The flaw can be exploited to unlock doors and open turnstiles, giving attackers a way to bypass biometric ID checks and physically enter controlled spaces. Acting remotely, threat actors could use the vulnerability to run commands without authentication to unlock a door or turnstile or trigger a terminal reboot so as to cause a denial of service.
Positive Technologies researchers Natalya Tlyapova, Sergey Fedonin, Vladimir Kononovich, and Vyacheslav Moskvin found the flaw, which impacts 11 biometric identification devices made by IDEMIA.
The team said that the impacted devices are in use in the “world’s largest financial institutions, universities, healthcare organizations, and critical infrastructure facilities.”
The critical vulnerability (VU-2021-004) has received a score of 9.1 out of 10 on the CVSS v3 scale, with 10 being the most severe.
“The vulnerability has been identified in several lines of biometric readers for the IDEMIA ACS [access control system] equipped with fingerprint scanners and combined devices that analyze fingerprints and vein patterns,” said Vladimir Nazarov, head of ICS Security at Positive Technologies.
He added: “An attacker can potentially exploit the flaw to enter a protected area or disable access control systems.”
The IDEMIA devices affected by the vulnerability are MorphoWave Compact MD, MorphoWave Compact MDPI, MorphoWave Compact MDPI-M, VisionPass MD, VisionPass MDPI, VisionPass MDPI-M, SIGMA Lite (all versions), SIGMA Lite+ (all versions), SIGMA Wide (all versions), SIGMA Extreme, and MA VP MD.
Enabling and correctly configuring the TLS protocol according to Section 7 of the IDEMIA Secure Installation Guidelines will eliminate the vulnerability.
IDEMIA has said it will make TLS activation mandatory by default in future firmware versions.
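Because the fix is a configuration change rather than a patch, the practical follow-up for an operator is to confirm that every deployed reader actually enforces TLS on its management channel. The audit script below is an added example and is not code from the article, from Positive Technologies, or from IDEMIA: it probes each reader in an inventory, records whether a TLS handshake succeeds and whether the port still talks to a non-TLS client, and classifies the reader accordingly. The inventory, the `MANAGEMENT_PORT` value, and the "send a bare CRLF and see what comes back" heuristic are assumptions; the real port and protocol details come from the vendor's installation guide, and the probe bytes should be adapted to that protocol.

```python
import socket
import ssl
from dataclasses import dataclass

# Constructed inventory (placeholder names and RFC 5737 documentation addresses),
# not values taken from the article or from IDEMIA documentation.
READERS = [
    {"name": "lobby-turnstile-1", "host": "192.0.2.10"},
    {"name": "server-room-door", "host": "192.0.2.11"},
]
MANAGEMENT_PORT = 0  # placeholder: use the port documented by the vendor


@dataclass
class ProbeResult:
    tls_handshake_ok: bool    # the port completed a TLS handshake
    plaintext_accepted: bool  # the port answered a non-TLS client with data


def classify(result: ProbeResult) -> str:
    """Turn a probe outcome into an audit verdict for one reader."""
    if result.tls_handshake_ok and not result.plaintext_accepted:
        return "tls-enforced"      # the documented mitigation is in place
    if result.tls_handshake_ok and result.plaintext_accepted:
        return "tls-optional"      # TLS offered, but plaintext still works
    if result.plaintext_accepted:
        return "plaintext-only"    # TLS not enabled at all
    return "unreachable"


def _tls_handshake_ok(host: str, port: int, timeout: float) -> bool:
    ctx = ssl.create_default_context()
    # We only test whether TLS is offered at all; certificate validity is a
    # separate check, so verification is disabled for this probe.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def _plaintext_accepted(host: str, port: int, timeout: float) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.settimeout(timeout)
            raw.sendall(b"\r\n")  # harmless bytes that are not a TLS record
            data = raw.recv(8)
    except OSError:
        # Connection refused, reset, or no reply before the timeout: treated as
        # "not accepted". A protocol that silently waits for a valid command
        # will land here too, so adapt the probe bytes to the device protocol.
        return False
    # Heuristic (assumption): a TLS-only listener either closes the connection
    # (empty read) or answers with a TLS alert record, content type 0x15.
    return bool(data) and data[0] != 0x15


def probe(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    return ProbeResult(
        tls_handshake_ok=_tls_handshake_ok(host, port, timeout),
        plaintext_accepted=_plaintext_accepted(host, port, timeout),
    )


def audit(readers, port: int, prober=probe) -> dict:
    """Return {reader name: verdict} for every reader in the inventory."""
    return {r["name"]: classify(prober(r["host"], port)) for r in readers}


if __name__ == "__main__":
    for name, verdict in audit(READERS, MANAGEMENT_PORT).items():
        print(f"{name}: {verdict}")
```

Anything other than `tls-enforced` is a reader that still needs the Section 7 configuration applied; `tls-optional` matters as much as `plaintext-only`, because an unauthenticated command sent over the plaintext path is exactly what the mitigation is meant to stop. The `prober` parameter exists so the classification logic can be exercised offline against recorded results before the script is pointed at live hardware.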
This isn’t the first time Positive Technologies researchers have discovered a flaw in IDEMIA devices. In July 2021, IDEMIA fixed three buffer overflow and path traversal vulnerabilities identified by the cybersecurity company’s team.
Under certain conditions, these prior vulnerabilities allowed an attacker to execute code, or to gain read and write access to any file from the device. IDEMIA released firmware updates to mitigate the security vulnerabilities.