence to collect. Depending on what data the visitor management system stores, there may be an opportunity for identity theft as well."

Advertisement
Advertisement - Article continues below

Although the research team is keeping most of the details about the vulnerabilities strictly under wraps, just the team and the alerted vendors are aware, we do know that one of the flaws in the systems related to default admin credentials.

Some of the visitor management systems hosted applications which had admin status as a default setting which would allow complete control over the application. Other vulnerabilities allowed attackers to use Windows hotkeys and simple help or print dialogues to exit the visitor management system and interact with Windows instead.

"If a visitor management system is working properly, it should be easier to identify which visitors are legitimate and if they should be allowed to move throughout the campus unescorted," said IBM.

Although the use of visitor management systems is more common in the hospitality sector, businesses across the board should be paying attention to things like this.

We reported in December 2018 on how cyber attackers posing as workmen and job interviewees were able to simply waltz into eight European banks and implant Raspberry Pi devices which compromised the bank's IT. From there, these unverified individuals were able to take millions from the banks.

Physical, on-premise attacks like these were just one of the possible consequences IBM detailed in the report. Others include network attacks; if an attacker could leave the kiosk interface and interact with Windows, then attacks could be launched on a company without the attacker having access to the building.

The affected companies have been notified and have issued or plan to issue patches to the known vulnerabilities in their products.

Featured Resources

The essential guide to cloud-based backup and disaster recovery

Support business continuity by building a holistic emergency plan

Download now

Trends in modern data protection

A comprehensive view of the data protection landscape

Download now

How do vulnerabilities get into software?

90% of security incidents result from exploits against defects in software

Download now

Delivering the future of work - now

The CIO’s guide to building the unified digital workspace for today’s hybrid and multi-cloud strategies.

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/cloud/amazon-web-services-aws/354223/what-to-expect-from-aws-reinvent-2019
Amazon Web Services (AWS)

What to expect from AWS Re:Invent 2019

29 Nov 2019
Visit/hardware/354232/raspberry-pi-4-owners-complain-of-broken-wi-fi-when-using-hdmi
Hardware

Raspberry Pi 4 owners complain of broken Wi-Fi when using HDMI

29 Nov 2019
Visit/mobile/google-android/354189/samsung-galaxy-a90-5g-review-simply-the-best-value-5g-phone
Google Android

Samsung Galaxy A90 5G review: Simply the best value 5G phone

22 Nov 2019