In a case of cybersecurity converging with physical security, researchers have disclosed four vulnerabilities in IDenticard Corp.’s PremiSys building access control system that attackers could exploit to sneak into restricted locations.

In a corporate blog post, Tenable, Inc. reported today its researcher Jimi Sebree discovered the zero-day flaws in September 2018, after which time the company made multiple unsuccessful attempts to contact IDenticard. Tenable says it waited to reveal the vulnerabilities until after the company’s self-imposed 90-day window for responsible disclosure officially closed on Jan. 3, 2019.

IDenticard’s website claims tens of thousands of customers, some of whom use the .Net-based PremiSys application to generate custom ID cards, remotely manage ID readers, open or limit access to physical spaces and lock down their facilities. In his own in-depth analysis, Sebree explains that he discovered the vulnerabilities in version 3.1.190 of PremiSys using a .Net decompiler tool, adding that that the issues may exist in subsequent versions as well.

According to Sebree, the most critical of these flaws could allow unauthorized attackers to access the Premisys badge database, thereby giving them the ability to create fake security badges or even disable building locks at the user organization’s facilities. Officially designated CVE-2019-3906, this error involves the use of insecure hard-coded credentials, designed to give users admin-level access to the system via the PremiSys Windows Communication Foundation (WCF) Service endpoint.

“These credentials can be used by an attacker to dump contents of the badge system database, modify contents, or [perform] other various tasks with unfettered access,” Tenable’s official security advisory states. Making matters worse, users are reportedly not allowed to change these credentials, so the only way to remedy this security hole is to limit traffic to this endpoint, which could affect the application’s operations.

The other three bugs consist of:

CVE-2019-3907: Weak hashing and encryption of user credentials and other sensitive information. Tenable describes the method as Base64 encoded MD5 hashes – salt + password.

CVE-2019-3908: Use of a hard-coded password for unzipping Identicard back-ups stored as zip files, which could allow attackers to access or modify the contents. This password cannot be configured by the end user.

CVE-2019-3909: The use of default database credentials upon installation of the service. Users are not permitted to change the passwords without assistance from IDenticard. “These known credentials can be used by attackers to access the sensitive contents of the databases,” Tenable warns.

“Because there is no vendor patch, affected users will have to attempt to mitigate these vulnerabilities,” Tenable asserts in its blog post. “Systems like this should never be open to the Internet and users should ensure proper network segmentation is in place to isolate this critical system.”

“While badge systems should be isolated from the rest of the network, we all know that not everyone is going to follow best practices,” Sebree explains in his report. “Additionally, it’s likely most people administering these applications aren’t even aware of all the extra features and doodads that come built-in. In a production deployment, the attack surface of this single service would be absolutely massive. If a company is depending on it for physical security, simple and critical software errors like these have to be taken seriously.”

“The digital era has brought the cyber and physical worlds together thanks, in part, to the adoption of IoT. An organization’s security purview is no longer confined by a firewall, subnets, or physical perimeter – it’s now boundary-less. This makes it critically important for security teams to have complete visibility into where they are exposed and to what extent,” said Renaud Deraison, co-founder and CTO of Tenable, in a company press release. “Unfortunately, many manufacturers in the new world of IoT don’t always understand the risks of unpatched software, leaving consumers and enterprises vulnerable to a cyber attack.”

SC Media reached out to IDenticard for comment, and was directed to call its parent company Brady Corp. A spokesperson at Brady Corp. later provided the following statement: “We take the issues identified by Tenable…seriously and are looking to incorporate their feedback into our ongoing product development cycle. PremiSys System software is constantly evolving and we appreciate the diligence Tenable outlined in their messages to us.” 

“Regrettably, we overlooked the communication attempts from Tenable. This is unacceptable for us and we are currently reviewing our inbound communication practices to ensure it does not happen in the future,” the statement continues, adding that we anticipate releasing improvements in the near term and will keep our customers updated with how those improvements address Tenable’s concerns.”

IDenticard is based in Markham, Ontario, with an American sister company based in Manheim, Penn.