Receptionists or security guards are increasingly being replaced by self check-in kiosks for visitors to businesses, public buildings, schools, hotels, and hospitals. But, while these visitor management systems are an efficient way to control who enters a building, the technology can be compromised, creating serious security problems for the companies that deploy them, a new test shows.
In a recent probe by IBM's X-Force Red research team, white-hat hackers tested the security of five popular visitor management systems and found 19 previously undisclosed vulnerabilities.
Some of the kiosks had exposed ports that could allow a criminal to gain remote access by loading malware onto the device. With others, the hacking could be done by using the screen in the same way that any visitor would.
"In some cases, it's not all that complicated. For one of the vulnerabilities, the bypass was just hitting the escape key," said Charles Henderson, global leader of IBM X-Force Red.
Automated visitor security is a relatively new technology that's expected to become more widely adopted in the next few years. The global market for visitor management systems was $824 million last year and should top $1.3 billion in 2025, according to MarketResearch.com.
"As with most new technologies, people are quick to put things into the market to try to prove their value, but they're not putting the same level of investment into making sure that it's secure," said Randy Vanderhoof, executive director of the Secure Technology Alliance, which promotes digital security. "The hackers and the fraudsters know this and so these devices are very ripe targets for them."
The major findings:
- Hackers could exploit vulnerabilities to access data such as visitor logs, contact information (driver's license numbers and, in some cases, Social Security numbers), and details of corporate activities.
- Several of the applications running on these VMS kiosks would allow attackers to get into corporate networks, a major security concern.
- Other vulnerabilities could be used to control the system with the same privileges as the operating software.
"Obviously, identity theft is a major concern, but there's also a lot of information that can be gleaned just by understanding the meetings that are going on at a company," Henderson told NBC News. For example, knowing that a management team from a related company has visited recently could signal future merger and acquisition activities.
Another possible threat: A criminal who can compromise the visitor management system might be able to enter the building with a valid visitor's badge. Some VMS kiosks issue badges that serve as keys to open locked doors, potentially allowing access to secure areas of the building.
"This is unacceptable on so many levels," said security awareness expert Robert Siciliano. "This research shows that unmonitored access control is not ready for prime time."
The companies selling these visitor management systems claim they can maximize front-desk efficiency and enhance security because these automated attendants can scan various forms of ID and screen visitors against criminal databases and internal red flag lists.
"The end result is a safer and more efficient work or school environment," one company boasts on its website. Another explains that sign-in sheets can let others see who's signed in, while their system "keeps everything confidential."
Henderson points out that replacing a clipboard with a database stored in a system that's not secure could do just the opposite.
"You've gone from maybe the clipboard getting stolen with that day's visitors' information being compromised to a magic box in the lobby. If it gets compromised, you're talking about six months, maybe six years' worth of visitor logs being compromised, however long that thing has been there," Henderson told NBC News.
Vyas Sekar, an associate professor in the department of electrical and computer engineering at Carnegie Mellon University, said any business that chooses to adopt an automated visitor check-in system needs to fully understand the security implications — especially if that system is connected to the corporate network.
"An attacker always looks for the weakest link, so if they find one of these systems that collects personal data and is network-connected, it's like a goldmine for them," Sekar said. "If these systems are not secured and a company does not have the right security practices in place, then that's a big security risk."
The IBM researchers told the five companies about the vulnerabilities they discovered and worked with them to create patches. The hope is that customers who receive the patches realize the importance of installing them and that manufacturers will establish proper security protocols and test their system for vulnerabilities.
"Don't be confused. A visitor management system is still a computer, and it still has the same vulnerabilities," IBM's Henderson said. "If you're not testing the system — when the criminals attack, they'll win."