Positive Technologies Uncovers Vulnerability in IDEMIA Biometric Identification Devices That Can Unlock Doors and Turnstiles

The flaw affects IDEMIA biometric readers used for access control, in which privileged commands can be executed via the management protocol. IDEMIA released a Security Bulletin explaining how to mitigate the discovered vulnerability.

Positive Technologies researchers Natalya Tlyapova, Sergey Fedonin, Vladimir Kononovich, and Vyacheslav Moskvin have discovered a critical vulnerability (VU-2021-004) in IDEMIA biometric identification devices used in the world’s largest financial institutions, universities, healthcare organizations, and critical infrastructure facilities. By exploiting the flaw, which received a score of 9.1 on the CVSS v3 scale, attackers can unlock doors and turnstiles. Researchers say the forced use of TLS as a management protocol will help eliminate the risk of biometric identification bypass.

“The vulnerability has been identified in several lines of biometric readers for the IDEMIA ACS [1] equipped with fingerprint scanners and combined devices that analyze fingerprints and vein patterns,” explains Vladimir Nazarov, Head of ICS Security, Positive Technologies. “An attacker can potentially exploit the flaw to enter a protected area or disable access control systems.”

A remote attacker can use the following commands without authentication:
— trigger_relay to unlock a door or turnstile if they are directly controlled by the terminal
— terminal_reboot to cause a denial of service

To eliminate the vulnerability, enable and correctly configure the TLS protocol according to Section 7 of the IDEMIA Secure Installation Guidelines. In future firmware versions, IDEMIA will make TLS activation mandatory by default.

Below is a list of devices affected by this vulnerability:

  • MorphoWave Compact MD
  • MorphoWave Compact MDPI
  • MorphoWave Compact MDPI-M
  • VisionPass MD
  • VisionPass MDPI
  • VisionPass MDPI-M
  • SIGMA Lite (all versions)
  • SIGMA Lite+ (all versions)
  • SIGMA Wide (all versions)
  • SIGMA Extreme
  • MA VP MD

In July 2021, IDEMIA fixed three vulnerabilities discovered by Positive Technologies experts.

  1. Access control system