Businesses' visitor management systems vulnerable to cyber attacks

Business ID badge for visitor management systems

Visitor management systems such as self-service reception kiosks are at risk to a wealth of security vulnerabilities, according to research from IBM.

These management systems are becoming more common as businesses pursue the automation route instead of hiring human receptionists for kiosk attendants. They allow businesses to autonomously authenticate new visitors to a building, provide them with a badge and/or grant access levels to manage their movement in the building.

IBM X-Force Red researchers found 19 vulnerabilities in these systems which could lead to a data leak including exposure of logs, contact information and details of corporate activities. The researchers are also concerned that the vulnerabilities could be used to compromise corporate networks, using the vulnerability as a foothold to launch further attacks.

'Even if the visitor management system is not connected to any network and does not issue badges, it still holds data about visitors, which can be a boon to competitors and inside traders," said IBM in a security blog. "Knowing, for instance, that the CEO of a related company has been visiting every day for the last few weeks could be valuable intelligence to collect. Depending on what data the visitor management system stores, there may be an opportunity for identity theft as well."

Although the research team is keeping most of the details about the vulnerabilities strictly under wraps, just the team and the alerted vendors are aware, we do know that one of the flaws in the systems related to default admin credentials.

Some of the visitor management systems hosted applications which had admin status as a default setting which would allow complete control over the application. Other vulnerabilities allowed attackers to use Windows hotkeys and simple help or print dialogues to exit the visitor management system and interact with Windows instead.

"If a visitor management system is working properly, it should be easier to identify which visitors are legitimate and if they should be allowed to move throughout the campus unescorted," said IBM.

Although the use of visitor management systems is more common in the hospitality sector, businesses across the board should be paying attention to things like this.

We reported in December 2018 on how cyber attackers posing as workmen and job interviewees were able to simply waltz into eight European banks and implant Raspberry Pi devices which compromised the bank's IT. From there, these unverified individuals were able to take millions from the banks.

Physical, on-premise attacks like these were just one of the possible consequences IBM detailed in the report. Others include network attacks; if an attacker could leave the kiosk interface and interact with Windows, then attacks could be launched on a company without the attacker having access to the building.

The affected companies have been notified and have issued or plan to issue patches to the known vulnerabilities in their products.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.