A defect was found in the biometric device

Critical vulnerabilities have been discovered in more than 10 devices that use biometrics to control access to protected areas.

This flaw can be exploited to unlock doors and open ticket gates, allowing an attacker to bypass biometric ID checks and physically enter a controlled space. Threat actors acting remotely could use this vulnerability to execute commands without authentication, unlock doors and ticket gates, or trigger a device restart to cause a denial of service.

Positive Technologies researchers Natalya Tlyapova, Sergey Fedonin, Vladimir Kononovich, and Vyacheslav Moskvin have discovered flaws affecting 11 biometric devices manufactured by IDEMIA.

The team said the affected devices are being used in “the world’s largest financial institutions, universities, medical institutions, and critical infrastructure facilities.”

The critical vulnerability (VU-2021-004) scored 9.1 out of 10 on the CVSS v3 scale, with 10 being the most serious.

“This vulnerability has been identified in several lines of IDEMIA ACS [access control system] biometric readers. It has a fingerprint scanner and a composite device that analyzes fingerprint and vein patterns,” said Vladimir Nazarov, Head of ICS Security at Positive Technologies.

“Attackers could exploit this flaw to break into protected areas or disable access control systems,” he added.

IDEMIA devices affected by this vulnerability are MorphoWave Compact MD, MorphoWave Compact MDPI, MorphoWave Compact MDPI-M, VisionPass MD, VisionPass MDPI, VisionPass MDPI-M, SIGMA Lite (all versions), SIGMA Lite+ (all versions), SIGMA Wide (all versions), SIGMA Extreme, and MA VPMD.

Enabling and properly configuring the TLS protocol according to Section 7 of the IDEMIA Secure Installation Guidelines eliminates the vulnerability.

IDEMIA states that future firmware versions will require TLS activation by default.

This is not the first time that Positive Technologies researchers have discovered a flaw in an IDEMIA device. In July 2021, IDEMIA fixed three buffer overflow and path traversal vulnerabilities identified by the cyber security company's team.

Under certain conditions, these previous vulnerabilities could allow an attacker to execute code or gain read and write access to any file from a device. IDEMIA has released a firmware update to mitigate security vulnerabilities.
