Five kiosk-based visitor management systems designed to securely check guests into business facilities or industrial buildings were found to contain vulnerabilities that could potentially allow attackers to physically intrude into spaces, break into private networks or steal information.

Normally, these systems automate the authentication of visitors and provision them with security badges (potentially RFID-enabled) for access, without letting external parties view who else has visited. However, two interns with IBM's X-Force research team, with some guidance from their mentors, recently examined five such systems and found a total of 19 flaws, some of which could enable adversaries to issue their own badges, access the application itself, or escape the kiosk environment and interact with the underlying Windows operating system.

"Considering that these systems are intentionally physically exposed to outsiders and have a role in the security of an organization, they should be developed with security in mind throughout the product life cycle and should include physically present attackers in their threat model," said an IBM X-Force blog post authored by Daniel Crowley, head of research and pen tester for the X-Force Red hacking team. "However, our team has identified vulnerabilities in a number of visitor management system products that could prevent them from achieving that goal."
