- January 14, 2022
The problem affects IDEMIA biometric readers used for access control: privileged commands can be executed on them via the management protocol.
Jan. 14, 2022 - Positive Technologies researchers Natalya Tlyapova, Sergey Fedonin, Vladimir Kononovich and Vyacheslav Moskvin have discovered a critical vulnerability (VU-2021-004) in IDEMIA biometric identification devices used in the world's largest financial institutions, universities, healthcare organizations and critical infrastructure facilities. By exploiting the flaw, which received a score of 9.1 on the CVSS v3 scale, attackers can unlock doors and turnstiles. Researchers say the forced use of TLS as a management protocol will help eliminate the risk of biometric identification bypass.
“The vulnerability has been identified in several lines of biometric readers for the IDEMIA ACS equipped with fingerprint scanners and combined devices that analyze fingerprints and vein patterns,” explains Vladimir Nazarov, Head of ICS Security, Positive Technologies. “An attacker can potentially exploit the flaw to enter a protected area or disable access control systems.”
A remote attacker can use the following commands without authentication:
- trigger_relay to unlock a door or turnstile if they are directly controlled by the terminal
- terminal_reboot to cause a denial of service
To eliminate the vulnerability, enable and correctly configure the TLS protocol according to Section 7 of the IDEMIA Secure Installation Guidelines. In future firmware versions, IDEMIA will make TLS activation mandatory by default.
Below is a list of devices affected by this vulnerability:
- MorphoWave Compact MD
- MorphoWave Compact MDPI
- MorphoWave Compact MDPI-M
- VisionPass MD
- VisionPass MDPI
- VisionPass MDPI-M
- SIGMA Lite (all versions)
- SIGMA Lite+ (all versions)
- SIGMA Wide (all versions)
- SIGMA Extreme
- MA VP MD
In July 2021, IDEMIA fixed three vulnerabilities discovered by Positive Technologies experts.
About Positive Technologies
Positive Technologies is a leading global provider of enterprise security solutions for vulnerability and compliance management, incident and threat analysis, and application protection. Commitment to clients and research has earned Positive Technologies a reputation as one of the foremost authorities on Industrial Control System, Banking, Telecom, Web Application, and ERP security, supported by recognition from the analyst community.