FB pixel

Acronis reports critical flaws in GeoVision biometric devices, man-in-the-middle attack risks

 

access-control

During a network security audit in 2019, cybersecurity company Acronis detected critical vulnerabilities in devices manufactured by biometrics company GeoVision, reports the security company, which has been waiting for the company to patch the flaws for almost a year.

The security company says it found a backdoor password with admin privileges, and claims GeoVision reuses cryptographic keys and discloses private keys. These flaws could enable traffic interception by state-sponsored attackers. The research was conducted by Acronis CISO Kevin Reed, and security researchers Alex Koshelev and Ravikant Tiwari.

The vulnerabilities were identified in fingerprint scanners, access card scanners, and access management appliances spread out in multiple countries. These devices are visible on Shodan and located in Brazil, the U.S., Germany, Taiwan, and Japan.

The key technical findings include undocumented hardcoded passwords which make it easy to access the device with root privileges, shared cryptographic keys in firmware which exposes the device to man-in-the-middle attacks, a buffer overflow vulnerability which can be manipulated to run unauthorized code without prior authentication, and information disclosure vulnerability that hackers can manipulate to read system logs.

Acronis informed GeoVision about the vulnerabilities in August 2019 and then in September about the 90-day courtesy period. Two months later, Acronis reported the vulnerabilities to the Singapore Computer Emergency Response Team (SingCERT). SingCERT and Taiwan’s TWCERT requested a one-month delay in making the vulnerabilities public.

Nearly a year later, in June 2020, three vulnerabilities were patched, yet the critical buffer overflow zero-day “wormable” vulnerability is still active and there is no firmware update. Hackers can overrun the memory buffer and manipulate it to tamper with device by rewriting protocols and commands.

Acronis says GeoVision has not commented or confirmed the findings.

Article Topics

 |   |   |   | 

Latest Biometrics News

 

Biometrics cutting the line of in-person payments innovations: Mastercard

Mastercard sees biometrics for in-store payments as a part of a broader shift towards seamless interactions of all kinds, as…

 

New South Wales’ government is investing millions in digital identity

New South Wales’ decentralized digital identity program is getting a cash infusion from the Premier Chris Minns’ government, which has…

 

Innovatrics cuts fingerprint error rate by 20%, upgrades SmartFace platform

Innovatrics has reported its best-yet scores in NIST’s fingerprint biometrics testing, and added a new feature to its facial recognition…

 

Canadian cruise terminal gets Pangiam face biometrics for ID verification

The Vancouver Fraser Port Authority and U.S. Customs and Border Protection (CBP) have joined forces to implement face biometrics for…

 

Atlantic Council stresses importance of DPI, data for stronger digital economies

The Atlantic Council has highlighted the importance of digital identity and digital public infrastructure (DPI) in birthing and growing strong,…

 

Sri Lanka extends bid deadline for national digital ID project

The Government of Sri Lanka has extended the deadline for the submission of bids for the procurement of a Master…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events