Hardcoded default passwords have been found in a popular building access control system, and the company behind the product has failed to release patches to fix the issue, according to researchers from cybersecurity company Tenable.
Tenable said it discovered four vulnerabilities in a version of PremiSys, an access control system run by Manheim, Pennsylvania-based IDenticard.
The most glaring flaw was a set of hardcoded credentials providing administrator access to the entire service via an endpoint that controls the system. An attacker holding these credentials can dump the contents of the badge system database, modify its contents, or perform various other tasks with unfettered access.
The flaw is made worse by the fact that users cannot change these credentials. Tenable recommends limiting traffic to this machine, but that may adversely affect how the entire system works.
Researchers for the Columbia, Maryland, company also found a different vulnerability that would allow attackers into a database of information stored on identification cards. An administrative username and password of “PremisysUsr” / “ID3nt1card” is coded into the database configuration by default. According to Tenable, that configuration file contains an encrypted form of the default password that users can’t change themselves. In order to change it, users must request an encrypted version of their desired username and password directly from the vendor, which can then be copied into the configuration file.
Additionally, Tenable researchers found that ID backups are stored in a password-protected .zip file, and that file’s password — ID3nt1card — is hardcoded in the application. Other sensitive information, such as user credentials, is stored using a scheme (Base64-encoded MD5 hashes of salt + password) that is known to be weak.
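The credential storage the article describes, as an added example (not IDenticard’s or Tenable’s code): the weak scheme reproduced as the article states it, beside a PBKDF2-based replacement and a small audit helper that a defender could run over a credential table to find legacy-format entries and re-hash them on the user’s next successful login. The salt-then-password concatenation order, the “24-character Base64 of 16 bytes” fingerprint for legacy entries, the iteration count and all function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

# Weak scheme as the article describes it: Base64(MD5(salt + password)).
# Constructed reproduction, not the vendor's code; salt-then-password order is assumed.
def weak_hash(salt: bytes, password: str) -> str:
    digest = hashlib.md5(salt + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def weak_verify(salt: bytes, password: str, stored: str) -> bool:
    # MD5 is designed to be fast, so every candidate guess against a dumped
    # table costs a single cheap digest; that is why this scheme is rated weak.
    return hmac.compare_digest(weak_hash(salt, password), stored)


# Hardened replacement (assumed parameters): per-user random salt plus
# PBKDF2-HMAC-SHA256 with a deliberately high iteration count.
PBKDF2_ITERATIONS = 600_000  # cost knob; tune so a verify takes ~100 ms on the server
PBKDF2_ALGO = "pbkdf2_sha256"


def strong_hash(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing 'algo$iterations$salt$hash' string."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([PBKDF2_ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def strong_verify(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != PBKDF2_ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iters), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def classify_stored(stored: str) -> str:
    """Audit helper: label a stored credential as 'pbkdf2_sha256', 'legacy-md5' or 'unknown'.

    The legacy fingerprint (Base64 text that decodes to exactly 16 bytes, the MD5
    digest length) is a heuristic assumed for this example.
    """
    if stored.startswith(PBKDF2_ALGO + "$"):
        return PBKDF2_ALGO
    try:
        raw = base64.b64decode(stored, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    return "legacy-md5" if len(raw) == 16 else "unknown"


def rehash_on_login(legacy_salt: bytes, password: str, stored: str,
                    iterations: int = PBKDF2_ITERATIONS):
    """Verify a login and, if the record is legacy-format, return an upgraded record.

    Returns (ok, stored_record). The caller persists stored_record when ok is True;
    this is the usual migration path when the old scheme cannot be re-hashed offline.
    """
    kind = classify_stored(stored)
    if kind == PBKDF2_ALGO:
        return strong_verify(password, stored), stored
    if kind == "legacy-md5" and weak_verify(legacy_salt, password, stored):
        return True, strong_hash(password, iterations)
    return False, stored


if __name__ == "__main__":
    # Constructed sample: one legacy record and one hardened record.
    legacy = weak_hash(b"example-salt", "example-password")
    modern = strong_hash("example-password")
    print("legacy record:", legacy, "->", classify_stored(legacy))
    print("modern record:", modern.split("$")[0], "->", classify_stored(modern))
    ok, upgraded = rehash_on_login(b"example-salt", "example-password", legacy)
    print("login ok:", ok, "| upgraded to:", classify_stored(upgraded))
```

The point of `classify_stored` is that a defender who cannot obtain a vendor patch can at least inventory which records still sit in the weak format and drive their replacement from the application side; the verification functions use `hmac.compare_digest` so that the comparison itself does not leak timing information.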
The flaws have been catalogued as CVE-2019-3906 through CVE-2019-3909.
“Because there is no vendor patch, affected users will have to attempt to mitigate these vulnerabilities,” a Tenable blog post reads. “Systems like this should never be open to the internet and users should ensure proper network segmentation is in place to isolate this critical system.”
After finding the flaws, Tenable researchers attempted to contact IDenticard in order to notify the vendor of their findings. After 45 days, Tenable turned to the U.S. Computer Emergency Readiness Team for further help in contacting IDenticard. Those attempts were unsuccessful, Tenable said.
According to Tenable, the flaws researchers uncovered were still present in the PremiSys version tested, 3.1.190, as of Jan. 9.
“While badge systems should be isolated from the rest of the network, we all know that not everyone is going to follow best practices,” James Sebree, a researcher for Tenable, wrote in a Medium post. “If a company is depending on it for physical security, simple and critical software errors like these have to be taken seriously.”
According to the company’s website, PremiSys is used to grant and restrict access to doors, lock down facilities, view integrated video, create detailed reports and provide organizations with a host of other access and building controls. The product is used by Fortune 500 companies, K-12 schools, universities, medical centers and government agencies.
IDenticard’s parent company, The Brady Corporation, did not return CyberScoop’s request for comment.
Hardcoding passwords or security keys into systems is widely frowned upon by security experts. Research released earlier Monday identified hardcoded credentials in Schneider Electric’s EVlink electric vehicle charging stations. Last month, researchers discovered hardcoded security keys in the popular home security device Guardzilla, which were rendered vulnerable by an outdated algorithm.