Visitor management kiosks serve as a convenient means to control and manage the inflow of visitors and guests. Nonetheless, like any other technology that relies on automation, these systems can also pose security risks. Researchers have reportedly discovered numerous security flaws in multiple visitor management systems, and these vulnerabilities could result in serious damage.
Security Bugs In Visitor Management Systems
Researchers from the IBM X-Force Red team have discovered a number of serious security flaws in multiple visitor management systems. Specifically, two interns on the X-Force Red research team analyzed five different visitor management kiosk systems and found 19 distinct vulnerabilities in them. These vulnerabilities could have varied consequences, including information disclosure and granting access to potential attackers.
Interns Scott Brink and Hannah Robbins assessed the security of the visitor management systems. The systems evaluated by the duo include Lobby Track Desktop (by Jolly Technologies), EasyLobby Solo (by HID Global), eVisitorPass (by Threshold Security), Envoy Passport (Envoy), and The Receptionist (The Receptionist).
Of these five, all but The Receptionist exhibited multiple security flaws. The Receptionist had only one low-severity vulnerability (CVE-2018-17502), which could result in information disclosure. Two vulnerabilities (CVE-2018-17499 and CVE-2018-17500) were found in Envoy Passport, both of which could result in the disclosure of sensitive information.
The researchers discovered five different vulnerabilities in eVisitorPass. Four of these (CVE-2018-17493, CVE-2018-17494, CVE-2018-17495, and CVE-2018-17496) could lead to privilege escalation, while CVE-2018-17497 concerned default admin credentials that could give a potential attacker access if exploited.
In the case of EasyLobby Solo, the researchers identified four different vulnerabilities, each with a different impact if exploited. Lobby Track Desktop had the highest number of vulnerabilities, seven, with impacts including information disclosure, security bypass, and privilege escalation.
Patches On The Way
IBM X-Force Red confirmed that it duly reported the flaws to all of the vendors. As stated in its report,
“Details for the vulnerabilities disclosed by our X-Force Red team have been provided to the affected vendors in advance in order to allow time for an official fix to be developed and released in advance of this publication.”
That means these products should now be safe for customers, provided they ensure their systems have been duly updated with the patches.