Flaw Found in Biometric ID Devices

A critical vulnerability has been uncovered in far more than 10 units that use biometric identification to manage obtain to shielded parts.

The flaw can be exploited to unlock doors and open up turnstiles, offering attackers a way to bypass biometric ID checks and bodily enter managed spaces. Performing remotely, threat actors could use the vulnerability to operate instructions without the need of authentication to unlock a door or turnstile or induce a terminal reboot so as to lead to a denial of company.

Beneficial Technologies researchers Natalya Tlyapova, Sergey Fedonin, Vladimir Kononovich, and Vyacheslav Moskvin discovered the flaw, which impacts 11 biometric identification devices manufactured by IDEMIA. 

The group mentioned that the impacted equipment are in use in the “world’s greatest economical establishments, universities, healthcare corporations, and critical infrastructure services.” 

The critical vulnerability (VU-2021-004) has been given a rating of 9.1 out of 10 on the CVSS v3 scale, with 10 becoming the most severe.

“The vulnerability has been recognized in several strains of biometric readers for the IDEMIA ACS [access control system] geared up with fingerprint scanners and combined gadgets that examine fingerprints and vein patterns,” mentioned Vladimir Nazarov, head of ICS Security at Favourable Technologies. 

He added: “An attacker can potentially exploit the flaw to enter a secured location or disable entry manage programs.”

The IDEMIA units impacted by the vulnerability are MorphoWave Compact MD, MorphoWave Compact MDPI, MorphoWave Compact MDPI-M, VisionPass MD, VisionPass MDPI, VisionPass MDPI-M, SIGMA Lite (all variations), SIGMA Lite+ (all variations), SIGMA Huge (all versions), SIGMA Intense, and MA VP MD.

Enabling and effectively configuring the TLS protocol in accordance to Segment 7 of the IDEMIA Secure Installation Guidelines will reduce the vulnerability. 

IDEMIA has stated it will make TLS activation necessary by default in future firmware versions.

This isn’t really the 1st time Good Systems scientists have learned a flaw in IDEMIA equipment. In July 2021, IDEMIA set 3 buffer overflow and path traversal vulnerabilities identified by the cybersecurity company’s staff. 

Underneath sure problems, these prior vulnerabilities authorized an attacker to execute code, or to achieve examine and create accessibility to any file from the gadget. IDEMIA released firmware updates to mitigate the security vulnerabilities.

Some parts of this article are sourced from:
www.infosecurity-journal.com