Digital systems that let visitors check in and get access badges have become increasingly common in office buildings, but researchers from IBM say some of the devices have hidden flaws that could render facilities insecure.
“We found that you could break out of the kiosk and interact with the underlying Windows operating systems, and from there do things like drop malware or open up the database,” says Daniel Crowley, research director at the IBM X-Force Red security unit.
Accessing the database could reveal who else was visiting the office, which could itself be sensitive information, or let someone impersonate an expected visitor to get into offices without permission.
“Knowing, for instance, that the CEO of a related company has been visiting every day for the last few weeks would be valuable intelligence to collect,” Crowley wrote in a blog post. “Depending on what data the visitor management system stores, there may be an opportunity for identity theft as well.”
The systems are mostly designed so they can be used without an attendant, but exactly how they’re deployed likely varies from site to site, Crowley says.
The actual research was conducted by two summer college interns, Hannah Robbins and Scott Brink, with guidance from the X-Force Red team. The researchers probed the software for the devices, although they didn’t investigate any cloud-based visitor tracking tools. Crowley says he got the idea for the research, which is being presented at the RSA Conference in San Francisco, after noticing there hadn’t been much published research into security issues around visitor management systems.
Affected systems include Lobby Track Desktop, EasyLobby Solo, eVisitorPass, Envoy Passport, and The Receptionist for iPad. IBM notified the system vendors so they could patch the systems as needed before the vulnerabilities were disclosed, Crowley says.