Businesses' visitor management systems vulnerable to cyber attacks

IBM researchers discover range of vulnerabilities that are affecting popular automated receptionist and self-service kiosks

Business ID badge for visitor management systems

Visitor management systems such as self-service reception kiosks are at risk to a wealth of security vulnerabilities, according to research from IBM.

These management systems are becoming more common as businesses pursue the automation route instead of hiring human receptionists for kiosk attendants. They allow businesses to autonomously authenticate new visitors to a building, provide them with a badge and/or grant access levels to manage their movement in the building.

Advertisement - Article continues below

IBM X-Force Red researchers found 19 vulnerabilities in these systems which could lead to a data leak including exposure of logs, contact information and details of corporate activities. The researchers are also concerned that the vulnerabilities could be used to compromise corporate networks, using the vulnerability as a foothold to launch further attacks.

'Even if the visitor management system is not connected to any network and does not issue badges, it still holds data about visitors, which can be a boon to competitors and inside traders," said IBM in a security blog. "Knowing, for instance, that the CEO of a related company has been visiting every day for the last few weeks could be valuable intelligence to collect. Depending on what data the visitor management system stores, there may be an opportunity for identity theft as well."

Advertisement - Article continues below

Although the research team is keeping most of the details about the vulnerabilities strictly under wraps, just the team and the alerted vendors are aware, we do know that one of the flaws in the systems related to default admin credentials.

Advertisement - Article continues below

Some of the visitor management systems hosted applications which had admin status as a default setting which would allow complete control over the application. Other vulnerabilities allowed attackers to use Windows hotkeys and simple help or print dialogues to exit the visitor management system and interact with Windows instead.

"If a visitor management system is working properly, it should be easier to identify which visitors are legitimate and if they should be allowed to move throughout the campus unescorted," said IBM.

Although the use of visitor management systems is more common in the hospitality sector, businesses across the board should be paying attention to things like this.

We reported in December 2018 on how cyber attackers posing as workmen and job interviewees were able to simply waltz into eight European banks and implant Raspberry Pi devices which compromised the bank's IT. From there, these unverified individuals were able to take millions from the banks.

Advertisement - Article continues below

Physical, on-premise attacks like these were just one of the possible consequences IBM detailed in the report. Others include network attacks; if an attacker could leave the kiosk interface and interact with Windows, then attacks could be launched on a company without the attacker having access to the building.

The affected companies have been notified and have issued or plan to issue patches to the known vulnerabilities in their products.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now



10 quick tips to identifying phishing emails

16 Mar 2020
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
high-performance computing (HPC)

IBM dedicates supercomputing power to coronavirus research

24 Mar 2020