An IDenticard building access control system contains vulnerabilities that could let an attacker create fake badges, disable door locks, and modify user data, researchers said.
IDenticard’s PremiSys is an access control and photo ID product. Its access control features include granting or restricting access to specific doors, locking down facilities, controlling door alarms, viewing integrated surveillance video, and creating detailed reports.
PremiSys suffers from serious vulnerabilities, one of which relates to a hardcoded backdoor account that can give an attacker admin access to the service, said James Sebree, a researcher at Tenable. This access can be leveraged to enter the badge system database and modify its content.
PremiSys stores credentials and other sensitive data using a weak hashing method, researchers said.
They also found that backups and the database installed by the IDenticard service are protected by default passwords that are easy to obtain and that the user cannot change.
The CVE identifiers CVE-2019-3906 through CVE-2019-3909 have been assigned to these vulnerabilities.
An attacker could exploit these security holes to enter buildings by creating fake badges and disabling door locks, the researcher said. An attacker could also download the entire content of the user database, and modify or delete data.