March 4, 2019 05:51 pm PST

Automated reception kiosks are a security dumpster fire

Hannah Robbins and Scott Brink, two student interns at IBM's X-Force Red division, set out to study potential vulnerabilities in the sign-in reception kiosks found at many offices and retailers, and discovered 19 bugs in kiosks from industry leaders Jolly Technologies, HID Global, Threshold Security, Envoy, and The Receptionist (the vendors say they have now patched these bugs).

The defects the interns discovered variously allowed attackers to dump the full contents of the reception system's databases (including Social Security Numbers and scanned driver's licenses), overwrite/delete/alter entries for previous visitors, and more.

Though the interns did yeoman work in surfacing these defects, the fact that a pair of relatively junior security practitioners were able to find all these showstopper bugs bodes ill for the whole category, which has not been subject to much independent scrutiny (yet).

I encounter these systems often, including in places like doctor's offices and schools, which sometimes ask you to scan sensitive IDs and input other sensitive information. I'd always had a bad feeling about them, so it's a little alarming to get hard data to support that impressionistic anxiety.

Crawley says he would like to look more deeply in the future at visitor management systems that integrate with RFID door locks and can directly issue badges. Compromising one of those would not only potentially give an attacker extensive physical access within a target organization, but could also enable other digital compromises across the victim's networks. And researchers have certainly found vulnerabilities in electronic access control systems over the years, and continue to.

Original Link: http://feeds.boingboing.net/~r/boingboing/iBag/~3/es9OA_4rPOI/self-serve-attack-surface.html
