Businesses' visitor management systems vulnerable to cyber attacks

IBM researchers discover range of vulnerabilities that are affecting popular automated receptionist and self-service kiosks

Business ID badge for visitor management systems

Visitor management systems such as self-service reception kiosks are at risk to a wealth of security vulnerabilities, according to research from IBM.

These management systems are becoming more common as businesses pursue the automation route instead of hiring human receptionists for kiosk attendants. They allow businesses to autonomously authenticate new visitors to a building, provide them with a badge and/or grant access levels to manage their movement in the building.

IBM X-Force Red researchers found 19 vulnerabilities in these systems which could lead to a data leak including exposure of logs, contact information and details of corporate activities. The researchers are also concerned that the vulnerabilities could be used to compromise corporate networks, using the vulnerability as a foothold to launch further attacks.

'Even if the visitor management system is not connected to any network and does not issue badges, it still holds data about visitors, which can be a boon to competitors and inside traders," said IBM in a security blog. "Knowing, for instance, that the CEO of a related company has been visiting every day for the last few weeks could be valuable intelligence to collect. Depending on what data the visitor management system stores, there may be an opportunity for identity theft as well."

Although the research team is keeping most of the details about the vulnerabilities strictly under wraps, just the team and the alerted vendors are aware, we do know that one of the flaws in the systems related to default admin credentials.

Some of the visitor management systems hosted applications which had admin status as a default setting which would allow complete control over the application. Other vulnerabilities allowed attackers to use Windows hotkeys and simple help or print dialogues to exit the visitor management system and interact with Windows instead.

"If a visitor management system is working properly, it should be easier to identify which visitors are legitimate and if they should be allowed to move throughout the campus unescorted," said IBM.

Although the use of visitor management systems is more common in the hospitality sector, businesses across the board should be paying attention to things like this.

We reported in December 2018 on how cyber attackers posing as workmen and job interviewees were able to simply waltz into eight European banks and implant Raspberry Pi devices which compromised the bank's IT. From there, these unverified individuals were able to take millions from the banks.

Physical, on-premise attacks like these were just one of the possible consequences IBM detailed in the report. Others include network attacks; if an attacker could leave the kiosk interface and interact with Windows, then attacks could be launched on a company without the attacker having access to the building.

The affected companies have been notified and have issued or plan to issue patches to the known vulnerabilities in their products.

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

What are biometrics?
Security

What are biometrics?

27 Nov 2020
Black Friday's best antivirus deals
Security

Black Friday's best antivirus deals

27 Nov 2020
Veritas Access Appliance with IBM Spectrum® Protect
Server & storage

Veritas Access Appliance with IBM Spectrum® Protect

27 Nov 2020
Ransomware protection with Veritas NetBackup Appliances
Security

Ransomware protection with Veritas NetBackup Appliances

27 Nov 2020

Most Popular

46 million Animal Jam accounts leaked after comms software breach
Security

46 million Animal Jam accounts leaked after comms software breach

13 Nov 2020
macOS Big Sur is bricking some older MacBooks
operating systems

macOS Big Sur is bricking some older MacBooks

16 Nov 2020
Huawei Mate 40 Pro 5G review: A tragically brilliant Mate
Mobile Phones

Huawei Mate 40 Pro 5G review: A tragically brilliant Mate

26 Nov 2020