One of the nation’s leading purveyors of security access badges and plastic ID cards is scrambling to patch multiple vulnerabilities in its system, which could allow attackers to covertly enter secured buildings and obtain top-level access privileges, granting them the ability to modify a building’s list of authorized visitors.
Cybersecurity firm Tenable Research on Tuesday disclosed multiple zero-day vulnerabilities discovered in the PremiSys software developed by IDenticard, a company whose photo ID software and access control systems are widely used by federal, state, and local government agencies. The company also says its customers, which number in the tens of thousands, include K-12 schools, colleges and universities, as well as medical centers, factories, and an undisclosed number of Fortune 500 companies.
The most critical flaw uncovered by Tenable would enable an attacker to manufacturer their own custom, counterfeit ID cards, and potentially disable locks at a user facility, according to researchers.
Tenable said that multiple attempts to contact the company before disclosing the vulnerabilities failed—something that IDenticard’s parent company, the billion-dollar Wisconsin manufacturer Brady Corporation, was quick to own up to.
“We take the issues identified by Tenable, a leading third party cyber security research company, seriously and are looking to incorporate their feedback into our ongoing product development cycle. PremiSys™ System software is constantly evolving and we appreciate the diligence Tenable outlined in their messages to us,” a Brady spokesperson told Gizmodo by email.
They noted that, “regrettably,” Tenable’s messages to the company were overlooked. “This is unacceptable for us and we are currently reviewing our inbound communication practices to ensure it does not happen in the future. We welcome any engagement from Tenable regarding this matter,” they said.
The company added that it intends to address the problems “in the near term,” and would be contacting its customers with news of any developments.
An online search shows that Brady Corporation has had numerous contracts with federal government agencies, including the Departments of Defense, Justice, State, Homeland Security, and Office of Personnel Management, to name a few. However, it’s unclear whether any of these agencies are using the affected PremiSys software, or have merely purchased other products sold by company.
Other publicly available documents show that the PremiSys system has been used of late by an office of City of New York, as well as offices of the U.S. Navy and Army, in addition to numerous municipal and city government offices.
The flaws discovered by Tenable reportedly include antiquated and easily cracked password encryption; a hard-coded password for accessing backup files—meaning it cannot be altered by users; and default credentials available upon installation, which cannot be changed without IDenticard’s assistance.
The cybersecurity firm said the U.S. Computer Emergency Readiness Team, which operates under the Department of Homeland Security, has been notified.
“The digital era has brought the cyber and physical worlds together thanks, in part, to the adoption of IoT. An organization’s security purview is no longer confined by a firewall, subnets, or physical perimeter—it’s now boundaryless,” said Tenable cofounder and CTO Renaud Deraison. “This makes it critically important for security teams to have complete visibility into where they are exposed and to what extent.”
Deraison added that, in the “new world of IoT,” many manufacturers have failed to properly assess the risk of unpatched software. “In this case, organizations that use PremiSys for access control are at a huge risk as patches are not available.”
Tenable said that users should segment their network to isolate PremiSys from internal and external threats as much as possible. The vulnerabilities—CVE-2019-3906, CVE-2019-3907, CVE-2019-3908, CVE-2019-3909—affect software version 3.1.190.