Flaw Found in Biometric ID Devices

A critical vulnerability has been discovered in more than ten devices that use biometric identification to control access to protected areas.

The flaw can be exploited to unlock doors and open turnstiles, giving attackers a way to bypass biometric ID checks and physically enter controlled spaces. Acting remotely, threat actors could use the vulnerability to run commands without authentication to unlock a door or turnstile or trigger a terminal reboot so as to cause a denial of service.

Positive Technologies researchers Natalya Tlyapova, Sergey Fedonin, Vladimir Kononovich, and Vyacheslav Moskvin found the flaw, which impacts 11 biometric identification devices made by IDEMIA. 

The team said that the impacted devices are in use in the “world’s largest financial institutions, universities, healthcare organizations, and critical infrastructure facilities.” 

The critical vulnerability (VU-2021-004) has received a score of 9.1 out of 10 on the CVSS v3 scale, with 10 being the most severe.

“The vulnerability has been identified in several lines of biometric readers for the IDEMIA ACS [access control system] equipped with fingerprint scanners and combined devices that analyze fingerprints and vein patterns,” said Vladimir Nazarov, head of ICS Security at Positive Technologies. 

He added: “An attacker can potentially exploit the flaw to enter a protected area or disable access control systems.”

The IDEMIA devices affected by the vulnerability are MorphoWave Compact MD, MorphoWave Compact MDPI, MorphoWave Compact MDPI-M, VisionPass MD, VisionPass MDPI, VisionPass MDPI-M, SIGMA Lite (all versions), SIGMA Lite+ (all versions), SIGMA Wide (all versions), SIGMA Extreme, and MA VP MD.

Enabling and correctly configuring the TLS protocol according to Section 7 of the IDEMIA Secure Installation Guidelines will eliminate the vulnerability. 

IDEMIA has said it will make TLS activation mandatory by default in future firmware versions.

This isn’t the first time Positive Technologies researchers have discovered a flaw in IDEMIA devices. In July 2021, IDEMIA fixed three buffer overflow and path traversal vulnerabilities identified by the cybersecurity company’s team. 

Under certain conditions, these prior vulnerabilities allowed an attacker to execute code or to gain read and write access to any file on the device. IDEMIA released firmware updates to mitigate the security vulnerabilities.

By admin