Vulnerabilities Found in Visitor Kiosk Systems

As more and more businesses begin replacing security guards with Visitor Kiosk Access Systems they become vulnerable to attack. The popular kiosk systems are expected to pass 1.3 billion in sales by 2025. However, many of these systems are riddled with security vulnerabilities, which malicious actors can take advantage of.

Visitor kiosk systems are used by businesses to automate the authentication of visitors, provide them with badges, and to give access necessary areas.

Two interns at IBM’S X-Force red research team along with their supervisors found that five different kiosk management systems contained vulnerabilities. After investigating and researching into the kiosks they found a total of 19 flaws. The kiosks found with flaws included Lobby Track Desktop (Jolly Technologies), EasyLobby Solo (HID Global), eVistorPass (Threshold Security), Envoy Passport (Envoy), and The Receptionist (The Receptionist).

During the analysis of the systems the researchers had three goals in mind. Daniel Crowley, IBM X-Force Red’s research director said the goals were:

“One, was how easy is to get checked-in as a visitor without any sort of real identifying information. Secondly, we set out to see how easy it is to get other people’s information out of the system. And third, is there a way that an adversary can break out of the application, cause it to crash or get arbitrary code-execution to run on the targeted device and gain a foothold to attack the corporate network,”

The researchers found that if exploited the vulnerabilities can reveal visitor log data, contact information, and activities of the companies. Further, attackers could get past the interface of the kiosks and into the underlying Windows operating systems using windows hotkey and standard help/print dialogs. Thus, giving attacks control of the system. Many of the tested application had default administrative credentials that could easily give full access to attackers.

Since the discovery of these vulnerabilities, all affected vendors have been contacted, who have released patches for the flaws. Any organization who has deployed the systems should promptly patch their kiosks. All systems should be hardened so attackers cannot access administrative privileges and all default passwords should be changed. Further, all systems should be enabled with full disk encryption.

For security advisory services contact LIFARS today.