Automation is pervasive across our modern world and building lobbies are the latest place affected by the changes. The friendly receptionist or security guard is being replaced by kiosks, and it is big business, with sales expected to exceed $1.3 billion by 2025. These systems are officially called visitor management systems and allow businesses to check a guest in, give them a badge and control access to restricted areas of the facility.

Unlike simple pen and paper, they have the ability to authenticate visitors and provision badges for them in an automated way without allowing anyone to see who else has visited. If a visitor management system is working properly, it should be easier to identify which visitors are legitimate and if they should be allowed to move throughout the campus unescorted. If the systems are not working as intended, they can provide a false sense of security to the companies deploying them.

Considering that these systems are intentionally physically exposed to outsiders and have a role in the security of an organization, they should be developed with security in mind throughout the product life cycle and should include physically present attackers in their threat model. However, our team has identified vulnerabilities in a number of visitor management system products that could prevent them from achieving that goal.

Two X-Force Red summer interns (Hannah Robbins and Scott Brink), under the guidance of the X-Force Red research team, took a closer look at the security of five popular visitor management systems and discovered 19 previously undisclosed vulnerabilities across all the vendors. If the vulnerabilities were exploited by attackers, data like visitor logs, contact information and corporate activities could be accessed. They also discovered these systems can be used to establish a foothold to attack corporate networks.

The findings included:

  • Data leakage — information disclosure of personal and corporate data;
  • Keys to the kingdom — several applications had default administrative credentials, which would allow complete control of the application; and
  • Breakout — other identified vulnerabilities could allow an attacker to use Windows hotkeys and standard help or print dialogs to break out of the kiosk environment and interact with Windows, giving an attacker control over the system with the same privileges as the software was given.

What Are the Potential Consequences?

Given control of a visitor management system, an attacker could achieve a number of goals depending on the features of the system in question and the context of how it has been deployed.

Physical access: Attackers who want to perform a physical task like stealing valuable assets or launching physical attacks to compromise computers may be able to acquire a valid badge. Some visitor management systems can even issue and provision radio frequency identification (RFID) badges, giving an attacker a key to open doors. Even if the issued badges are not capable of opening doors, they may still identify an attacker as a trusted outsider. A smile and gentle request for help opening a locked door often goes unchallenged with a valid badge.

Network access: If an attacker’s goal is simply to gain access to the internal network, they may not even need to enter the premises, since the visitor management system itself may have access to the internal network and compromising it could mean gaining a foothold on the network.

Data exfiltration: Even if the visitor management system is not connected to any network and does not issue badges, it still holds data about visitors, which can be a boon to competitors and inside traders. Knowing, for instance, that the CEO of a related company has been visiting every day for the last few weeks could be valuable intelligence to collect. Depending on what data the visitor management system stores, there may be an opportunity for identity theft as well.

Closing the Door to Visitor Management System Vulnerabilities

Details for the vulnerabilities disclosed by our X-Force Red team have been provided to the affected vendors in advance in order to allow time for an official fix to be developed and released in advance of this publication.

Apply the patch: Several of the vendors have updated their software or plan to with appropriate patches of changes to functions. If there is no patch, include these systems in a security testing program to confirm the exploitability and apply appropriate techniques to isolate the system from others.

Harden access: Evaluate the privileges the system has and determine if systems requires administrative privileges to run. If not, revoke the privileges and ensure default passwords are not enabled. If network access is not required for the visitor management system to function, it should not be connected to the network.

Encrypt everything: Full-disk encryption should always be used on any system accessible to the public or at risk of theft, such as laptops and kiosks. Since iOS now employs mandatory full-disk encryption backed by a hardware security module, full-disk encryption is already the norm on iOS devices.

Password integrity: If the password can be guessed, the encryption may be rendered moot, so make sure to set a strong password on the device. iOS has a kiosk mode that can be used to prevent users from accessing the full functionality of the device, and this should be employed to add an additional barrier to exploitation.

Learn more about X-Force Red and X-Force Red’s penetration testing services.


The Vulnerabilities

More from Software Vulnerabilities

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”

September’s Patch Tuesday unveiled a critical remote vulnerability in tcpip.sys, CVE-2022-34718. The advisory from Microsoft reads: “An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could enable a remote code execution exploitation on that machine.” Pure remote vulnerabilities usually yield a lot of interest, but even over a month after the patch, no additional information outside of Microsoft’s advisory had been publicly published. From my side, it had been a…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…