March 4, 2018 – In Breaking News – WIRED
Daniel Crowley has a long list of software platforms, computers, and internet-of-things devices that he suspects he could hack.
As research director of IBM’s offensive security group X-Force Red, Crowley’s job is to follow his intuition about where digital security risks and threats may be lurking and expose them so they can be fixed.
But so many types of computing devices are vulnerable in so many ways, he can’t chase down every lead himself.
So he does what any self-respecting research director would do: He hires interns, two of whom have found a slew of bugs in software platforms that offices rely on every day.
(X-Force Red Labs are secure, state-of-the-art security testing facilities across the globe. They help identify and fix security vulnerabilities within internet-of-things (IoT), industrial internet-of-things (IIoT), and operational technology (OT) systems. Courtesy of IBM Security and YouTube. Posted on Jul 30, 2018.)
On Monday, IBM is publishing findings on vulnerabilities in five “visitor management systems,” the digital sign-in portals that often greet you at businesses and facilities.
Companies buy visitor management software packs and set them up on PCs or mobile devices like tablets.
But X-Force interns Hannah Robbins and Scott Brink found flaws—now mostly patched—in all five mainstream systems they looked at from the visitor management companies Jolly Technologies, HID Global, Threshold Security, Envoy, and The Receptionist.
If you had signed in on one of these systems, an attacker could’ve potentially nabbed your data or impersonated you in the system.
X-Force Red interns @_sandw1ch and @robbinbs find 19 vulnerabilities in corporate check-in systems https://t.co/U9I8WQxW1h by @snlyngaas #RSAC https://t.co/thD6FYvrx0 pic.twitter.com/1rH3Asm6Tl
— X-Force Red (@xforcered) March 4, 2019
“There’s this moment of surprise when you start assessing real products, real devices, real software and see just how bad certain things are,” Crowley says.
“These systems would leak information or not properly authenticate a person, or would allow an attacker to break out of the kiosk environment and control the underlying systems to plant malware or access data.”
The systems X-Force Red analyzed don’t integrate directly with systems that print access badges, which would have been an even greater security concern.
Still, the researchers found vulnerabilities that endangered sensitive data and created security exposures…
Continue reading: The Overlooked Security Threat of Sign-In Kiosks (WIRED)