Flaw Found in Biometric ID Devices

Published

on

nxtalpha aggregator

A critical vulnerability has been discovered in more than ten devices that use biometric identification to control access to protected areas.

The flaw can be exploited to unlock doors and open turnstiles, giving attackers a way to bypass biometric ID checks and physically enter controlled spaces. Acting remotely, threat actors could use the vulnerability to run commands without authentication to unlock a door or turnstile or trigger a terminal reboot so as to cause a denial of service.

Positive Technologies researchers Natalya Tlyapova, Sergey Fedonin, Vladimir Kononovich, and Vyacheslav Moskvin found the flaw, which impacts 11 biometric identification devices made by IDEMIA. 

The team said that the impacted devices are in use in the "world's largest financial institutions, universities, healthcare organizations, and critical infrastructure facilities." 

The critical vulnerability (VU-2021-004) has received a score of 9.1 out of 10 on the CVSS v3 scale, with 10 being the most severe.

“The vulnerability has been identified in several lines of biometric readers for the IDEMIA ACS [access control system] equipped with fingerprint scanners and combined devices that analyze fingerprints and vein patterns,” said Vladimir Nazarov, head of ICS Security at Positive Technologies. 

He added: “An attacker can potentially exploit the flaw to enter a protected area or disable access control systems.”

The IDEMIA devices affected by the vulnerability are MorphoWave Compact MD, MorphoWave Compact MDPI, MorphoWave Compact MDPI-M, VisionPass MD, VisionPass MDPI, VisionPass MDPI-M, SIGMA Lite (all versions), SIGMA Lite+ (all versions), SIGMA Wide (all versions), SIGMA Extreme, and MA VP MD.

Enabling and correctly configuring the TLS protocol according to Section 7 of the IDEMIA Secure Installation Guidelines will eliminate the vulnerability. 

IDEMIA has said it will make TLS activation mandatory by default in future firmware versions.

This isn't the first time Positive Technologies researchers have discovered a flaw in IDEMIA devices. In July 2021, IDEMIA fixed three buffer overflow and path traversal vulnerabilities identified by the cybersecurity company's team. 

Under certain conditions, these prior vulnerabilities allowed an attacker to execute code or to gain read and write access to any file on the device. IDEMIA released firmware updates to mitigate the security vulnerabilities.
