Critical bugs detected in GeoVision’s Fingerprint and Card Scanners.
GeoVision, the Taiwanese supplier of IP cameras and video surveillance systems, has recently fixed three of four vulnerabilities in its card and fingerprint scanners. The flaws could allow attackers to intercept network traffic and perform man-in-the-middle attacks against the scanners.
The bugs were found by enterprise security firm Acronis last year during a routine security audit at a large retailer in Singapore. According to Acronis's report, which was shared with The Hacker News, malicious actors can establish persistence on the network and spy on internal users or collect information without ever being identified. “They can reuse your fingerprint data to enter your home and/or personal devices, and photos can be easily reused by malicious actors to perpetrate identity theft based on biometric data”, the company explained.
The detected vulnerabilities affect at least six separate device families, with more than 2,500 vulnerable devices found exposed online across Brazil, the United States, Germany, Taiwan and Japan, out of thousands of devices that could be remotely compromised.
The first critical bug involves a previously undocumented root password that enables an attacker to access the device through a backdoor using the default password (“admin”) and log in to the compromised device remotely.
The second critical bug concerns the use of hardcoded cryptographic private keys for SSH authentication that are shared across devices. Because the same key ships in every unit, anyone who extracts it from one device's firmware can authenticate to, or impersonate, every other unit that uses it.
The third vulnerability allows attackers to read system logs on the device without any authentication.
The last vulnerability has a CVSS score of 10, the maximum, which makes it a critical bug. It is a buffer overflow in the firmware of GeoVision's fingerprint readers that enables attackers to execute unauthorized code on the devices. More disturbing still, no authentication is required beforehand.
Acronis reported its findings to SingCERT and to GeoVision, contacting the vendor in August last year and again in September and December. GeoVision eventually issued fixes for three of the flaws (firmware version 1.22) earlier this month, leaving the fourth critical vulnerability unpatched.
Taiwan’s Computer Emergency Response Team (TWCERT) also acknowledged the bugs and published three advisories — CVE-2020-3928, CVE-2020-3929, and CVE-2020-3930. TWCERT verified the firmware corrections and the availability of the latest update.
The fourth critical bug, which has so far remained unpatched, poses a serious security risk because it may allow attackers to abuse a weakly validated parameter to overwrite memory-management structures.
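To make the bug class concrete, here is an added C illustration of what "trusting a weak parameter" looks like in a request handler, beside the hardened form. This is not GeoVision's firmware or Acronis's proof-of-concept: the record layout, the function names (`enroll_vulnerable`, `enroll_hardened`, `record_intact`) and the constructed requests are all hypothetical, chosen so that the overflow lands on bookkeeping the device would later trust.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32

/* Hypothetical enrolment record (not GeoVision's layout): the name buffer
 * sits directly in front of bookkeeping the device later relies on. */
struct user_record {
    char      name[NAME_MAX];
    uint32_t  name_len;
    void    (*on_match)(const struct user_record *);
};

static void legit_handler(const struct user_record *rec)
{
    printf("match: %s\n", rec->name);
}

/* Vulnerable pattern: the request carries its own length field and the
 * handler believes it. Nothing stops declared_len from exceeding NAME_MAX
 * (or the bytes actually received), so the copy runs on into name_len and
 * on_match. A byte-wise loop is used so the overflow is visible rather
 * than intercepted by a fortified memcpy. Deliberately unsafe. */
int enroll_vulnerable(struct user_record *rec, const uint8_t *payload,
                      size_t payload_len, uint32_t declared_len)
{
    (void)payload_len;                    /* never consulted: that is the bug */
    for (uint32_t i = 0; i < declared_len; i++)
        rec->name[i] = (char)payload[i];
    rec->name_len = declared_len;
    return 0;
}

/* Hardened form: bound the length by both what was received and what the
 * destination can hold, leaving room for the terminator. Reject rather than
 * truncate, so an oversized request is an error the caller can log. */
int enroll_hardened(struct user_record *rec, const uint8_t *payload,
                    size_t payload_len, uint32_t declared_len)
{
    if (declared_len > payload_len)       /* claims more bytes than were sent */
        return -1;
    if (declared_len >= NAME_MAX)         /* would not fit with the NUL */
        return -1;
    memcpy(rec->name, payload, declared_len);
    rec->name[declared_len] = '\0';
    rec->name_len = declared_len;
    return 0;
}

/* Integrity probe: did the copy leave the dispatch pointer untouched? */
int record_intact(const struct user_record *rec)
{
    return rec->on_match == legit_handler;
}

int main(void)
{
    /* Constructed requests: one benign, one oversized with a lying length. */
    static const uint8_t benign[] = "alice";
    uint8_t oversized[64];
    memset(oversized, 'A', sizeof oversized);

    struct user_record rec = { .on_match = legit_handler };
    enroll_vulnerable(&rec, oversized, sizeof oversized, sizeof oversized);
    printf("vulnerable: dispatch pointer intact? %s\n",
           record_intact(&rec) ? "yes" : "no");

    struct user_record safe = { .on_match = legit_handler };
    int rc = enroll_hardened(&safe, oversized, sizeof oversized, sizeof oversized);
    printf("hardened: rc=%d, dispatch pointer intact? %s\n",
           rc, record_intact(&safe) ? "yes" : "no");

    if (enroll_hardened(&safe, benign, 5, 5) == 0)
        safe.on_match(&safe);             /* safe to dispatch: pointer untouched */
    return 0;
}
```

The point of the layout is that a single unchecked length turns a string copy into a write over whatever follows the buffer; in real firmware that neighbour may be a heap header or a function pointer, which is why an unauthenticated overflow of this kind earns the maximum CVSS score. The hardened version checks the declared length against both the received payload and the destination size, which is the check a reviewer should look for in any handler reachable before authentication.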
According to Acronis’s CISO Kevin Reed and Security Researcher Alex Koshelev, an attacker is free to install malicious code in the firmware as soon as they gain full access to the device. After that happens, evicting them from the network is virtually impossible.
They also commented that it is pretty surprising that certain companies are in no hurry to patch crucial flaws. The presence of backdoors is also concerning, in addition to the poor quality of the original source code. This demonstrates that IoT protection is unreliable, so each organization has to realize that using such devices can expose it to long-term, unpredictable risks.