GeoVision, a Taiwanese manufacturer of fingerprint scanners, access control, and surveillance technology, has fixed critical vulnerabilities in its devices that could be abused by hackers and nation-state threat actors.
During a network security audit last year, Acronis discovered numerous vulnerabilities in GeoVision devices that could allow users to gain full and unauthorized access to the cameras.
The findings are important because vulnerabilities in mission-critical devices such as biometric fingerprint scanners, surveillance cameras, and other security IoTs could be exploited by nation-state actors to intercept traffic and conduct espionage.
In a new report by Acronis, researchers disclose numerous vulnerabilities in GeoVision surveillance equipment and fingerprint scanners.
“Acronis’ security team found four critical vulnerabilities in GeoVision’s devices, including a backdoor password with admin privileges, the reuse of cryptographic keys, and the disclosure of private keys to everyone. All of these vulnerabilities could allow state-sponsored attackers to intercept potential traffic,” Acronis’ report states.
The CVEs made public by Acronis include CVE-2020-3928, CVE-2020-3930, and CVE-2020-3929, and were found in fingerprint scanners, access card scanners, and access management appliances being used around the world.
At least six models have been confirmed by Acronis to be vulnerable.
Moreover, because IoT search engines like Censys.io and Shodan regularly scan the web for public-facing devices, vulnerable GeoVision devices can be tapped into by malicious actors to open doors without keycards, spy on users, or even steal fingerprints.
“Using these vulnerabilities, attackers could remotely open doors without the keycards, install Trojans on those devices, establish their persistence on the network, spy on internal users, and steal fingerprints and other data – all without ever being detected,” Acronis noted.
A Shodan search query (“WYM/1.0”) provided by Acronis shows over 2,600 affected devices connected to the Internet.
The vulnerabilities affecting these devices include:
A hardcoded “root” password: It isn’t unusual for IoT devices to come with a hardcoded default password (e.g., admin:admin or admin:password); typically, however, the user manual documents it and advises the user to change it. GeoVision’s devices reportedly didn’t have this password documented anywhere. Moreover, accessing a built-in URL, “/isshd.htm”, on the device activates the Dropbear SSH server on port 8009, which an attacker can then log into using the default credentials.
“The password is not documented, exposing customers to an unknown risk. By default, ssh server is not running on the device, however there is a hidden URL in the device management interface [https://<ip.of.the.device>/isshd.htm]. If this URL is accessed, Dropbear ssh will be started on port 8009.”
Shared cryptographic keys: Encryption is futile if the private keys in a typical PKI implementation are known. In the case of GeoVision, the firmware available for download from the manufacturer’s website revealed the presence of hardcoded public and private keys. These exposed keys can enable Man-in-the-Middle (MitM) attacks for HTTPS and SSH connections to the device.
The storing of private keys in firmware isn’t something unique to GeoVision devices. Routers, smart printers, and IoTs have been storing private keys in firmware for ages out of necessity. This is often considered a “security tradeoff” because of self-signed certificates on the devices for administration pages.
Buffer Overflow: A buffer overflow vulnerability exists in some models due to a vulnerable program called “port80” bundled with the device. If exploited, attackers can leverage this vulnerability to execute arbitrary code on devices without authentication.
“The vulnerable program is /usr/bin/port80 in the firmware (SHA256: 5B531E50CFA347BBE3B9C667F8D802CDECC6B1CD270719DAC5ECE4CE33696D3A). We provided PoC code and demo video for this vulnerability to SingCERT.”
Log exposure: In select models, accessing the “/messages.txt” and “/messages.old.txt” URLs on the vulnerable device exposes log file data without requiring any authentication. The exposed logs can reveal potentially sensitive information to the adversaries.
“System logs are available without authentication at [http://<ip.of.the.device>/messages.txt] and at [http://<ip.of.the.device>/messages.old.txt], which enables attackers to read system logs, which helps with further attack planning.”
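A defender-side check built from the endpoints listed above, added here as an example and not code from the Acronis report or from GeoVision: it scans HTTP access logs for requests to the hidden SSH-activation page and the two unauthenticated log files, so that probing of these endpoints shows up in monitoring whether or not the device has been patched. It assumes the device sits behind a reverse proxy or network sensor that records requests in combined log format; the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Endpoints named in the Acronis report: the hidden SSH-activation page and the
# two system-log files served without authentication.
SENSITIVE_PATHS = {
    "/isshd.htm": "hidden page that starts Dropbear SSH on port 8009",
    "/messages.txt": "system log readable without authentication",
    "/messages.old.txt": "rotated system log readable without authentication",
}

# Combined log format. Assumption: a reverse proxy or network sensor in front of
# the device records HTTP requests in this shape.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Drop query/fragment, decode %-escapes, collapse slashes, lowercase."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def scan_http_log(lines):
    """Return one finding per request to a sensitive endpoint, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = normalize_path(m.group("target"))
        if path in SENSITIVE_PATHS:
            findings.append({"src": m.group("src"), "time": m.group("ts"),
                             "path": path, "status": int(m.group("status")),
                             "why": SENSITIVE_PATHS[path]})
    return findings

# Constructed sample log lines (not taken from any real device).
SAMPLE_LOG = [
    '10.0.0.7 - - [10/Jun/2020:09:12:01 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2020:09:12:09 +0000] "GET /isshd.htm HTTP/1.1" 200 88',
    '203.0.113.5 - - [10/Jun/2020:09:12:15 +0000] "GET /messages.txt?x=1 HTTP/1.1" 200 40211',
    '198.51.100.2 - - [10/Jun/2020:09:13:44 +0000] "GET /Messages.OLD.txt HTTP/1.1" 200 9001',
    '10.0.0.7 - - [10/Jun/2020:09:14:00 +0000] "GET //%6dessages.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in scan_http_log(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} {f['path']} ({f['status']}): {f['why']}")
```

A 404 hit is still reported, since a probe for these paths is worth knowing about even after the firmware update removes them.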
Patches issued after 10 months
Acronis first notified GeoVision of these vulnerabilities in August 2019, and it wasn’t until ten months later that the vulnerabilities were fixed.
This timeframe is not particularly impressive given the critical nature of the vulnerabilities and the fact GeoVision’s clients rely on these devices to secure their environments.
“When a security manufacturer learns of critical vulnerabilities in their devices, there is an expectation they’ll act quickly to fix the problem. Yet August 2019 became the first of the many months when Acronis would patiently wait for an update (in vain, as it turns out) from one manufacturer in particular,” reads the blog post.
Even today, out of the four critical vulnerabilities reported by Acronis, only three have been fixed by the manufacturer.
“Last week, TWCERT confirmed the availability of the new version (v. 1.22) – but we still see no firmware update released on GeoVision’s website.”
Considering that these vulnerabilities can be used to bypass security controls, their misuse can wreak havoc on the very systems they are intended to protect:
“Fingerprint data could be used to enter your home and unlock personal devices. Photos can easily be reused by malicious actors for identity theft based on biometric data. Attackers could also sell access to any doors protected by these devices, offering a free entry to one’s home or place of work,” Acronis warned in their report.
These are just a few examples of how criminals and state-sponsored actors can turn security and public safety systems against the very people they are meant to protect.
When choosing a manufacturer for your perimeter defense needs, a thorough security audit, along with a consistent history of patching demonstrated by the manufacturer (or lack thereof), can tell the whole story.