
IBM researchers find security flaws in popular visitor check-in systems

The vulnerabilities could be used to steal data on visitors or access off-limits areas in buildings

Researchers from IBM recently discovered that some visitor check-in systems harbor flaws that could expose sensitive information.

Upon examining five different visitor management systems commonly found in office buildings, IBM researchers concluded these systems instilled visitors with “a false sense of security.” The following systems contained flaws:

  • Lobby Track Desktop, with seven vulnerabilities;

  • eVisitorPass (recently rebranded as Threshold Security), with five vulnerabilities;

  • EasyLobby Solo, with four vulnerabilities;

  • Envoy’s flagship Passport system, with two vulnerabilities; and

  • The Receptionist (an iPad app), with one vulnerability.

Vulnerabilities uncovered

The researchers went about examining the security of the systems by performing a series of tests.

“One, was how easy is it to get checked-in as a visitor without any sort of real identifying information. Secondly, we set out to see how easy is it to get other people’s information out of the system,” Daniel Crowder, research director at the IBM X-Force Red security unit, told TechCrunch.

“Third, is there a way that an adversary can break out of the application, cause it to crash or get arbitrary code-execution to run on the targeted device and gain a foothold to attack the corporate network.”

Ultimately, the researchers were able to do all three.

Security implications

The bugs could enable people to steal data on visitors and even make it possible for them to impersonate expected visitors to get into offices without permission.

“Knowing, for instance, that the CEO of a related company has been visiting every day for the last few weeks would be valuable intelligence to collect,” Crowder wrote in a blog post. “Depending on what data the visitor management system stores, there may be an opportunity for identity theft as well.”

IBM said it notified the system vendors before the vulnerabilities were disclosed to allow them an opportunity to fix the bugs.

“Some responded much more quickly than others,” Crowder said. “The Lobby Track vulnerabilities were acknowledged by Jolly Technologies, but they stated that the issues can be addressed through configuration options. X-Force Red tested the Lobby Track software in its default configuration.”
