Widely used building access system can be easily compromised

A researcher has discovered several egregious vulnerabilities in the PremiSys IDenticard building access management system, some of which could allow attackers to take control of the vulnerable system, create rogue access badges, and more.

The vulnerabilities are present in version 3.1.190 of the software and it is unknown whether they have been fixed, as the Brady Corporation – IDenticard’s parent company – has yet to offer a comment on the revelation.


The vulnerabilities

James Sebree, a security researcher with Tenable, probed the PremiSys IDenticard software for vulnerabilities.

He discovered four:

  • CVE-2019-3906 – Hardcoded credentials that provide administrator access to the entire service via the PremiSys Windows Communication Foundation (WCF) Service endpoint
  • CVE-2019-3907 – Weak encryption of stored user credentials and other sensitive information
  • CVE-2019-3908 – System backups are stored in password-protected files that can be unzipped by using a hardcoded password (“ID3nt1card”)
  • CVE-2019-3909 – Default database username and password (“PremisysUsr” / “ID3nt1card”).

“Most people don’t realize that many companies rely on third parties to install and maintain their badge systems,” Sebree said, explaining the danger.

“It isn’t uncommon for these third parties to install the systems with default settings and leave, only to come back months later to apply updates for a fee. This is where priorities become skewed. The access control vendor makes software that a third party installs for a customer. The customer uses what they need while leaving many features unused but still enabled. This leads to unnecessary cyber exposure of critical physical security infrastructure, and a possible entrypoint into the digital infrastructure.”

Vulnerability disclosure

Sebree tried to contact the vendor and responsibly disclose the flaws so that they could fix them before he published his research, but hasn’t heard back from them. CERT’s efforts to do the same were equally unsuccessful.

Sebree also couldn’t get his hands on a newer version of the software to check whether the vulnerabilities had been quietly fixed, so Tenable advises users to never open these systems to the internet and to isolate them from the rest of the network.

UPDATE (February 5, 2019, 4:50 AM PT):

IDenticard has released updated software, Version 4.1, to address the hard-coded credential vulnerability (CVE-2019-3906). Inadequate encryption strength (CVE-2019-3907) and use of hard-coded password (CVE-2019-3908) are in the process of being fixed, with an update expected February 2019.

These software updates will be provided free of charge. Users can contact the IDenticard Technical Support Team for additional information.

The company also recommends users change the Service Database default username and password.