The need to control who can access an organization’s facilities is critical to keeping corporate assets secure. To address that issue, more and more organizations have implemented access control systems, requiring authorized personnel to use specific credentials--such as PIN numbers, biometrics or key cards--to enter a facility or specific areas of a facility. Just as importantly, these systems monitor and report on suspicious activity, such as someone trying to unlock a door he or she isn't authorized to unlock. The security provided by access control systems is vital, which is why the discovery of dangerous exposures in a leading access control system is so troubling.
Tenable Research uncovered four zero-day vulnerabilities in IDenticard’s PremiSys access control system—exposures that could allow unauthorized personnel to easily enter premises. The first was the use of hard-coded credentials, which could give anyone with access to the management software administrative privileges. The others were the use of a weak encryption method, a password hard-coded into the application, and the use of default database credentials.
As unsettling as these access control vulnerabilities may be, they are not as uncommon as you might think, says Daniel Kennedy, research director for information security at 451 Research.
“Many of these systems are installed for non-technical or limited technical users, like schools installing a physical badge access system; so often, parameters like default settings aren't updated,” he said. “And many applications are still being written without any policies or static/dynamic/composition analysis during the software construction or testing process.”
In a recent blog post, Tenable senior researcher James Sebree pointed out that there are more parts to the access control vulnerability puzzle.
“Most people don’t realize that many companies rely on third parties to install and maintain their badge systems,” he wrote. “It isn’t uncommon for these third parties to install the systems with default settings and leave, only to come back months later to apply updates for a fee.”
Sebree goes on to say that while the access control manufacturer may intend the installer to change default settings, that doesn’t always happen, leaving pathways exposed.
Another problem, Kennedy noted, is that many of these physical access control systems, similar to SCADA or industrial control systems, were never designed to be internet-accessible.
“That’s Tenable’s general point--that this problem is emblematic of a trend in this type of software, because you can't design software without understanding that some customers will expose it as everything is becoming more connected.”
Taking note of these challenges may be the key to preventing these types of vulnerabilities in the future. IT professionals installing access control technology should be sure to keep up with patches, change defaults, perform vulnerability testing and segment their networks. At the same time, vendors writing application security software should build in a testing tool, Kennedy advised.
Even without a built-in testing tool, there are ways to test access control systems using standalone tools. Examples include static application security testing (SAST) tools, which look for vulnerabilities in source code or binaries; dynamic application security testing (DAST) tools, which test running web applications for vulnerabilities; interactive application security testing (IAST) tools, which run in the background and identify security issues in applications as they execute; and software composition analysis (SCA) tools, which examine open source components for known vulnerabilities. There are also general vulnerability assessment solutions that look for vulnerabilities across an IT environment.
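As an illustration of the kind of static check described above (added here; not Tenable's, IDenticard's or any vendor's tool), the following script flags the three weakness classes named in the PremiSys findings: hard-coded credentials, default database credentials and weak cryptographic primitives. The sample input, the default-login list and the variable names are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an access control server's configuration/source.
# Every value here is invented for this example; none is a real vendor default.
SAMPLE = """\
# constructed sample: not real vendor code
DB_USER = "sa"
DB_PASSWORD = ""
ADMIN_PASSWORD = "Passw0rd!"
cipher = Cipher(algorithms.TripleDES(key), modes.ECB())
digest = hashlib.md5(data).hexdigest()
token = os.environ.get("SERVICE_TOKEN")
"""

# A secret-looking name assigned a string literal, e.g. ADMIN_PASSWORD = "...".
HARDCODED = re.compile(
    r'(?i)\b\w*(password|passwd|secret|api_key|token)\w*\s*=\s*(["\'])(.*?)\2')
# Any simple NAME = "value" assignment, collected so credential pairs can be compared.
ASSIGNMENT = re.compile(r'\s*(\w+)\s*=\s*(["\'])(.*?)\2')
# Primitives a reviewer would question in a new design (case-insensitive).
WEAK_CRYPTO = re.compile(r'(?i)\b(DES|TripleDES|3DES|RC4|MD5|SHA1|ECB)\b')
# Constructed list of well-known default database logins (user, password);
# a real check would use the vendor's documented defaults instead.
DEFAULT_DB_CREDS = {("sa", ""), ("root", ""), ("admin", "admin"), ("postgres", "postgres")}


def scan(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, category, evidence) findings in encounter order."""
    findings: List[Tuple[int, str, str]] = []
    assigned: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if HARDCODED.search(line):
            findings.append((lineno, "hardcoded-credential", stripped))
        if WEAK_CRYPTO.search(line):
            findings.append((lineno, "weak-crypto", stripped))
        m = ASSIGNMENT.match(line)
        if m:
            assigned[m.group(1).upper()] = m.group(3)
    # Default database credentials are a property of the (user, password) pair,
    # so they are checked once after all assignments have been collected.
    user, password = assigned.get("DB_USER"), assigned.get("DB_PASSWORD")
    if user is not None and password is not None and (user, password) in DEFAULT_DB_CREDS:
        findings.append((0, "default-db-credential", f"DB_USER={user!r} DB_PASSWORD={password!r}"))
    return findings
```

Note that the `token` line read from the environment is deliberately not flagged: the check targets literals baked into the application, which is the defect the PremiSys findings describe.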
Beyond that, it’s about due diligence by the buyer, Kennedy said.
“Buyers can insist that default settings are modified or that a technology provider submit the results of their most recent security tests on their products,” he said. “They can include a checklist of security requirements, processes around what will happen if a security vulnerability is found, and contractual requirements on required notifications in case of a data breach or serious problem being identified.”