A critical vulnerability has been found in more than 10 devices that use biometric identification to control access to secured areas.
The flaw can be exploited to unlock doors and open turnstiles, giving attackers a way to bypass biometric ID checks and physically enter controlled areas. Acting remotely, threat actors could use the vulnerability to run commands without authentication to unlock a door or turnstile, or to trigger a terminal reboot and so cause a denial of service.
Positive Technologies researchers Natalya Tlyapova, Sergey Fedonin, Vladimir Kononovich, and Vyacheslav Moskvin discovered the flaw, which affects 11 biometric identification devices made by IDEMIA.
The team reported that the affected devices are in use in the “world’s leading financial institutions, universities, healthcare organizations, and critical infrastructure facilities.”
The critical vulnerability (VU-2021-004) has received a score of 9.1 out of 10 on the CVSS v3 scale, where 10 is the most critical.
“The vulnerability has been identified in several lines of biometric readers for the IDEMIA ACS [access control system] equipped with fingerprint scanners and combined devices that analyze fingerprints and vein patterns,” said Vladimir Nazarov, head of ICS Security at Positive Technologies.
He added: “An attacker can potentially exploit the flaw to enter a protected area or disable access control systems.”
The IDEMIA devices affected by the vulnerability are MorphoWave Compact MD, MorphoWave Compact MDPI, MorphoWave Compact MDPI-M, VisionPass MD, VisionPass MDPI, VisionPass MDPI-M, SIGMA Lite (all versions), SIGMA Lite+ (all versions), SIGMA Large (all versions), SIGMA Extreme, and MA VP MD.
Enabling and correctly configuring the TLS protocol in accordance with Section 7 of the IDEMIA Secure Installation Guidelines will remove the vulnerability.
IDEMIA has said it will make TLS activation mandatory by default in future firmware versions.
This isn’t the first time Positive Technologies researchers have found a flaw in IDEMIA products. In July 2021, IDEMIA fixed three buffer overflow and path traversal vulnerabilities identified by the cybersecurity firm’s team.
Under certain conditions, those earlier vulnerabilities allowed an attacker to execute code, or to gain read and write access to any file on the device. IDEMIA released firmware updates to mitigate the security vulnerabilities.