FB pixel

Acronis reports critical flaws in GeoVision biometric devices, man-in-the-middle attack risks

 

access-control

During a network security audit in 2019, cybersecurity company Acronis detected critical vulnerabilities in devices manufactured by biometrics company GeoVision, reports the security company, which has been waiting for the company to patch the flaws for almost a year.

The security company says it found a backdoor password with admin privileges, and claims GeoVision reuses cryptographic keys and discloses private keys. These flaws could enable traffic interception by state-sponsored attackers. The research was conducted by Acronis CISO Kevin Reed, and security researchers Alex Koshelev and Ravikant Tiwari.

The vulnerabilities were identified in fingerprint scanners, access card scanners, and access management appliances spread out in multiple countries. These devices are visible on Shodan and located in Brazil, the U.S., Germany, Taiwan, and Japan.

The key technical findings include undocumented hardcoded passwords which make it easy to access the device with root privileges, shared cryptographic keys in firmware which exposes the device to man-in-the-middle attacks, a buffer overflow vulnerability which can be manipulated to run unauthorized code without prior authentication, and information disclosure vulnerability that hackers can manipulate to read system logs.

Acronis informed GeoVision about the vulnerabilities in August 2019 and then in September about the 90-day courtesy period. Two months later, Acronis reported the vulnerabilities to the Singapore Computer Emergency Response Team (SingCERT). SingCERT and Taiwan’s TWCERT requested a one-month delay in making the vulnerabilities public.

Nearly a year later, in June 2020, three vulnerabilities were patched, yet the critical buffer overflow zero-day “wormable” vulnerability is still active and there is no firmware update. Hackers can overrun the memory buffer and manipulate it to tamper with device by rewriting protocols and commands.

Acronis says GeoVision has not commented or confirmed the findings.

Article Topics

 |   |   |   | 

Latest Biometrics News

 

AI voice deepfake of U.S. Secretary of State triggers global security alert

In one of the most audacious examples yet of AI-enabled political deception, an individual posing as U.S. Secretary of State…

 

Advent reportedly prepping Idemia Public Security sale for up to €3 billion

Hollywood summer blockbusters are increasingly sequels, so perhaps it should be little surprise that the next biggest investment in U.S….

 

Pimloc raises $5M to fuel global expansion of video privacy redaction tool

Pimloc has raised $5 million in a strategic investment round led by Amadeus Capital Partners and Edge Ventures. The company…

 

UK Companies House identity verification requirement nears

Money laundering won’t go away. In fact, the problem is growing. Strict anti money laundering (AML) regulations can help, but…

 

Sumsub integrates with Verax, launches APAC roadshow

Sumsub has unveiled its integration with Verax — the attestation service built on Linea, Consensys’ Ethereum Layer 2 network —…

 

Cameroon unveils plan to modernize local digital govt services

The government of Cameroon has disclosed that it is working to update a Digital Master Plan for decentralized entities in…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Biometric Market Analysis

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events