Details published about vulnerabilities in popular building access system

January 14, 2019
in Internet Security
Image: IDenticard (YouTube screengrab)

A hardcoded password and other unpatched vulnerabilities can allow hackers to take control over ID card-based building access systems, researchers from Tenable have revealed.

Despite being notified of the issues by both Tenable and the United States Computer Emergency Readiness Team (US-CERT), the vendor has not issued a patch, nor even responded to the researchers.

The vulnerabilities (four in total) affect PremiSys, a card-based building access system developed by IDenticard. Details about the four flaws have been published today in a Tenable security advisory. More in-depth information is also available in a Medium blog post authored by the Tenable researcher who found the issues.

Of the four, the most important security flaw is the one tracked as CVE-2019-3906. According to Tenable, the PremiSys building access system comes with a hardcoded password for the admin account.

“Users are not permitted to change these credentials,” Tenable researchers said. “The only mitigation appears to be to limit traffic to this endpoint, which may or may not have further impact on the availability of the application itself.”

“These credentials can be used by an attacker to dump contents of the badge system database, modify contents, or other various tasks with unfettered access,” researchers added.

The username and password are “IISAdminUsr” and “Badge1.”

If PremiSys servers are exposed online, an attacker can use this username and password to access a building’s ID card management system and introduce rogue cards or disable access control features altogether.

A Shodan search turns up only a handful of these systems directly reachable from the internet. That is better than the alternative, but it is not evidence that the rest are secured: the credentials work for anyone who can reach a PremiSys server, so a system that sits on a flat internal network can still be exploited by any attacker or malicious insider with a foothold on the local network.

The other three flaws, not as severe as the first, but dangerous nonetheless, include:

  • CVE-2019-3907 – User credentials and other sensitive information are stored with a weak scheme: Base64-encoded MD5 hashes of salt + password. MD5 is a fast, unkeyed hash, so anyone who obtains the stored values can brute-force the underlying passwords offline at very high speed; the salt only defeats precomputed tables, not per-record guessing.
  • CVE-2019-3908 – IDenticard backups are stored inside a password protected ZIP file. The password is “ID3nt1card.”
  • CVE-2019-3909 – The IDenticard service installs with a default database username and password of “PremisysUsr” / “ID3nt1card.” There are also instructions for meeting longer password standards by using “ID3nt1cardID3nt1card.” Users cannot change this password without sending custom passwords to the vendor directly in order to receive an encrypted variant to use in their configurations. These known credentials can be used by attackers to access the sensitive contents of the databases.
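The storage scheme behind CVE-2019-3907, as an added example that is not code from IDenticard, Tenable or the article: the weak form is implemented as the advisory describes it and then cracked offline with a short candidate list, beside a hardened PBKDF2-HMAC-SHA256 form. The exact byte layout of the weak scheme (salt bytes immediately followed by the UTF-8 password, MD5 digest then Base64), the demo salt and the candidate wordlist are all assumptions made for illustration.

```python
"""Weak credential storage as described in CVE-2019-3907, beside a hardened form.

Added example, not IDenticard or Tenable code. The byte layout of the weak
scheme (salt || utf-8 password, MD5, then Base64) is an ASSUMPTION based on
the advisory's one-line description, as are the demo salt and the wordlist.
"""
import base64
import hashlib
import hmac
import itertools
import os
import string
from typing import Iterable, Iterator, Optional, Tuple

# Defaults quoted in the advisory plus two generic ones. Order matters for the demo.
DEFAULT_WORDLIST = ["admin", "password", "PremisysUsr", "ID3nt1card", "Badge1",
                    "ID3nt1cardID3nt1card"]

PBKDF2_ITERATIONS = 600_000  # OWASP's current order of magnitude for PBKDF2-HMAC-SHA256


def weak_store(password: str, salt: bytes) -> str:
    """The vulnerable scheme: Base64(MD5(salt || password)). One MD5 per guess."""
    digest = hashlib.md5(salt + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def candidate_passwords(max_len: int = 3,
                        alphabet: str = string.ascii_lowercase + string.digits) -> Iterator[str]:
    """Wordlist first, then every short string (36 + 36^2 + 36^3 = 47,988 guesses)."""
    yield from DEFAULT_WORDLIST
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def crack_weak(stored: str, salt: bytes, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline attack on a leaked record. The salt is stored beside the hash (it
    must be, for verification), so it is known to the attacker and adds no cost
    per guess. Returns (recovered_password_or_None, number_of_guesses)."""
    target = base64.b64decode(stored)
    guesses = 0
    for guesses, cand in enumerate(candidates, start=1):
        if hashlib.md5(salt + cand.encode("utf-8")).digest() == target:
            return cand, guesses
    return None, guesses


def strong_store(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened form: PBKDF2-HMAC-SHA256, random salt, high iteration count.
    Each guess now costs `iterations` HMACs instead of a single MD5."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def strong_verify(password: str, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    salt = b"s4lt"  # constructed demo salt, assumed layout
    for pw in ("Badge1", "ab1"):
        leaked = weak_store(pw, salt)
        print("weak record", leaked, "->", crack_weak(leaked, salt, candidate_passwords()))
    rec = strong_store("Badge1", os.urandom(16))
    print("hardened record:", rec)
    print("verify correct:", strong_verify("Badge1", rec), "wrong:", strong_verify("Badge2", rec))
```

The point of the side-by-side is cost per guess: the weak record falls to a wordlist in five tries and to exhaustive search in well under a second, while the hardened record makes every guess as expensive as a legitimate login. The iteration count is stored in the record so it can be raised later without breaking existing entries.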

Tenable says the vulnerabilities affect PremiSys version 3.1.190, and possibly other versions. Because the vendor did not cooperate with either the researchers or US-CERT, it is unclear whether the reported issues have been patched. The researchers were not able to obtain the latest PremiSys release to check whether the vendor shipped a silent fix without notifying them, although this is highly unlikely.

According to its website, IDenticard has tens of thousands of customers around the world, including government agencies, Fortune 500 companies, K-12 schools, universities, medical centers and others.

Contacted for comment by ZDNet, an IDenticard spokesperson redirected our request to its parent company, the Brady Corporation. Attempts to get ahold of a spokesperson who could speak on this security issue were unsuccessful after repeated calls.

Tenable researchers are now recommending that companies review whether their PremiSys systems are exposed online and how sysadmins are accessing PremiSys backends.

“To reduce the risk of compromise, users should segment their network to ensure systems like PremiSys are isolated from internal and external threats as much as possible,” Tenable recommended.


© 2019 NikolaNews.com - Global Tech Updates