Automation is pervasive across our modern world and building lobbies are the latest place affected by the changes. The friendly receptionist or security guard is being replaced by kiosks, and it is big business, with sales expected to exceed $1.3 billion by 2025. These systems are officially called visitor management systems and allow businesses to check a guest in, give them a badge and control access to restricted areas of the facility.
Unlike simple pen and paper, they have the ability to authenticate visitors and provision badges for them in an automated way without allowing anyone to see who else has visited. If a visitor management system is working properly, it should be easier to identify which visitors are legitimate and if they should be allowed to move throughout the campus unescorted. If the systems are not working as intended, they can provide a false sense of security to the companies deploying them.
Considering that these systems are intentionally physically exposed to outsiders and have a role in the security of an organization, they should be developed with security in mind throughout the product life cycle and should include physically present attackers in their threat model. However, our team has identified vulnerabilities in a number of visitor management system products that could prevent them from achieving that goal.
Two X-Force Red summer interns (Hannah Robbins and Scott Brink), under the guidance of the X-Force Red research team, took a closer look at the security of five popular visitor management systems and discovered 19 previously undisclosed vulnerabilities across all the vendors. If the vulnerabilities were exploited by attackers, data like visitor logs, contact information and corporate activities could be accessed. They also discovered these systems can be used to establish a foothold to attack corporate networks.
The findings included:
- Data leakage — information disclosure of personal and corporate data;
- Keys to the kingdom — several applications had default administrative credentials, which would allow complete control of the application; and
- Breakout — other identified vulnerabilities could allow an attacker to use Windows hotkeys and standard help or print dialogs to break out of the kiosk environment and interact with Windows, giving an attacker control over the system with the same privileges as the software was given.
What Are the Potential Consequences?
Given control of a visitor management system, an attacker could achieve a number of goals depending on the features of the system in question and the context of how it has been deployed.
Physical access: Attackers who want to perform a physical task like stealing valuable assets or launching physical attacks to compromise computers may be able to acquire a valid badge. Some visitor management systems can even issue and provision radio frequency identification (RFID) badges, giving an attacker a key to open doors. Even if the issued badges are not capable of opening doors, they may still identify an attacker as a trusted outsider. A smile and gentle request for help opening a locked door often goes unchallenged with a valid badge.
Network access: If an attacker’s goal is simply to gain access to the internal network, they may not even need to enter the premises, since the visitor management system itself may have access to the internal network and compromising it could mean gaining a foothold on the network.
Data exfiltration: Even if the visitor management system is not connected to any network and does not issue badges, it still holds data about visitors, which can be a boon to competitors and inside traders. Knowing, for instance, that the CEO of a related company has been visiting every day for the last few weeks could be valuable intelligence to collect. Depending on what data the visitor management system stores, there may be an opportunity for identity theft as well.
Closing the Door to Visitor Management System Vulnerabilities
Details for the vulnerabilities disclosed by our X-Force Red team have been provided to the affected vendors in advance in order to allow time for an official fix to be developed and released in advance of this publication.
Apply the patch: Several of the vendors have updated their software or plan to with appropriate patches of changes to functions. If there is no patch, include these systems in a security testing program to confirm the exploitability and apply appropriate techniques to isolate the system from others.
Harden access: Evaluate the privileges the system has and determine if systems requires administrative privileges to run. If not, revoke the privileges and ensure default passwords are not enabled. If network access is not required for the visitor management system to function, it should not be connected to the network.
Encrypt everything: Full-disk encryption should always be used on any system accessible to the public or at risk of theft, such as laptops and kiosks. Since iOS now employs mandatory full-disk encryption backed by a hardware security module, full-disk encryption is already the norm on iOS devices.
Password integrity: If the password can be guessed, the encryption may be rendered moot, so make sure to set a strong password on the device. iOS has a kiosk mode that can be used to prevent users from accessing the full functionality of the device, and this should be employed to add an additional barrier to exploitation.
- Lobby Track Desktop (Jolly Technologies)
- CVE-2018-17482 Lobby Track Desktop visitor records information disclosure
- CVE-2018-17483 Lobby Track Desktop Driver’s License number information disclosure
- CVE-2018-17484 Lobby Track Desktop database information disclosure
- CVE-2018-17485 Lobby Track Desktop default account
- CVE-2018-17486 Lobby Track Desktop visitor records security bypass
- CVE-2018-17487 Lobby Track Desktop kiosk breakout privilege escalation
- CVE-2018-17488 Lobby Track Desktop kiosk breakout privilege escalation
- EasyLobby Solo (HID Global)
- eVisitorPass (Threshold Security)
- CVE-2018-17493 eVisitorPass Fullscreen button breakout privilege escalation
- CVE-2018-17494 eVisitorPass Start Menu breakout privilege escalation
- CVE-2018-17495 eVisitorPass Help Dialog privilege escalation
- CVE-2018-17496 eVisitorPass kiosk privilege escalation
- CVE-2018-17497 eVisitorPass admin credentials default account
- Envoy Passport (Envoy)
- The Receptionist (The Receptionist)
- CVE-2018-17502 The Receptionist for iPad contacts information disclosure