A hardcoded password and other unpatched vulnerabilities are being used by hackers to take control of ID card-based building access systems.
Even though the issue had already been presented to Tenable and the US Computer Emergency Response Team (US-CERT) in the past, no patch was issued and not even a response was given.
Now the vulnerabilities that impact PremiSys, a card-based building access system developed by IDenticard, are being used by hackers to gain unauthorized access inside various corporate buildings.
The most dangerous cybersecurity flaw is CVE-2019-3906, which exists because every PremiSys building access system ships with a hardcoded password for the admin account.
Even more dangerous is the fact that users are not permitted to change these credentials.
Researchers say that, because of this, an attacker can use the credentials to dump the contents of the badge system database, modify them, or carry out various other tasks with unfettered access.
It is no secret that the username and password are “IISAdminUsr” and “Badge1.”; so if PremiSys servers are exposed online, a hacker can use this username and password to access a building’s ID card management system and introduce rogue cards or disable access control features altogether.
A simple and quick Shodan search reveals a handful of these systems connected to the internet; however, systems not connected to the internet can still be exploited from the local network.
Remember that everything can be hacked. In order to stay away from any threats related to the cyber world, we recommend installing an antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your device is running. If you are a company, it is also recommended to hire a specialized cybersecurity company that will run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests.
The other three flaws are not as severe as the first, but are still dangerous.
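Because the admin credentials cannot be changed, the practical defensive move is to watch for their use. The script below is an added example, not code from the article or from IDenticard: it runs a small detection over constructed IIS-style access log lines (the column layout and the management network 10.20.0.0/16 are assumptions, not PremiSys specifics) and flags two things the article points at: any successful request authenticated as one of the vendor default accounts named on this page, and any request reaching the badge system from outside the segmented management network.

```python
import ipaddress
import re
from collections import Counter

# Constructed IIS W3C-style access log lines; this is sample data, not real
# PremiSys output, and the column layout is an assumption.
# Columns: date time c-ip cs-username cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2019-01-14 09:12:01 10.20.1.15 - GET /PremiSys/login.aspx 200
2019-01-14 09:12:07 10.20.1.15 IISAdminUsr POST /PremiSys/login.aspx 302
2019-01-14 09:13:40 203.0.113.42 IISAdminUsr GET /PremiSys/badges 200
2019-01-14 09:15:02 10.20.1.33 jsmith GET /PremiSys/badges 200
2019-01-14 09:16:59 203.0.113.42 premisysusr GET /PremiSys/export 200
"""

# Account names quoted in the article; matched case-insensitively.
DEFAULT_ACCOUNTS = {"iisadminusr", "premisysusr"}

# Where administration of the badge system is expected to come from. An assumed
# management VLAN standing in for the site's own segmented network.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Split one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    date, time, ip, user, method, uri, status = m.groups()
    return {"ts": f"{date} {time}", "ip": ip, "user": user,
            "method": method, "uri": uri, "status": int(status)}


def is_trusted(ip):
    """True when the client address lies inside the management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def findings(log_text):
    """Return a list of (reason, record) pairs worth an analyst's attention."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # A successful (non-4xx/5xx) request authenticated as a vendor default
        # account: these credentials cannot be changed, so any use is suspect.
        if rec["user"].lower() in DEFAULT_ACCOUNTS and rec["status"] < 400:
            out.append(("default_account", rec))
        # Any request from outside the segmented management network, which the
        # segmentation advice later in the article is meant to rule out.
        if not is_trusted(rec["ip"]):
            out.append(("untrusted_source", rec))
    return out


def summarize(log_text):
    """Count findings per reason, e.g. Counter({'default_account': 3, ...})."""
    return Counter(reason for reason, _ in findings(log_text))


if __name__ == "__main__":
    for reason, rec in findings(SAMPLE_LOG):
        print(f"{rec['ts']} {reason:17} user={rec['user']} "
              f"ip={rec['ip']} {rec['uri']}")
```

On the constructed sample this reports three default-account hits and two requests from an untrusted address; in practice the same two rules map directly onto a SIEM correlation search once the real log format is known.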
• CVE-2019-3907 – User credentials and other sensitive information are stored with a known-weak encryption method (Base64 encoded MD5 hashes – salt + password).
• CVE-2019-3908 – IDenticard backups are stored inside a password protected ZIP file. The password is “ID3nt1card.”
• CVE-2019-3909 – The IDenticard service installs with a default database username and password of “PremisysUsr” / “ID3nt1card.”
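To make the CVE-2019-3907 weakness concrete, the following added example (not code from the article or from IDenticard; the salt and password values are constructed) reproduces the Base64-encoded MD5 of salt + password scheme the researchers describe, shows an audit check that spots stored values still in that 16-byte format, and pairs it with a PBKDF2-HMAC-SHA256 replacement plus a verify-then-rehash migration path. The point is the contrast: MD5 has no work factor, so a stored value in this form protects a password only as well as the password's own guessability.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values; nothing here comes from a real installation.
SAMPLE_SALT = b"a1b2c3d4"
SAMPLE_PASSWORD = "Badge-example-1"


def legacy_hash(salt, password):
    """The weak scheme described in the advisory: Base64(MD5(salt + password)).

    MD5 is fast and has no tunable cost, so offline guessing against a dumped
    table is cheap; the salt only stops precomputed tables, not brute force.
    """
    digest = hashlib.md5(salt + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def looks_like_legacy_hash(stored):
    """Audit check: a Base64 string that decodes to exactly 16 bytes (MD5 size)
    is flagged as a credential field still using the weak format."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 16


def strong_hash(password, salt=None, iterations=600_000):
    """Replacement: PBKDF2-HMAC-SHA256 with a random 16-byte salt and a high
    iteration count, serialized so the parameters travel with the hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_strong(password, stored):
    """Constant-time comparison of a candidate password against a stored hash."""
    scheme, iterations, salt_b64, dk_b64 = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(iterations))
    return hmac.compare_digest(actual, expected)


def migrate(stored_legacy, salt, password):
    """On a successful login, check the legacy value and return a replacement
    strong hash to store; return None if the password does not match."""
    if not hmac.compare_digest(legacy_hash(salt, password), stored_legacy):
        return None
    return strong_hash(password)


if __name__ == "__main__":
    old = legacy_hash(SAMPLE_SALT, SAMPLE_PASSWORD)
    print("legacy value:", old, "flagged:", looks_like_legacy_hash(old))
    new = migrate(old, SAMPLE_SALT, SAMPLE_PASSWORD)
    print("migrated to:", new)
    print("verify ok:", verify_strong(SAMPLE_PASSWORD, new))
```

Rehashing on next successful login is the usual way to retire a weak scheme without forcing a reset; the audit function is there so that the remaining legacy rows can be counted and a deadline set for the accounts that never log in.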
Researchers say that the vulnerabilities affect PremiSys systems running firmware version 3.1.190, and possibly others. Because the vendor did not cooperate with the researchers or with US-CERT, no patch is available yet.
A patch should be released as fast as the company can manage, because, according to its website, IDenticard has tens of thousands of customers around the world, including government agencies, Fortune 500 companies, K-12 schools, universities, medical centers, and others.
For now, the only recommendation for companies that use PremiSys systems is to reduce the risk of compromise by segmenting their network so that systems like PremiSys are isolated from internal and external threats as much as possible.
We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your machine is running. If you are a company, we recommend hiring a specialized cybersecurity company that will run annual tests on your company’s network; such tests include penetration testing and ethical hacking.