FB pixel

Acronis reports critical flaws in GeoVision biometric devices, man-in-the-middle attack risks

 

access-control

During a network security audit in 2019, cybersecurity company Acronis detected critical vulnerabilities in devices manufactured by biometrics company GeoVision, reports the security company, which has been waiting for the company to patch the flaws for almost a year.

The security company says it found a backdoor password with admin privileges, and claims GeoVision reuses cryptographic keys and discloses private keys. These flaws could enable traffic interception by state-sponsored attackers. The research was conducted by Acronis CISO Kevin Reed, and security researchers Alex Koshelev and Ravikant Tiwari.

The vulnerabilities were identified in fingerprint scanners, access card scanners, and access management appliances spread out in multiple countries. These devices are visible on Shodan and located in Brazil, the U.S., Germany, Taiwan, and Japan.

The key technical findings include undocumented hardcoded passwords which make it easy to access the device with root privileges, shared cryptographic keys in firmware which exposes the device to man-in-the-middle attacks, a buffer overflow vulnerability which can be manipulated to run unauthorized code without prior authentication, and information disclosure vulnerability that hackers can manipulate to read system logs.

Acronis informed GeoVision about the vulnerabilities in August 2019 and then in September about the 90-day courtesy period. Two months later, Acronis reported the vulnerabilities to the Singapore Computer Emergency Response Team (SingCERT). SingCERT and Taiwan’s TWCERT requested a one-month delay in making the vulnerabilities public.

Nearly a year later, in June 2020, three vulnerabilities were patched, yet the critical buffer overflow zero-day “wormable” vulnerability is still active and there is no firmware update. Hackers can overrun the memory buffer and manipulate it to tamper with device by rewriting protocols and commands.

Acronis says GeoVision has not commented or confirmed the findings.

Article Topics

 |   |   |   | 

Latest Biometrics News

 

Cameroon ends 2024 biometric voter registration drive with 755k new enrollments

The Director General in charge of Elections at Cameroon’s elections management agency (ELECAM), Dr Erik Essousse, says 755,085 new potential…

 

Malaysia completes biometric border clearance pilot at Singapore border

Authorities in the Malaysian state of Johor say plans are being finalized for the implementation of a biometric border clearance…

 

New Burkina Faso biometric passport further cements ECOWAS departure

The government of Burkina Faso has unveiled a new generation biometric passport in a move that highlights the countries unwillingness…

 

India to digitize the agricultural sector through unique digital farmer ID

India’s Finance Minister Nirmala Sitharaman announced the implementation of DPI for agriculture in the Union Budget 2024-25. The approved Digital…

 

Protean acknowledged for leadership in digital public infrastructure

Protean Tech has been recognized for its contributions to the digital public infrastructure (DPI) sector at the 2024 Global Fintech…

 

Federal law enforcement must now conduct transparent, standardized AI field testing

A White House advisory panel voted to approve a 24-page report that sets forth specific actions that all federal law…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events