Acronis reports critical flaws in GeoVision biometric devices, man-in-the-middle attack risks
During a network security audit in 2019, cybersecurity company Acronis detected critical vulnerabilities in devices manufactured by biometrics company GeoVision, reports the security company, which has been waiting for the company to patch the flaws for almost a year.
The security company says it found a backdoor password with admin privileges, and claims GeoVision reuses cryptographic keys and discloses private keys. These flaws could enable traffic interception by state-sponsored attackers. The research was conducted by Acronis CISO Kevin Reed, and security researchers Alex Koshelev and Ravikant Tiwari.
The vulnerabilities were identified in fingerprint scanners, access card scanners, and access management appliances spread out in multiple countries. These devices are visible on Shodan and located in Brazil, the U.S., Germany, Taiwan, and Japan.
The key technical findings include undocumented hardcoded passwords which make it easy to access the device with root privileges, shared cryptographic keys in firmware which exposes the device to man-in-the-middle attacks, a buffer overflow vulnerability which can be manipulated to run unauthorized code without prior authentication, and information disclosure vulnerability that hackers can manipulate to read system logs.
Acronis informed GeoVision about the vulnerabilities in August 2019 and then in September about the 90-day courtesy period. Two months later, Acronis reported the vulnerabilities to the Singapore Computer Emergency Response Team (SingCERT). SingCERT and Taiwan’s TWCERT requested a one-month delay in making the vulnerabilities public.
Nearly a year later, in June 2020, three vulnerabilities were patched, yet the critical buffer overflow zero-day “wormable” vulnerability is still active and there is no firmware update. Hackers can overrun the memory buffer and manipulate it to tamper with device by rewriting protocols and commands.
Acronis says GeoVision has not commented or confirmed the findings.