Bluebox Security researchers spotted a security bypass vulnerability in the kiosk management application used on the RSA Conference 2016 vendor badge scanning devices.
Conference vendors are given an Android Samsung Galaxy S4 that is locked into a “kiosk” mode that should only enable select features on the device, such as scanning the badges of booth visitors so that the vendors can monitor traffic and interested parties.
The device is locked to protect the data it collects and all locked features should only be accessible to someone with the administrative login credentials.
Researchers at Bluebox Security reverse-engineered the app and found the default password hidden in plain-text within the app's code. This provided access to the app's settings and ultimately to the device where data is stored, according to a Thursday blog post.
The researchers speculate the default code was embedded in the app as a mechanism to ensure the device can be managed even if the admin's custom passcode is lost. But, they added, it was a poor decision to embed the password un-encrypted and un-obfuscated in the app's shipped code.
Andrew Blaich, lead security analyst at Bluebox Security, told SCMagazine.com that the vulnerability could allow a threat actor to upload malware to skim data from the device and or the badges it scans.
Blaich said the bug could also jeopardize the information of non-RSA Conference attendees if the same devices or apps are used at other events.
It's important that app builders understand that whatever is left in the code that's not obfuscated or encrypted will be found, Blaich said
“Anyone can take the app, reverse-engineer it and find the code,” he said.
RSA has been notified of the vulnerability and Blaich said officials are looking into ways to secure the platform. More details will be disclosed once a solution is found, Blaich said.
RSA Conference General Manager Linda Gray said in statement emailed to SCMagazine.com the app does not store an index of all RSA Conference attendees.
"The devices being used by exhibitors start out entirely empty, except for information about the exhibitor that has rented the device, and some app settings,"Gray said. "After that, the device only stores sparse information about those leads that are scanned by that exhibiting vendor only (badge ID, name, company name and job title) on that particular device. The device does not have the ability to download any additional information about attendees," she added.
UPDATE: This article has been updated to include comments from RSA Conference General Manager Linda Gray.
