“White-hat” cyber security company Tenable last month discovered a potentially catastrophic flaw in PremiSys, an access control system from IDenticard. The hardcoded credentials that Tenable found in the firm’s devices provide administrator access to the entire service through an endpoint that controls the system.
This means that anyone with those passwords would be able to modify the contents or even dump the entire badge system database, in addition to a variety of other processes, without obstacles. A malicious attacker discovering those passwords could disrupt building operation, block entry/exit for occupants, or allow physical access to unauthorized persons.
Researchers at the Maryland-based Tenable found the username and password – “PremisysUsr” / “ID3nt1card” – hardcoded into the database configuration as a default. Tenable claim that the configuration file contains an encrypted form of the default password, and that the only way for customers to change their password is to request an encrypted version of their desired username and password directly from the vendor. However, until the customer understands the problem and pursues the solution, their systems are vulnerable.
Furthermore, Tenable researchers found that ID backups are stored in a password-protected .zip file, and that file’s password – ID3nt1card – is hardcoded in the application. A range of other sensitive information, such as user credentials, is also stored as Base64-encoded MD5 hashes of ‘salt + password’, a scheme that is widely accepted as being easy to reverse by guessing.
Tenable presented the issues to IDenticard and its parent company, The Brady Corporation. After 45 days, they registered the issue with the US Computer Emergency Readiness Team. The three flaws have now been cataloged as CVE-2019-3906 to CVE-2019-3909, and Tenable recommends that customers limit traffic to affected machines but warns that doing so may adversely affect how the system works as a whole.
“Because there is no vendor patch, affected users will have to attempt to mitigate these vulnerabilities,” states a Tenable blog post. “Systems like this should never be open to the internet and users should ensure proper network segmentation is in place to isolate this critical system.” According to Tenable, these flaws were still present in PremiSys version 3.1.190, tested on January 9th, 2019.
“While badge systems should be isolated from the rest of the network, we all know that not everyone is going to follow best practices,” James Sebree, a researcher for Tenable, wrote in a Medium post. “If a company is depending on it for physical security, simple and critical software errors like these have to be taken seriously.”
IDenticard is not the only firm leaving hardcoded passwords in its systems. Last month, a different study identified hardcoded credentials in Schneider Electric’s EVlink electric vehicle charging stations. In December, another research team discovered hardcoded security keys in the popular home security device Guardzilla, which were rendered vulnerable by an outdated algorithm.
Hardcoding passwords or security keys into systems has become common in software, devices, firmware, and DevOps tools, whether to make life easy for system developers, to enable superuser access, or for application-to-application and database communications. Hardcoded passwords are particularly dangerous because they are easy targets for password-guessing attacks, allowing hackers and malware to hijack firmware, devices, systems, and software. Once attackers find the hardcoded password for one device, it will usually provide access to all similar devices, which can provide the ammunition for large-scale DDoS attacks such as Mirai in 2016.
In October 2016 hackers took control of IoT-enabled devices such as video surveillance cameras and printers by taking advantage of hardcoded passwords. The Mirai botnet used the devices to run a synchronized barrage of requests to overwhelm the popular DNS service Dyn, which in turn took Twitter, Spotify, Reddit, and other major websites offline. “In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters,” tweeted Jeff Jarmoc, head of security for global business service Salesforce, shortly after the incident.
— Jeff Jarmoc (@jjarmoc), tweet of October 22, 2016
In this emerging interconnected world, a single weakness in a single device can put the whole system or building at risk. Critical infrastructure and high-value assets are protected by cyber security experts, but the average customer is unaware that they are buying devices that create serious vulnerabilities for their building. For the connected technology sector, these kinds of oversights reduce consumer confidence in connected devices and slow the growth of the sector. Let’s not wait for another Mirai, or worse, before we decide to make the necessary changes to the security culture around connected devices.